Edit tour

Windows Analysis Report
CompleteStudio.exe

Overview

General Information

Sample name:	CompleteStudio.exe
Analysis ID:	1577354
MD5:	ee4d5bd9f92faca11d441676ceddcec9
SHA1:	64626881b63abc37cd77fca95f524830849dd135
SHA256:	d6872d521e977683f9fbf54b80e2a218aec4f0ae9caaa233ca9797f16c37b4d4
Tags:	18521511316185215113209bulletproofexeuser-abus3reports
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

.NET source code contains potential unpacker

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

LummaC encrypted strings found

Sample uses string decryption to hide its real strings

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

CompleteStudio.exe (PID: 7904 cmdline: "C:\Users\user\Desktop\CompleteStudio.exe" MD5: EE4D5BD9F92FACA11D441676CEDDCEC9)

RegAsm.exe (PID: 8144 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 8152 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 8160 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["underlinemdsj.site", "possiwreeste.site", "delaylacedmn.site", "bellykmrebk.site", "famikyjdiag.site", "agentyanlark.site", "commandejorsk.site", "writekdmsnu.site"], "Build id": "CrQ5xX--mizou"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T12:26:31.450288+0100	2028371	3	Unknown Traffic	192.168.2.8	49709	23.55.153.106	443	TCP
2024-12-18T12:26:33.914351+0100	2028371	3	Unknown Traffic	192.168.2.8	49710	104.21.66.86	443	TCP
2024-12-18T12:26:35.473552+0100	2028371	3	Unknown Traffic	192.168.2.8	49711	104.21.66.86	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T12:26:34.653780+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49710	104.21.66.86	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T12:26:34.653780+0100	2049836	1	A Network Trojan was detected	192.168.2.8	49710	104.21.66.86	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (agentyanlark .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T12:26:29.278453+0100	2056324	1	Domain Observed Used for C2 Detected	192.168.2.8	53908	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bellykmrebk .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T12:26:29.050890+0100	2056328	1	Domain Observed Used for C2 Detected	192.168.2.8	63189	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (commandejorsk .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T12:26:28.454159+0100	2056334	1	Domain Observed Used for C2 Detected	192.168.2.8	55990	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (delaylacedmn .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T12:26:27.596874+0100	2056336	1	Domain Observed Used for C2 Detected	192.168.2.8	63245	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (famikyjdiag .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T12:26:27.830010+0100	2056338	1	Domain Observed Used for C2 Detected	192.168.2.8	64644	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (possiwreeste .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T12:26:28.225597+0100	2056340	1	Domain Observed Used for C2 Detected	192.168.2.8	62519	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (underlinemdsj .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T12:26:28.759519+0100	2056344	1	Domain Observed Used for C2 Detected	192.168.2.8	54939	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (writekdmsnu .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T12:26:29.590093+0100	2056346	1	Domain Observed Used for C2 Detected	192.168.2.8	59437	1.1.1.1	53	UDP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T12:26:32.308558+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.8	49709	23.55.153.106	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: CompleteStudio.exe

Avira: detected

Found malware configuration

Source: 5.2.RegAsm.exe.400000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["underlinemdsj.site", "possiwreeste.site", "delaylacedmn.site", "bellykmrebk.site", "famikyjdiag.site", "agentyanlark.site", "commandejorsk.site", "writekdmsnu.site"], "Build id": "CrQ5xX--mizou"}

Multi AV Scanner detection for submitted file

Source: CompleteStudio.exe

ReversingLabs: Detection: 71%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: delaylacedmn.site
Source: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: writekdmsnu.site
Source: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: agentyanlark.site
Source: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: bellykmrebk.site
Source: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: underlinemdsj.site
Source: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: commandejorsk.site
Source: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: possiwreeste.site
Source: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: famikyjdiag.site
Source: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: delaylacedmn.site
Source: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: CrQ5xX--mizou

Source: unknown	HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.8:49710 version: TLS 1.2

Source: CompleteStudio.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: F:\Crypt @LegendaryInstallsSupport 29.09.2024\Notepad-master\obj\Release\Notepad.pdb9 source: CompleteStudio.exe
Source:	Binary string: F:\Crypt @LegendaryInstallsSupport 29.09.2024\Notepad-master\obj\Release\Notepad.pdb source: CompleteStudio.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h	5_2_00440118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	5_2_0040F242
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-28h]	5_2_0040F242
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [ecx+eax]	5_2_0040F940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	5_2_0040F940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	5_2_004109FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2EE0190Fh	5_2_00446C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 68677325h	5_2_00446C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	5_2_00446C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	5_2_0040ED69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then lea edx, dword ptr [eax+edi]	5_2_0040FEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	5_2_0040FEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, ebp	5_2_00422063
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+7Ch]	5_2_00434060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ecx], al	5_2_00434060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	5_2_00407070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+44h]	5_2_0044716D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+44h]	5_2_0044711B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+7Ch]	5_2_00434136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ecx], al	5_2_00434136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+10h]	5_2_0042A1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	5_2_0041518E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 54CA534Eh	5_2_00448190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+000004F0h]	5_2_00433240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	5_2_00433240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	5_2_00433240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	5_2_00433240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+000001B8h]	5_2_0041325D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], dx	5_2_00422260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	5_2_004492C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	5_2_00425320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	5_2_0041B330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, eax	5_2_0040A3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebp, eax	5_2_0040A3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	5_2_00448390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, ebx	5_2_00430399
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	5_2_00449410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh	5_2_00444480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	5_2_004354A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [esi], ax	5_2_0041F552
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000110h]	5_2_0041F552
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	5_2_00445580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h	5_2_00440580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	5_2_00449580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], dx	5_2_00422673
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	5_2_0044A610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	5_2_004296C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	5_2_004446C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], dx	5_2_0042268A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	5_2_00449690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	5_2_004276A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h]	5_2_00408750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, edi	5_2_0042F700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then shrd esi, edx, 00000001h	5_2_00403710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	5_2_00431720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 77DD2217h	5_2_00420729
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then lea eax, dword ptr [ebp+04h]	5_2_004407E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	5_2_00449780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	5_2_0044A7A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esp+24h], DEC6D8DEh	5_2_00430810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 3BABA5E0h	5_2_00444960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	5_2_00427900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah	5_2_0044A920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	5_2_00449A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	5_2_0040DA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, edi	5_2_0042FAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	5_2_00404B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	5_2_00444B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	5_2_00413B7C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+18h]	5_2_0042DB00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [edi+eax]	5_2_0042DB00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp di, 005Ch	5_2_0041FB39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+68h]	5_2_0041FB39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	5_2_0043BBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	5_2_00448C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	5_2_00405C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	5_2_00422C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	5_2_00441D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	5_2_0041DD55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	5_2_00421DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], dx	5_2_00421DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	5_2_00414D8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	5_2_0040DE20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	5_2_0042CEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov esi, eax	5_2_00431ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edi, word ptr [esi]	5_2_00429EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	5_2_00421DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], dx	5_2_00421DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	5_2_00428FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	5_2_00428FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+000005A8h]	5_2_00420F8A

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056340 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (possiwreeste .site) : 192.168.2.8:62519 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056346 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (writekdmsnu .site) : 192.168.2.8:59437 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056338 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (famikyjdiag .site) : 192.168.2.8:64644 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056328 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bellykmrebk .site) : 192.168.2.8:63189 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056324 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (agentyanlark .site) : 192.168.2.8:53908 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056336 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (delaylacedmn .site) : 192.168.2.8:63245 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056344 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (underlinemdsj .site) : 192.168.2.8:54939 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056334 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (commandejorsk .site) : 192.168.2.8:55990 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.8:49709 -> 23.55.153.106:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49710 -> 104.21.66.86:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49710 -> 104.21.66.86:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: underlinemdsj.site
Source: Malware configuration extractor	URLs: possiwreeste.site
Source: Malware configuration extractor	URLs: delaylacedmn.site
Source: Malware configuration extractor	URLs: bellykmrebk.site
Source: Malware configuration extractor	URLs: famikyjdiag.site
Source: Malware configuration extractor	URLs: agentyanlark.site
Source: Malware configuration extractor	URLs: commandejorsk.site
Source: Malware configuration extractor	URLs: writekdmsnu.site

Source: Joe Sandbox View

IP Address: 23.55.153.106 23.55.153.106

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49711 -> 104.21.66.86:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49710 -> 104.21.66.86:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49709 -> 23.55.153.106:443

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: RegAsm.exe, 00000005.00000002.1568363403.0000000000B46000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: adcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampoweLs equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: delaylacedmn.site
Source: global traffic	DNS traffic detected: DNS query: famikyjdiag.site
Source: global traffic	DNS traffic detected: DNS query: possiwreeste.site
Source: global traffic	DNS traffic detected: DNS query: commandejorsk.site
Source: global traffic	DNS traffic detected: DNS query: underlinemdsj.site
Source: global traffic	DNS traffic detected: DNS query: bellykmrebk.site
Source: global traffic	DNS traffic detected: DNS query: agentyanlark.site
Source: global traffic	DNS traffic detected: DNS query: writekdmsnu.site
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: lev-tolstoi.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com

Source: RegAsm.exe, 00000005.00000002.1568363403.0000000000B46000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.1568363403.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: RegAsm.exe, 00000005.00000002.1568363403.0000000000B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: RegAsm.exe, 00000005.00000002.1568363403.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: RegAsm.exe, 00000005.00000002.1568363403.0000000000B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: RegAsm.exe, 00000005.00000002.1568363403.0000000000B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: RegAsm.exe, 00000005.00000002.1568363403.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.ste
Source: RegAsm.exe, 00000005.00000002.1568363403.0000000000B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: RegAsm.exe, 00000005.00000002.1569030100.0000000000B9E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.1569030100.0000000000B92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/api
Source: RegAsm.exe, 00000005.00000002.1569030100.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/d
Source: RegAsm.exe, 00000005.00000002.1569030100.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/lt
Source: RegAsm.exe, 00000005.00000002.1569030100.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/pi
Source: RegAsm.exe, 00000005.00000002.1568363403.0000000000B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: RegAsm.exe, 00000005.00000002.1568363403.0000000000B46000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.1568363403.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: RegAsm.exe, 00000005.00000002.1568363403.0000000000B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: RegAsm.exe, 00000005.00000002.1568363403.0000000000B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: RegAsm.exe, 00000005.00000002.1568363403.0000000000B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: RegAsm.exe, 00000005.00000002.1568363403.0000000000B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: RegAsm.exe, 00000005.00000002.1568363403.0000000000B46000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.1568363403.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: RegAsm.exe, 00000005.00000002.1568363403.0000000000B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: RegAsm.exe, 00000005.00000002.1568363403.0000000000B46000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.1568363403.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: RegAsm.exe, 00000005.00000002.1568363403.0000000000B46000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.1568363403.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: RegAsm.exe, 00000005.00000002.1568363403.0000000000B46000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.1568363403.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: RegAsm.exe, 00000005.00000002.1568363403.0000000000B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampoweLs
Source: RegAsm.exe, 00000005.00000002.1568363403.0000000000B46000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.1568363403.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: RegAsm.exe, 00000005.00000002.1568363403.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: RegAsm.exe, 00000005.00000002.1568363403.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
Source: RegAsm.exe, 00000005.00000002.1568363403.0000000000B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: RegAsm.exe, 00000005.00000002.1568363403.0000000000B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: RegAsm.exe, 00000005.00000002.1568363403.0000000000B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709

Source: unknown	HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.8:49710 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 5_2_00439D70 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

5_2_00439D70

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 5_2_00439D70 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

5_2_00439D70

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 5_2_0043A264 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

5_2_0043A264

Source: C:\Users\user\Desktop\CompleteStudio.exe	Code function: 0_2_00007FFB4AFF9F51	0_2_00007FFB4AFF9F51
Source: C:\Users\user\Desktop\CompleteStudio.exe	Code function: 0_2_00007FFB4AFFC5AB	0_2_00007FFB4AFFC5AB
Source: C:\Users\user\Desktop\CompleteStudio.exe	Code function: 0_2_00007FFB4AFF151F	0_2_00007FFB4AFF151F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00440118	5_2_00440118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0040F242	5_2_0040F242
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00410A14	5_2_00410A14
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0040FEA0	5_2_0040FEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00434060	5_2_00434060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00401000	5_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0040B010	5_2_0040B010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0042F038	5_2_0042F038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00409130	5_2_00409130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00434136	5_2_00434136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0043F1E0	5_2_0043F1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004492C0	5_2_004492C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00401297	5_2_00401297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00405320	5_2_00405320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0040A3F0	5_2_0040A3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004073B0	5_2_004073B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00449410	5_2_00449410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0040B4B0	5_2_0040B4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00449580	5_2_00449580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00411600	5_2_00411600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0042D6F0	5_2_0042D6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00449690	5_2_00449690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00448740	5_2_00448740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00408750	5_2_00408750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00403710	5_2_00403710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004407E0	5_2_004407E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00449780	5_2_00449780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0041E85A	5_2_0041E85A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0042887B	5_2_0042887B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00430810	5_2_00430810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00439880	5_2_00439880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0040A940	5_2_0040A940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0041E900	5_2_0041E900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00449A40	5_2_00449A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00409AC4	5_2_00409AC4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00444B60	5_2_00444B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0042DB00	5_2_0042DB00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00439B00	5_2_00439B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0041FB39	5_2_0041FB39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0042DBD5	5_2_0042DBD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00448C40	5_2_00448C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00428D00	5_2_00428D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00428D1C	5_2_00428D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0044AD20	5_2_0044AD20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00429DC9	5_2_00429DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00407DB0	5_2_00407DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00437E70	5_2_00437E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0042CEC0	5_2_0042CEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00429EE0	5_2_00429EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00410E90	5_2_00410E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0040BFC0	5_2_0040BFC0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0040CB10 appears 57 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0041DBA0 appears 150 times

Source: CompleteStudio.exe, 00000000.00000000.1426820634.000000000057A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNotepad.exe0 vs CompleteStudio.exe
Source: CompleteStudio.exe, 00000000.00000002.1538729726.000000001B330000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleTCPSockets.dllB vs CompleteStudio.exe
Source: CompleteStudio.exe, 00000000.00000000.1426820634.0000000000502000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSimpleTCPSockets.dllB vs CompleteStudio.exe
Source: CompleteStudio.exe, 00000000.00000002.1538099840.0000000012911000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleTCPSockets.dllB vs CompleteStudio.exe
Source: CompleteStudio.exe, 00000000.00000002.1538099840.0000000012911000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNotepad.exe0 vs CompleteStudio.exe
Source: CompleteStudio.exe	Binary or memory string: OriginalFilenameSimpleTCPSockets.dllB vs CompleteStudio.exe
Source: CompleteStudio.exe	Binary or memory string: OriginalFilenameNotepad.exe0 vs CompleteStudio.exe

Source: 0.0.CompleteStudio.exe.511b66.1.raw.unpack, ShaForNonSecretPurposesGacIdentityPermissionAttribute.cs	Suspicious method names: .ShaForNonSecretPurposesGacIdentityPermissionAttribute.getPayloadNamesgetArray
Source: 0.2.CompleteStudio.exe.12988c16.1.raw.unpack, ShaForNonSecretPurposesGacIdentityPermissionAttribute.cs	Suspicious method names: .ShaForNonSecretPurposesGacIdentityPermissionAttribute.getPayloadNamesgetArray
Source: 0.2.CompleteStudio.exe.1b330000.4.raw.unpack, ShaForNonSecretPurposesGacIdentityPermissionAttribute.cs	Suspicious method names: .ShaForNonSecretPurposesGacIdentityPermissionAttribute.getPayloadNamesgetArray
Source: 0.2.CompleteStudio.exe.12911a78.2.raw.unpack, ShaForNonSecretPurposesGacIdentityPermissionAttribute.cs	Suspicious method names: .ShaForNonSecretPurposesGacIdentityPermissionAttribute.getPayloadNamesgetArray

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/1@10/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 5_2_0043FD80 CoCreateInstance,

5_2_0043FD80

Source: C:\Users\user\Desktop\CompleteStudio.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CompleteStudio.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\CompleteStudio.exe

Mutant created: NULL

Source: CompleteStudio.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: CompleteStudio.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.69%

Source: C:\Users\user\Desktop\CompleteStudio.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: CompleteStudio.exe

ReversingLabs: Detection: 71%

Source: C:\Users\user\Desktop\CompleteStudio.exe

File read: C:\Users\user\Desktop\CompleteStudio.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\CompleteStudio.exe "C:\Users\user\Desktop\CompleteStudio.exe"
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\CompleteStudio.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\CompleteStudio.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\CompleteStudio.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: CompleteStudio.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: CompleteStudio.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: CompleteStudio.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: F:\Crypt @LegendaryInstallsSupport 29.09.2024\Notepad-master\obj\Release\Notepad.pdb9 source: CompleteStudio.exe
Source:	Binary string: F:\Crypt @LegendaryInstallsSupport 29.09.2024\Notepad-master\obj\Release\Notepad.pdb source: CompleteStudio.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: CompleteStudio.exe, NotePad.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.CompleteStudio.exe.12978eb0.3.raw.unpack, NotePad.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])

Source: CompleteStudio.exe

Static PE information: 0x87E9D682 [Fri Apr 4 18:29:22 2042 UTC]

Source: C:\Users\user\Desktop\CompleteStudio.exe	Code function: 0_2_00007FFB4AFFBEC5 pushad ; ret	0_2_00007FFB4AFFBF0D
Source: C:\Users\user\Desktop\CompleteStudio.exe	Code function: 0_2_00007FFB4AFF3E18 push E95BABACh; ret	0_2_00007FFB4AFF3E39
Source: C:\Users\user\Desktop\CompleteStudio.exe	Code function: 0_2_00007FFB4AFF3E3D push E95BABACh; ret	0_2_00007FFB4AFF3E39

Source: C:\Users\user\Desktop\CompleteStudio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\CompleteStudio.exe	Memory allocated: 2660000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Memory allocated: 1A900000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\CompleteStudio.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\CompleteStudio.exe TID: 7928	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8176	Thread sleep time: -150000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8180	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\CompleteStudio.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: RegAsm.exe, 00000005.00000002.1568363403.0000000000B46000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.1568363403.0000000000AF5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.1568363403.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\CompleteStudio.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 5_2_00446BB0 LdrInitializeThunk,

5_2_00446BB0

Source: C:\Users\user\Desktop\CompleteStudio.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\CompleteStudio.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\CompleteStudio.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\CompleteStudio.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: CompleteStudio.exe, 00000000.00000002.1537052680.0000000002901000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: delaylacedmn.site
Source: CompleteStudio.exe, 00000000.00000002.1537052680.0000000002901000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: writekdmsnu.site
Source: CompleteStudio.exe, 00000000.00000002.1537052680.0000000002901000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: agentyanlark.site
Source: CompleteStudio.exe, 00000000.00000002.1537052680.0000000002901000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: bellykmrebk.site
Source: CompleteStudio.exe, 00000000.00000002.1537052680.0000000002901000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: underlinemdsj.site
Source: CompleteStudio.exe, 00000000.00000002.1537052680.0000000002901000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: commandejorsk.site
Source: CompleteStudio.exe, 00000000.00000002.1537052680.0000000002901000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: possiwreeste.site
Source: CompleteStudio.exe, 00000000.00000002.1537052680.0000000002901000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: famikyjdiag.site

Writes to foreign memory regions

Source: C:\Users\user\Desktop\CompleteStudio.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44C000	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44F000	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 45E000	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 60C008	Jump to behavior

Source: C:\Users\user\Desktop\CompleteStudio.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\CompleteStudio.exe	Queries volume information: C:\Users\user\Desktop\CompleteStudio.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CompleteStudio.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\CompleteStudio.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	22 System Information Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
CompleteStudio.exe	71%	ReversingLabs	Win32.Spyware.Multiverze
CompleteStudio.exe	100%	Avira	TR/AD.Nekark.pzkpz

Source	Detection	Scanner	Label
https://lev-tolstoi.com/pi	0%	Avira URL Cloud	safe
https://store.steampoweLs	0%	Avira URL Cloud	safe
https://lev-tolstoi.com/api	0%	Avira URL Cloud	safe
https://help.ste	0%	Avira URL Cloud	safe
https://lev-tolstoi.com/d	0%	Avira URL Cloud	safe
https://lev-tolstoi.com/lt	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	23.55.153.106	true	false	high
lev-tolstoi.com	104.21.66.86	true	false	high
possiwreeste.site	unknown	unknown	true	unknown
commandejorsk.site	unknown	unknown	true	unknown
famikyjdiag.site	unknown	unknown	true	unknown
writekdmsnu.site	unknown	unknown	true	unknown
delaylacedmn.site	unknown	unknown	true	unknown
agentyanlark.site	unknown	unknown	true	unknown
underlinemdsj.site	unknown	unknown	true	unknown
bellykmrebk.site	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
possiwreeste.site	false		high
commandejorsk.site	false		high
famikyjdiag.site	false		high
https://steamcommunity.com/profiles/76561199724331900	false		high
bellykmrebk.site	false		high
writekdmsnu.site	false		high
https://lev-tolstoi.com/api	true	Avira URL Cloud: safe	unknown
agentyanlark.site	false		high
delaylacedmn.site	false		high
underlinemdsj.site	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://help.ste	RegAsm.exe, 00000005.00000002.1568363403.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://player.vimeo.com	RegAsm.exe, 00000005.00000002.1568363403.0000000000B46000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/	RegAsm.exe, 00000005.00000002.1568363403.0000000000B46000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.1568363403.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sketchfab.com	RegAsm.exe, 00000005.00000002.1568363403.0000000000B46000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lv.queniujq.cn	RegAsm.exe, 00000005.00000002.1568363403.0000000000B46000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.1568363403.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://recaptcha.net/recaptcha/;	RegAsm.exe, 00000005.00000002.1568363403.0000000000B46000.00000004.00000020.00020000.00000000.sdmp	false		high
http://127.0.0.1:27060	RegAsm.exe, 00000005.00000002.1568363403.0000000000B46000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.1568363403.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com	RegAsm.exe, 00000005.00000002.1568363403.0000000000B46000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com	RegAsm.exe, 00000005.00000002.1568363403.0000000000B46000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/lt	RegAsm.exe, 00000005.00000002.1569030100.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://medal.tv	RegAsm.exe, 00000005.00000002.1568363403.0000000000B46000.00000004.00000020.00020000.00000000.sdmp	false		high
https://broadcast.st.dl.eccdnx.com	RegAsm.exe, 00000005.00000002.1568363403.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/recaptcha/	RegAsm.exe, 00000005.00000002.1568363403.0000000000B46000.00000004.00000020.00020000.00000000.sdmp	false		high
https://checkout.steampowered.com/	RegAsm.exe, 00000005.00000002.1568363403.0000000000B46000.00000004.00000020.00020000.00000000.sdmp	false		high
https://help.steampowered.com/	RegAsm.exe, 00000005.00000002.1568363403.0000000000B46000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.steampowered.com/	RegAsm.exe, 00000005.00000002.1568363403.0000000000B46000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampoweLs	RegAsm.exe, 00000005.00000002.1568363403.0000000000B46000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/	RegAsm.exe, 00000005.00000002.1568363403.0000000000B46000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.1568363403.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.steampowered.com/	RegAsm.exe, 00000005.00000002.1568363403.0000000000B46000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb	RegAsm.exe, 00000005.00000002.1568363403.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/	RegAsm.exe, 00000005.00000002.1568363403.0000000000B46000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/d	RegAsm.exe, 00000005.00000002.1569030100.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steam.tv/	RegAsm.exe, 00000005.00000002.1568363403.0000000000B46000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.1568363403.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/pi	RegAsm.exe, 00000005.00000002.1569030100.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/;	RegAsm.exe, 00000005.00000002.1568363403.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.66.86	lev-tolstoi.com	United States		13335	CLOUDFLARENETUS	false
23.55.153.106	steamcommunity.com	United States		20940	AKAMAI-ASN1EU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1577354
Start date and time:	2024-12-18 12:25:24 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	CompleteStudio.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/1@10/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 94% Number of executed functions: 28 Number of non-executed functions: 73
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.218.208.109, 4.175.87.197, 13.107.246.63
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: CompleteStudio.exe

Simulations

Behavior and APIs

Time	Type	Description
06:26:26	API Interceptor	1x Sleep call for process: CompleteStudio.exe modified
06:26:27	API Interceptor	9x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.66.86	MV ROCKET_PDA.exe	Get hash	malicious	FormBook	Browse	www.ayushigangwar.com/nqn4/?CJBlp=0Brh6Vr8UbBX&T2MpwT=59bmqUDXor7TXV4b71NCQ0d0nCVif23i1yH5+9ZmJc5hgCU7y+ZN9z0btTsWzGv6OrGw
23.55.153.106	random.exe.6.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar	Browse
	alexshlu.exe	Get hash	malicious	LummaC Stealer	Browse
	99awhy8l.exe	Get hash	malicious	LummaC	Browse
	5_6253708004881862888.exe	Get hash	malicious	LummaC	Browse
	noll.exe	Get hash	malicious	Stealc, Vidar	Browse
	1fxm3u0d.exe	Get hash	malicious	LummaC	Browse
	2kudv4ea.exe	Get hash	malicious	LummaC	Browse
	ardware-v1.exe	Get hash	malicious	LummaC	Browse
	ardware-v1.exe	Get hash	malicious	LummaC	Browse
	sNWQ2gC6if.exe	Get hash	malicious	LummaC	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
lev-tolstoi.com	random.exe.6.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar	Browse	172.67.157.254
	alexshlu.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.157.254
	5_6253708004881862888.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	1fxm3u0d.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	2kudv4ea.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	ardware-v1.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	ardware-v1.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
steamcommunity.com	random.exe.6.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar	Browse	23.55.153.106
	alexshlu.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106
	99awhy8l.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	5_6253708004881862888.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	noll.exe	Get hash	malicious	Stealc, Vidar	Browse	23.55.153.106
	1fxm3u0d.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	2kudv4ea.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	ardware-v1.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	ardware-v1.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	sNWQ2gC6if.exe	Get hash	malicious	LummaC	Browse	23.55.153.106

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASN1EU	random.exe.6.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar	Browse	23.55.153.106
	alexshlu.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106
	99awhy8l.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	5_6253708004881862888.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	noll.exe	Get hash	malicious	Stealc, Vidar	Browse	23.55.153.106
	1fxm3u0d.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	2kudv4ea.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	EXTERNALRe.msg	Get hash	malicious	Unknown	Browse	23.44.201.32
	ardware-v1.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	YF3YnL4ksc.exe	Get hash	malicious	Unknown	Browse	23.218.93.195
CLOUDFLARENETUS	winrar-x64-701.exe	Get hash	malicious	Unknown	Browse	172.67.177.42
	random.exe.6.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar	Browse	104.21.23.76
	alexshlu.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.157.254
	random.exe_Y.exe	Get hash	malicious	Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	104.21.64.80
	https://pluginvest.freshdesk.com/en/support/solutions/articles/157000010678-pluginvest-laadoplossing	Get hash	malicious	Unknown	Browse	172.66.0.145
	https://www.ispringsolutions.com/ispring-suite	Get hash	malicious	Unknown	Browse	104.21.80.1
	5_6253708004881862888.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	1fxm3u0d.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	2kudv4ea.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	http://trackmail.info/QLTRG66TP4/offer/00248/811/iuk7x/b4q/41/32	Get hash	malicious	Unknown	Browse	104.21.52.161

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	winrar-x64-701.exe	Get hash	malicious	Unknown	Browse	104.21.66.86 23.55.153.106
	random.exe.6.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar	Browse	104.21.66.86 23.55.153.106
	alexshlu.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.66.86 23.55.153.106
	99awhy8l.exe	Get hash	malicious	LummaC	Browse	104.21.66.86 23.55.153.106
	random.exe_Y.exe	Get hash	malicious	Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	104.21.66.86 23.55.153.106
	5_6253708004881862888.exe	Get hash	malicious	LummaC	Browse	104.21.66.86 23.55.153.106
	1fxm3u0d.exe	Get hash	malicious	LummaC	Browse	104.21.66.86 23.55.153.106
	2kudv4ea.exe	Get hash	malicious	LummaC	Browse	104.21.66.86 23.55.153.106
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	104.21.66.86 23.55.153.106
	NativeApp_G5L1NHZZ.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.66.86 23.55.153.106

Process:	C:\Users\user\Desktop\CompleteStudio.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.713569994064714
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.69% Win32 Executable (generic) a (10002005/4) 49.65% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% InstallShield setup (43055/19) 0.21% Windows Screen Saver (13104/52) 0.07%
File name:	CompleteStudio.exe
File size:	490'496 bytes
MD5:	ee4d5bd9f92faca11d441676ceddcec9
SHA1:	64626881b63abc37cd77fca95f524830849dd135
SHA256:	d6872d521e977683f9fbf54b80e2a218aec4f0ae9caaa233ca9797f16c37b4d4
SHA512:	0daac4bdfc51994877c27f87377d210674c78eb4587a9baef6fbe46f5a1aa8e9ed700d4881356adc66c713562995a5fa5f56ecacc2a84ee2f695f2816fe63752
SSDEEP:	12288:vghWNZ1zz4AxWtCfoPiVrCVe80BupSNcBCpzT:vkW9zP2Q7uVebupSN
TLSH:	6BA43974EB80F908DC9E43F4A6E77E56674580C94321083B6B0C5EB10A6734B9EDF69E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0..r..........f.... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x479066
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x87E9D682 [Fri Apr 4 18:29:22 2042 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x79011	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7a000	0x59c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x78f6c	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x7706c	0x77200	6ca3e53768551924c944f7975ff88919	False	0.424752426547744	data	6.7210323069276665	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x7a000	0x59c	0x600	67fccbbe05f308adb136b902a73933d8	False	0.4134114583333333	data	4.051975543236342	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7c000	0xc	0x200	0cf7194caa9d1c5319d2c8ebabb4d931	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x7a090	0x30c	data			0.4217948717948718
RT_MANIFEST	0x7a3ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-18T12:26:27.596874+0100	2056336	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (delaylacedmn .site)	1	192.168.2.8	63245	1.1.1.1	53	UDP
2024-12-18T12:26:27.830010+0100	2056338	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (famikyjdiag .site)	1	192.168.2.8	64644	1.1.1.1	53	UDP
2024-12-18T12:26:28.225597+0100	2056340	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (possiwreeste .site)	1	192.168.2.8	62519	1.1.1.1	53	UDP
2024-12-18T12:26:28.454159+0100	2056334	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (commandejorsk .site)	1	192.168.2.8	55990	1.1.1.1	53	UDP
2024-12-18T12:26:28.759519+0100	2056344	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (underlinemdsj .site)	1	192.168.2.8	54939	1.1.1.1	53	UDP
2024-12-18T12:26:29.050890+0100	2056328	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bellykmrebk .site)	1	192.168.2.8	63189	1.1.1.1	53	UDP
2024-12-18T12:26:29.278453+0100	2056324	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (agentyanlark .site)	1	192.168.2.8	53908	1.1.1.1	53	UDP
2024-12-18T12:26:29.590093+0100	2056346	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (writekdmsnu .site)	1	192.168.2.8	59437	1.1.1.1	53	UDP
2024-12-18T12:26:31.450288+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49709	23.55.153.106	443	TCP
2024-12-18T12:26:32.308558+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.8	49709	23.55.153.106	443	TCP
2024-12-18T12:26:33.914351+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49710	104.21.66.86	443	TCP
2024-12-18T12:26:34.653780+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.8	49710	104.21.66.86	443	TCP
2024-12-18T12:26:34.653780+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.8	49710	104.21.66.86	443	TCP
2024-12-18T12:26:35.473552+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49711	104.21.66.86	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 12:26:30.050163031 CET	49709	443	192.168.2.8	23.55.153.106
Dec 18, 2024 12:26:30.050236940 CET	443	49709	23.55.153.106	192.168.2.8
Dec 18, 2024 12:26:30.050333977 CET	49709	443	192.168.2.8	23.55.153.106
Dec 18, 2024 12:26:30.055358887 CET	49709	443	192.168.2.8	23.55.153.106
Dec 18, 2024 12:26:30.055399895 CET	443	49709	23.55.153.106	192.168.2.8
Dec 18, 2024 12:26:31.450112104 CET	443	49709	23.55.153.106	192.168.2.8
Dec 18, 2024 12:26:31.450288057 CET	49709	443	192.168.2.8	23.55.153.106
Dec 18, 2024 12:26:31.453531981 CET	49709	443	192.168.2.8	23.55.153.106
Dec 18, 2024 12:26:31.453572035 CET	443	49709	23.55.153.106	192.168.2.8
Dec 18, 2024 12:26:31.453888893 CET	443	49709	23.55.153.106	192.168.2.8
Dec 18, 2024 12:26:31.504664898 CET	49709	443	192.168.2.8	23.55.153.106
Dec 18, 2024 12:26:31.532617092 CET	49709	443	192.168.2.8	23.55.153.106
Dec 18, 2024 12:26:31.579333067 CET	443	49709	23.55.153.106	192.168.2.8
Dec 18, 2024 12:26:32.308598042 CET	443	49709	23.55.153.106	192.168.2.8
Dec 18, 2024 12:26:32.308623075 CET	443	49709	23.55.153.106	192.168.2.8
Dec 18, 2024 12:26:32.308661938 CET	443	49709	23.55.153.106	192.168.2.8
Dec 18, 2024 12:26:32.308674097 CET	443	49709	23.55.153.106	192.168.2.8
Dec 18, 2024 12:26:32.308695078 CET	443	49709	23.55.153.106	192.168.2.8
Dec 18, 2024 12:26:32.308696985 CET	49709	443	192.168.2.8	23.55.153.106
Dec 18, 2024 12:26:32.308767080 CET	443	49709	23.55.153.106	192.168.2.8
Dec 18, 2024 12:26:32.308808088 CET	49709	443	192.168.2.8	23.55.153.106
Dec 18, 2024 12:26:32.308809042 CET	49709	443	192.168.2.8	23.55.153.106
Dec 18, 2024 12:26:32.308840990 CET	49709	443	192.168.2.8	23.55.153.106
Dec 18, 2024 12:26:32.406325102 CET	443	49709	23.55.153.106	192.168.2.8
Dec 18, 2024 12:26:32.406383991 CET	443	49709	23.55.153.106	192.168.2.8
Dec 18, 2024 12:26:32.406413078 CET	49709	443	192.168.2.8	23.55.153.106
Dec 18, 2024 12:26:32.406431913 CET	443	49709	23.55.153.106	192.168.2.8
Dec 18, 2024 12:26:32.406475067 CET	49709	443	192.168.2.8	23.55.153.106
Dec 18, 2024 12:26:32.439661980 CET	443	49709	23.55.153.106	192.168.2.8
Dec 18, 2024 12:26:32.439750910 CET	443	49709	23.55.153.106	192.168.2.8
Dec 18, 2024 12:26:32.439760923 CET	49709	443	192.168.2.8	23.55.153.106
Dec 18, 2024 12:26:32.439769030 CET	443	49709	23.55.153.106	192.168.2.8
Dec 18, 2024 12:26:32.439824104 CET	49709	443	192.168.2.8	23.55.153.106
Dec 18, 2024 12:26:32.442542076 CET	49709	443	192.168.2.8	23.55.153.106
Dec 18, 2024 12:26:32.442542076 CET	49709	443	192.168.2.8	23.55.153.106
Dec 18, 2024 12:26:32.442589045 CET	443	49709	23.55.153.106	192.168.2.8
Dec 18, 2024 12:26:32.442621946 CET	443	49709	23.55.153.106	192.168.2.8
Dec 18, 2024 12:26:32.693105936 CET	49710	443	192.168.2.8	104.21.66.86
Dec 18, 2024 12:26:32.693166018 CET	443	49710	104.21.66.86	192.168.2.8
Dec 18, 2024 12:26:32.693236113 CET	49710	443	192.168.2.8	104.21.66.86
Dec 18, 2024 12:26:32.693703890 CET	49710	443	192.168.2.8	104.21.66.86
Dec 18, 2024 12:26:32.693717003 CET	443	49710	104.21.66.86	192.168.2.8
Dec 18, 2024 12:26:33.914191008 CET	443	49710	104.21.66.86	192.168.2.8
Dec 18, 2024 12:26:33.914350986 CET	49710	443	192.168.2.8	104.21.66.86
Dec 18, 2024 12:26:33.916503906 CET	49710	443	192.168.2.8	104.21.66.86
Dec 18, 2024 12:26:33.916522980 CET	443	49710	104.21.66.86	192.168.2.8
Dec 18, 2024 12:26:33.916809082 CET	443	49710	104.21.66.86	192.168.2.8
Dec 18, 2024 12:26:33.918427944 CET	49710	443	192.168.2.8	104.21.66.86
Dec 18, 2024 12:26:33.918462038 CET	49710	443	192.168.2.8	104.21.66.86
Dec 18, 2024 12:26:33.918519020 CET	443	49710	104.21.66.86	192.168.2.8
Dec 18, 2024 12:26:34.653778076 CET	443	49710	104.21.66.86	192.168.2.8
Dec 18, 2024 12:26:34.653860092 CET	443	49710	104.21.66.86	192.168.2.8
Dec 18, 2024 12:26:34.653961897 CET	49710	443	192.168.2.8	104.21.66.86
Dec 18, 2024 12:26:34.654211998 CET	49710	443	192.168.2.8	104.21.66.86
Dec 18, 2024 12:26:34.654257059 CET	443	49710	104.21.66.86	192.168.2.8
Dec 18, 2024 12:26:34.654292107 CET	49710	443	192.168.2.8	104.21.66.86
Dec 18, 2024 12:26:34.654308081 CET	443	49710	104.21.66.86	192.168.2.8
Dec 18, 2024 12:26:34.721230984 CET	49711	443	192.168.2.8	104.21.66.86
Dec 18, 2024 12:26:34.721271992 CET	443	49711	104.21.66.86	192.168.2.8
Dec 18, 2024 12:26:34.721368074 CET	49711	443	192.168.2.8	104.21.66.86
Dec 18, 2024 12:26:34.721930027 CET	49711	443	192.168.2.8	104.21.66.86
Dec 18, 2024 12:26:34.721946001 CET	443	49711	104.21.66.86	192.168.2.8
Dec 18, 2024 12:26:35.473551989 CET	49711	443	192.168.2.8	104.21.66.86

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 12:26:27.596873999 CET	63245	53	192.168.2.8	1.1.1.1
Dec 18, 2024 12:26:27.824726105 CET	53	63245	1.1.1.1	192.168.2.8
Dec 18, 2024 12:26:27.830009937 CET	64644	53	192.168.2.8	1.1.1.1
Dec 18, 2024 12:26:28.220206022 CET	53	64644	1.1.1.1	192.168.2.8
Dec 18, 2024 12:26:28.225596905 CET	62519	53	192.168.2.8	1.1.1.1
Dec 18, 2024 12:26:28.450390100 CET	53	62519	1.1.1.1	192.168.2.8
Dec 18, 2024 12:26:28.454159021 CET	55990	53	192.168.2.8	1.1.1.1
Dec 18, 2024 12:26:28.756627083 CET	53	55990	1.1.1.1	192.168.2.8
Dec 18, 2024 12:26:28.759519100 CET	54939	53	192.168.2.8	1.1.1.1
Dec 18, 2024 12:26:28.979896069 CET	53	54939	1.1.1.1	192.168.2.8
Dec 18, 2024 12:26:29.050889969 CET	63189	53	192.168.2.8	1.1.1.1
Dec 18, 2024 12:26:29.272849083 CET	53	63189	1.1.1.1	192.168.2.8
Dec 18, 2024 12:26:29.278453112 CET	53908	53	192.168.2.8	1.1.1.1
Dec 18, 2024 12:26:29.580962896 CET	53	53908	1.1.1.1	192.168.2.8
Dec 18, 2024 12:26:29.590092897 CET	59437	53	192.168.2.8	1.1.1.1
Dec 18, 2024 12:26:29.902637005 CET	53	59437	1.1.1.1	192.168.2.8
Dec 18, 2024 12:26:29.907421112 CET	63223	53	192.168.2.8	1.1.1.1
Dec 18, 2024 12:26:30.044404984 CET	53	63223	1.1.1.1	192.168.2.8
Dec 18, 2024 12:26:32.447899103 CET	65110	53	192.168.2.8	1.1.1.1
Dec 18, 2024 12:26:32.686244011 CET	53	65110	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 18, 2024 12:26:27.596873999 CET	192.168.2.8	1.1.1.1	0xf61d	Standard query (0)	delaylacedmn.site	A (IP address)	IN (0x0001)	false
Dec 18, 2024 12:26:27.830009937 CET	192.168.2.8	1.1.1.1	0x2780	Standard query (0)	famikyjdiag.site	A (IP address)	IN (0x0001)	false
Dec 18, 2024 12:26:28.225596905 CET	192.168.2.8	1.1.1.1	0xe494	Standard query (0)	possiwreeste.site	A (IP address)	IN (0x0001)	false
Dec 18, 2024 12:26:28.454159021 CET	192.168.2.8	1.1.1.1	0x2a03	Standard query (0)	commandejorsk.site	A (IP address)	IN (0x0001)	false
Dec 18, 2024 12:26:28.759519100 CET	192.168.2.8	1.1.1.1	0x61d	Standard query (0)	underlinemdsj.site	A (IP address)	IN (0x0001)	false
Dec 18, 2024 12:26:29.050889969 CET	192.168.2.8	1.1.1.1	0x492d	Standard query (0)	bellykmrebk.site	A (IP address)	IN (0x0001)	false
Dec 18, 2024 12:26:29.278453112 CET	192.168.2.8	1.1.1.1	0x979e	Standard query (0)	agentyanlark.site	A (IP address)	IN (0x0001)	false
Dec 18, 2024 12:26:29.590092897 CET	192.168.2.8	1.1.1.1	0x5d45	Standard query (0)	writekdmsnu.site	A (IP address)	IN (0x0001)	false
Dec 18, 2024 12:26:29.907421112 CET	192.168.2.8	1.1.1.1	0x95c4	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Dec 18, 2024 12:26:32.447899103 CET	192.168.2.8	1.1.1.1	0xbbc8	Standard query (0)	lev-tolstoi.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 18, 2024 12:26:27.824726105 CET	1.1.1.1	192.168.2.8	0xf61d	Name error (3)	delaylacedmn.site	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 12:26:28.220206022 CET	1.1.1.1	192.168.2.8	0x2780	Name error (3)	famikyjdiag.site	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 12:26:28.450390100 CET	1.1.1.1	192.168.2.8	0xe494	Name error (3)	possiwreeste.site	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 12:26:28.756627083 CET	1.1.1.1	192.168.2.8	0x2a03	Name error (3)	commandejorsk.site	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 12:26:28.979896069 CET	1.1.1.1	192.168.2.8	0x61d	Name error (3)	underlinemdsj.site	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 12:26:29.272849083 CET	1.1.1.1	192.168.2.8	0x492d	Name error (3)	bellykmrebk.site	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 12:26:29.580962896 CET	1.1.1.1	192.168.2.8	0x979e	Name error (3)	agentyanlark.site	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 12:26:29.902637005 CET	1.1.1.1	192.168.2.8	0x5d45	Name error (3)	writekdmsnu.site	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 12:26:30.044404984 CET	1.1.1.1	192.168.2.8	0x95c4	No error (0)	steamcommunity.com		23.55.153.106	A (IP address)	IN (0x0001)	false
Dec 18, 2024 12:26:32.686244011 CET	1.1.1.1	192.168.2.8	0xbbc8	No error (0)	lev-tolstoi.com		104.21.66.86	A (IP address)	IN (0x0001)	false
Dec 18, 2024 12:26:32.686244011 CET	1.1.1.1	192.168.2.8	0xbbc8	No error (0)	lev-tolstoi.com		172.67.157.254	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

lev-tolstoi.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49709	23.55.153.106	443	8160	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 11:26:31 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-12-18 11:26:32 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Wed, 18 Dec 2024 11:26:31 GMT Content-Length: 35121 Connection: close Set-Cookie: sessionid=10d5db56be4d634a05fc1ba4; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2024-12-18 11:26:32 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2024-12-18 11:26:32 UTC	10097	IN	Data Raw: 2e 63 6f 6d 2f 3f 73 75 62 73 65 63 74 69 6f 6e 3d 62 72 6f 61 64 63 61 73 74 73 22 3e 0a 09 09 09 09 09 09 42 72 6f 61 64 63 61 73 74 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 62 6f 75 74 2f 22 3e 0a 09 09 09 09 41 62 6f 75 74 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 65 6c 70 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 65 6e 2f 22 3e 0a 09 09 09 09 53 55 50 50 4f 52 54 09 Data Ascii: .com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPORT
2024-12-18 11:26:32 UTC	10545	IN	Data Raw: 4e 49 56 45 52 53 45 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 70 75 62 6c 69 63 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4c 41 4e 47 55 41 47 45 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 65 6e 67 6c 69 73 68 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 43 4f 55 4e 54 52 59 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 55 53 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4d 45 44 49 41 5f 43 44 4e 5f 43 4f 4d 4d 55 4e 49 54 59 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 63 64 6e 2e 66 61 73 74 6c 79 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 5c 2f 70 75 62 6c 69 63 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4d 45 44 49 41 5f 43 44 4e 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 Data Ascii: NIVERSE":"public","LANGUAGE":"english","COUNTRY":"US","MEDIA_CDN_COMMUNITY_URL":"https:\/\/cdn.fastly.steamstatic.com\/steamcommunity\/public\/","MEDIA_CDN_URL":"htt

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49710	104.21.66.86	443	8160	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 11:26:33 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: lev-tolstoi.com
2024-12-18 11:26:33 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-18 11:26:34 UTC	1032	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 11:26:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=4gqghd437nghinnohha7vm62ln; expires=Sun, 13-Apr-2025 05:13:13 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eeKt8FwIJI3Im%2Bl9NlCi1alPZk7Js1AjUupzmuegB0lzvRAXug78no7T2hXkwPqzQka4GggW9I6h27mnG4Aq8nO8SpzrUAvEqsl5RJSc6X2ncnZi41PWyH2%2F8xhwE1csLsQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3ecc77dfa54402-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2040&min_rtt=2034&rtt_var=776&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=906&delivery_rate=1398467&cwnd=182&unsent_bytes=0&cid=b3db66d2b857af4f&ts=753&x=0"
2024-12-18 11:26:34 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-18 11:26:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	06:26:20
Start date:	18/12/2024
Path:	C:\Users\user\Desktop\CompleteStudio.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\CompleteStudio.exe"
Imagebase:	0x500000
File size:	490'496 bytes
MD5 hash:	EE4D5BD9F92FACA11D441676CEDDCEC9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:26:26
Start date:	18/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x2a0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:26:26
Start date:	18/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x310000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:26:26
Start date:	18/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x4c0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	22%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	18
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFB4AFF151F Relevance: 1.6, Instructions: 1610
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1539896148.00007FFB4AFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aff0000_CompleteStudio.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1529a5f7115f7beac03f415c6306b8a0514a9dcbbf7259f340bbba4e3aab54fe
Instruction ID: 7c296b8b547b9e03015b0760e6b07b57c67d880a53a3aaabe7a1ce142ee0412a
Opcode Fuzzy Hash: 1529a5f7115f7beac03f415c6306b8a0514a9dcbbf7259f340bbba4e3aab54fe
Instruction Fuzzy Hash: 1EC28FB0619A498FE799FF38C485A6577E6FF98300F5045B9E44EC72A6DE34E842CB40

Function 00007FFB4AFFC5AB Relevance: .6, Instructions: 606
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1539896148.00007FFB4AFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aff0000_CompleteStudio.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9034a6242d024d40a9dd8c8b1dcaf165ca30c5548e61143c4167ba2400a87e4e
Instruction ID: 0c9a0d53a1b154fdd9623a3508410b10c1667f8c9d21501915c3a1980ddfb370
Opcode Fuzzy Hash: 9034a6242d024d40a9dd8c8b1dcaf165ca30c5548e61143c4167ba2400a87e4e
Instruction Fuzzy Hash: CA325570914A1E9FDB55EF24C090BA5F7B6FF98300F1086E5D41EDB299DA38A9C1CB90

Function 00007FFB4AFF9F51 Relevance: .3, Instructions: 309
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1539896148.00007FFB4AFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aff0000_CompleteStudio.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e835d0cb31d4980dd311b7248a0134fae46dccde8f1d955b83a4c694bd035f6d
Instruction ID: 282da6454b0fb3ffeddae4cee6410f7497cea4de33aa0b7a86e4223f93a9af3d
Opcode Fuzzy Hash: e835d0cb31d4980dd311b7248a0134fae46dccde8f1d955b83a4c694bd035f6d
Instruction Fuzzy Hash: 35B1497091490EDFDB45EF64C095BE9BBF2FF58300F5086B6D41AD7295DA38A881CB90

Function 00007FFB4B00183D Relevance: 2.0, APIs: 1, Instructions: 511
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE ref: 00007FFB4B001C93

Memory Dump Source

Source File: 00000000.00000002.1539896148.00007FFB4AFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aff0000_CompleteStudio.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f1ea5a9abf79ac23ec513bd952125a9abdc8118ee8d07c3562f334ef72ae5d56
Instruction ID: f06c6df168ca3bd0bc9b8a3c29d3191a96fcdce30d0c6c8118ad9863c0dddd34
Opcode Fuzzy Hash: f1ea5a9abf79ac23ec513bd952125a9abdc8118ee8d07c3562f334ef72ae5d56
Instruction Fuzzy Hash: 83025C70918A8D8FEBB9EF28D8557E977E1FB59301F00416AE80EC7291DF749681CB81

Function 00007FFB4B00131D Relevance: 1.7, APIs: 1, Instructions: 215
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE ref: 00007FFB4B001492

Memory Dump Source

Source File: 00000000.00000002.1539896148.00007FFB4AFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aff0000_CompleteStudio.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8c0d52b31b687c1302a07cb91a9613307019e13127177995865151d7d8482871
Instruction ID: 5943cb9f2f9a7f7b5327603b811fc571ddb12a1668509570d708706dcc777815
Opcode Fuzzy Hash: 8c0d52b31b687c1302a07cb91a9613307019e13127177995865151d7d8482871
Instruction Fuzzy Hash: D2612770908A5D8FDB94DF68C885BE9BBF1FB69311F1082AAD44DE3255CB34A985CF40

Function 00007FFB4B001521 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE ref: 00007FFB4B00166D

Memory Dump Source

Source File: 00000000.00000002.1539896148.00007FFB4AFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aff0000_CompleteStudio.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: ad19a5e4a9dc85b6e5e05ca80dd0b48e9eabb76930b61758e940c4f9458b304d
Instruction ID: 338bb3f21148363c1945b7819d954801fd8873e6483ac845b0bb8257a01aad9d
Opcode Fuzzy Hash: ad19a5e4a9dc85b6e5e05ca80dd0b48e9eabb76930b61758e940c4f9458b304d
Instruction Fuzzy Hash: CF511570908A5C8FDF94DF68C885BE9BBB1FB69311F1082AAD44DE3251CB34A985CB40

Function 00007FFB4B001169 Relevance: 1.7, APIs: 1, Instructions: 191
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE ref: 00007FFB4B0012A7

Memory Dump Source

Source File: 00000000.00000002.1539896148.00007FFB4AFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aff0000_CompleteStudio.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8c28c227489bf600f77103113fe40b3388d4ca46dc60601c7952b7e6c10ac3c3
Instruction ID: ce371d1346c47f4cc2a29c18ddb3049b7d0dc76f12e3ccdcac1e5186310422e1
Opcode Fuzzy Hash: 8c28c227489bf600f77103113fe40b3388d4ca46dc60601c7952b7e6c10ac3c3
Instruction Fuzzy Hash: DF51287090865D8FDF94DF68C885BE9BBB1FB69310F1092AAD44DE3251DB34A895CF40

Function 00007FFB4B000FC5 Relevance: 1.7, APIs: 1, Instructions: 181
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNELBASE ref: 00007FFB4B0010F5

Memory Dump Source

Source File: 00000000.00000002.1539896148.00007FFB4AFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aff0000_CompleteStudio.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 137a05c27b3b2224396c131fdf50d0967d811fb71efe95579a1eb0100d671589
Instruction ID: 753fa082a5f03516e1801fbc87bcbe437ad1919831b5e3aa5f3243dbdbc06684
Opcode Fuzzy Hash: 137a05c27b3b2224396c131fdf50d0967d811fb71efe95579a1eb0100d671589
Instruction Fuzzy Hash: 5C512870D08A4D8FDB54DFA8C885BEDBBF1EB55311F1082AAD448E7256DB749485CB40

Function 00007FFB4B000E6D Relevance: 1.7, APIs: 1, Instructions: 153
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 00007FFB4B000F5F

Memory Dump Source

Source File: 00000000.00000002.1539896148.00007FFB4AFF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aff0000_CompleteStudio.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 81d17b049b4f2430f945cbf8b68914a8801803297e19e2187608c54f60eb59e8
Instruction ID: 2b3f1a5b1025f00ac6483f986e576c460189a99f259a67453df9e2020eb7dba3
Opcode Fuzzy Hash: 81d17b049b4f2430f945cbf8b68914a8801803297e19e2187608c54f60eb59e8
Instruction Fuzzy Hash: FB518B70D0C78C8FDB56DFA8C895AEDBFB0EF56310F0441AAD049E7292DA74A486CB51

Analysis Process: RegAsm.exePID: 8160, Parent PID: 7904COMMON

Execution Graph

Execution Coverage:	1.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	48.1%
Total number of Nodes:	108
Total number of Limit Nodes:	18

Executed Functions

Function 00440118 Relevance: 18.0, APIs: 7, Strings: 3, Instructions: 462
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32 ref: 00440149
SysStringLen.OLEAUT32(?), ref: 004401FA
VariantClear.OLEAUT32 ref: 00440392

Strings

/.-,, xrefs: 00440693, 0044069B
/.-,, xrefs: 004405E3, 004405EB
4`[b, xrefs: 004406D0

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: Variant$ClearInitString
String ID: /.-,$/.-,$4`[b
API String ID: 825681660-3655442430
Opcode ID: 74fa93fe1aa01fc7789c4b564c888145abc275ceb45d1c9a3e570741ec2b6672
Instruction ID: a146195070703f8030d25863cbf2834a15c96a942167813edb38b99b85ca9f11
Opcode Fuzzy Hash: 74fa93fe1aa01fc7789c4b564c888145abc275ceb45d1c9a3e570741ec2b6672
Instruction Fuzzy Hash: C6F1FEB2608301DFE300DF24E88172EB7E1FB89346F14492DE58197392D739E921CB5A

Function 0040FEA0 Relevance: 14.4, Strings: 11, Instructions: 633
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

a#B!, xrefs: 00410849
-g.e, xrefs: 004108C0
!, xrefs: 00410160
c;j9, xrefs: 0041083B
-{(y, xrefs: 004108AB
vA, xrefs: 004107EE
*, xrefs: 0041017E
|/s-, xrefs: 0041085E
WU, xrefs: 004100B6
+w#u, xrefs: 004108A4
j?n=, xrefs: 00410842

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: *$+w#u$-g.e$-{(y$a#B!$c;j9$j?n=$vA$|/s-$WU$!
API String ID: 0-1787053657
Opcode ID: c13be54020f41ce89dab5dc43ca08c7f796e33f7d12026ab39e084d4114764ea
Instruction ID: c2bb247bafdb7313821d879b64bda63368b080b473f309f5bbc30140614eceec
Opcode Fuzzy Hash: c13be54020f41ce89dab5dc43ca08c7f796e33f7d12026ab39e084d4114764ea
Instruction Fuzzy Hash: F25223B8101B44CFD3208F25D985B9BBBF1FB45304F108A2DE5AA9BA90D7B4A449CF95

Function 0040F242 Relevance: 13.1, Strings: 10, Instructions: 615
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

}%v', xrefs: 0040F56A
a1c3, xrefs: 0040F4F4
m5o7, xrefs: 0040F4FB
o9h;, xrefs: 0040F502
}%v', xrefs: 0040F517
|s, xrefs: 0040F4AE
s!s#, xrefs: 0040F510
h=m?, xrefs: 0040F509
x)*+, xrefs: 0040F51E
lev-tolstoi.com, xrefs: 0040F3C3, 0040F7DC, 0040F803

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: a1c3$h=m?$lev-tolstoi.com$m5o7$o9h;$s!s#$x)*+$|s$}%v'$}%v'
API String ID: 0-986374806
Opcode ID: 024ef0da4a596ea164a11865650f69faa876bc17e72d013c950936e6cad53d2c
Instruction ID: ab31153b6aecb880430fb79f64d743cd69268ca503e92c45a0fdefa4ad8a0f35
Opcode Fuzzy Hash: 024ef0da4a596ea164a11865650f69faa876bc17e72d013c950936e6cad53d2c
Instruction Fuzzy Hash: E712CF75904254CFCB24CFA4D8906ADBBB1FF4A314F28447ED845BB792D33A984ACB58

Function 004109FD Relevance: 10.1, Strings: 8, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

a#B!, xrefs: 00410849
-g.e, xrefs: 004108C0
c;j9, xrefs: 0041083B
-{(y, xrefs: 004108AB
vA, xrefs: 004107EE
|/s-, xrefs: 0041085E
+w#u, xrefs: 004108A4
j?n=, xrefs: 00410842

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: +w#u$-g.e$-{(y$a#B!$c;j9$j?n=$vA$|/s-
API String ID: 0-3368389427
Opcode ID: 7cdf59660103e34530295848d8297454cd7db00b4eee7c08d484b65ddcde7457
Instruction ID: ef5da5caff501121846a183971fce4e3a24f1d29a4bd3fd26003c313b652faee
Opcode Fuzzy Hash: 7cdf59660103e34530295848d8297454cd7db00b4eee7c08d484b65ddcde7457
Instruction Fuzzy Hash: 26511DB8801B44CFD320DF65D58579BBAF1BB11300F508A0DE5AA6BB90D7B4A049CF9A

Function 00446C3F Relevance: 7.9, Strings: 6, Instructions: 387
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

bkji, xrefs: 00447092, 00446FEF
%sgh, xrefs: 00446E10
;tD, xrefs: 004475A0
@, xrefs: 00446CBB
bkji, xrefs: 00446F7B, 00446F53, 00446F5B
4`[b, xrefs: 004470A0

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: %sgh$4`[b$;tD$@$bkji$bkji
API String ID: 0-2268879959
Opcode ID: 94df2760f8db060c208eec00ee275b17ceaeda88ae7b023788925bbd64218746
Instruction ID: 3f5a3689fe6e23831503edc09df9701b4f8abac82631b9520675ae7212839888
Opcode Fuzzy Hash: 94df2760f8db060c208eec00ee275b17ceaeda88ae7b023788925bbd64218746
Instruction Fuzzy Hash: 87D17B7560C3419BE700DF24D890B2EBBE5EF8630AF55882DE1C58B2A2D339D855CB5B

Function 0040F940 Relevance: 5.4, Strings: 4, Instructions: 384
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

abv>, xrefs: 0040F983, 0040F98B
(+, xrefs: 0040FC95
,S, xrefs: 0040FAEC
hl`b, xrefs: 0040F952

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ,S$abv>$hl`b$(+
API String ID: 0-1477408855
Opcode ID: 72ac0c004794a08c95aa35a317ae4500911b9d1d818d48228cf010c78f30d133
Instruction ID: 9f817a8e2a67d5e9bb77a4aa321ba27626eab226e45f4db4f393a7a4b5a1abac
Opcode Fuzzy Hash: 72ac0c004794a08c95aa35a317ae4500911b9d1d818d48228cf010c78f30d133
Instruction Fuzzy Hash: 1DD15A7050C3848BD321DF18D494A2FBBE1AF92744F14093EE4D5AB792D33AD949CB9A

Function 0043FD80 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(0044DCE0,00000000,00000001,0044DCD0,00000000), ref: 0043FEA2

Strings

mIJK, xrefs: 0043FDC5

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: CreateInstance
String ID: mIJK
API String ID: 542301482-2094758170
Opcode ID: cd81c5929b91414d489edfd56ac764e2b56c5f937d3754ba0716fcd7b3fc2e63
Instruction ID: 6d6e8251282932131825886d4fbc4f339e8b743bf89347e6ebcce9a4e0a81887
Opcode Fuzzy Hash: cd81c5929b91414d489edfd56ac764e2b56c5f937d3754ba0716fcd7b3fc2e63
Instruction Fuzzy Hash: 132157B0118380AFE3209F15D984B5FBBF4BB86B05F50591DF6D88A291CBB69408CF97

Function 00446BB0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0044A35D,005C003F,00000006,?,?,00000018,;:54,?,?), ref: 00446BDE

Strings

;:54, xrefs: 00446BB0, 00446BCC, 00446BDA

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: ;:54
API String ID: 2994545307-2887251705
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 0040ED69 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af35127cc1491bfc61b17fa5ba87654075c7ae562b45c20c3b4bab04c1f43731
Instruction ID: 9edcf4d25f74866ae39aa047a6d5692af398919683ba0a025143113fbbde7ae8
Opcode Fuzzy Hash: af35127cc1491bfc61b17fa5ba87654075c7ae562b45c20c3b4bab04c1f43731
Instruction Fuzzy Hash: 40C04C75D44218ABCB109FD4DC44BEDF7B9EB0F211F142420F518F3150D670D4408B18

Function 00412763 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 300
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(910F9FD9,00000104), ref: 00412BB0

Strings

7, xrefs: 00412838
XY, xrefs: 00412AD8
F?>1, xrefs: 00412A36
GD, xrefs: 00412770
s{, xrefs: 004129A7
lev-tolstoi.com, xrefs: 00412B62
E22B8C8B971D605C894122DFD90F982E, xrefs: 00412763

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: DirectorySystem
String ID: 7$E22B8C8B971D605C894122DFD90F982E$F?>1$GD$XY$lev-tolstoi.com$s{
API String ID: 2188284642-1030622931
Opcode ID: fc0f454941e73d89c8600b02f15ed39ee35adba4237271d2f7a6d66bb47eb516
Instruction ID: 62ad8892d7640dbba1527e93f85876fe2800d594e9350e4a7a6b89632e521fd2
Opcode Fuzzy Hash: fc0f454941e73d89c8600b02f15ed39ee35adba4237271d2f7a6d66bb47eb516
Instruction Fuzzy Hash: 1CB18AB400C3808ED7708F24C494BEFBBE5AB9A308F14496EE8D89B252D7758589CF57

Function 0043FF7B Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 82
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32 ref: 0043FFCB
SysAllocString.OLEAUT32 ref: 00440087

Strings

13, xrefs: 0043FFA3, 0043FFAB
<;, xrefs: 00440033
=>?, xrefs: 0043FF83

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: AllocString
String ID: <;$13$=>?
API String ID: 2525500382-233072664
Opcode ID: eadfb38759a15d6bf80d1e0cf7a58bb9c6127851ff1dfacb242367057db8f5d2
Instruction ID: aef27eaaddc37be085e33d94480df1b121f3fdb86c47149d4cfce4d70e5ec3ca
Opcode Fuzzy Hash: eadfb38759a15d6bf80d1e0cf7a58bb9c6127851ff1dfacb242367057db8f5d2
Instruction Fuzzy Hash: 3A310CB410E380AFD310AF59E984A1FBBF5EB96705F90191EF5C18A212C37A8815CB67

Function 0040D1B0 Relevance: 6.2, APIs: 4, Instructions: 168
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetInputState.USER32 ref: 0040D1C1
GetCurrentThreadId.KERNEL32 ref: 0040D1D6
GetCurrentProcessId.KERNEL32 ref: 0040D1DC
ExitProcess.KERNEL32 ref: 0040D3B0

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: CurrentProcess$ExitInputStateThread
String ID:
API String ID: 1029096631-0
Opcode ID: c0e1b895e2e72f73dc8955270e6ecdde58eb03a2be26a69b02c4ddbf36745924
Instruction ID: cef429908aa3f9a371f43fe30aad8a3e1bbd179f5a8d92ac8e9d07c1c392d4d2
Opcode Fuzzy Hash: c0e1b895e2e72f73dc8955270e6ecdde58eb03a2be26a69b02c4ddbf36745924
Instruction Fuzzy Hash: 4D41387490C380ABD301BFA9D544A1EFFE5AF52709F148D6DE5C4A7292C33AC8148B6B

Function 00443D70 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 33
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 00443DC7

Strings

;:9, xrefs: 00443D93, 00443D9B

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: AllocateHeap
String ID: ;:9
API String ID: 1279760036-2043501942
Opcode ID: b0a2b385c493f2e05ed0f16342a373650e8d6b78ba81928787c921c82ab7b483
Instruction ID: 3614878b22931f63ccd83f747bb93377d8c2420df51822dec7133d9b7ce95dac
Opcode Fuzzy Hash: b0a2b385c493f2e05ed0f16342a373650e8d6b78ba81928787c921c82ab7b483
Instruction Fuzzy Hash: 6EF0177450C240ABE201AF18D944A1EFBE5EB56B05F44882DE4C597352C236D824CB57

Function 004465E0 Relevance: 1.6, APIs: 1, Instructions: 83
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?), ref: 00446664

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 926548098259e2fc225cf87cbf0a07f1f6e13c9ac034861a62f1b3963b3f043d
Instruction ID: 4ce622b64cc50561786442e2ebd757d5a7624bf01a3c6420f0681057dbec3c93
Opcode Fuzzy Hash: 926548098259e2fc225cf87cbf0a07f1f6e13c9ac034861a62f1b3963b3f043d
Instruction Fuzzy Hash: 1A11917150C3409BE301EF18E945A1BBBF4AFA7705F06482DE4C88B252D339D855CB9B

Function 0043FEB4 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0043FF27

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: 7666628106c529591f1f5e3afe708d4da76fc42ea2ff82e84a032c975c6030cc
Instruction ID: b680452cd47ea37da18ca468b4a8a64252e73f50b88d38a01e5fc2ba32bb10fb
Opcode Fuzzy Hash: 7666628106c529591f1f5e3afe708d4da76fc42ea2ff82e84a032c975c6030cc
Instruction Fuzzy Hash: 6C0125B4009340AFD350AF19C884A1EBBF4BB86745F94191CF5C187262C736C800CB56

Function 00443DE0 Relevance: 1.5, APIs: 1, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 00443E53

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c51c400c6a17806a49d266ab07ccd44f8f0e899916b432d7c6c93a4536d318f1
Instruction ID: c100f27477890f830ed4a8073daf1caf7dd598550ae5831fd290d4e8889c83d3
Opcode Fuzzy Hash: c51c400c6a17806a49d266ab07ccd44f8f0e899916b432d7c6c93a4536d318f1
Instruction Fuzzy Hash: CAF03C34909241EBD701AF18E945A0EBBE5EF56B06F158C2DE4C49B261C239DC64CBAA

Function 00412741 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00412753

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 0fd84e9b0abed952948b9c466c94997de6424758d735d921afbc80e580ea9442
Instruction ID: 83d111bc3bc70ede426c60bba2770345b39cf5d9520777a48df2b96ea7225b85
Opcode Fuzzy Hash: 0fd84e9b0abed952948b9c466c94997de6424758d735d921afbc80e580ea9442
Instruction Fuzzy Hash: 78D092343C8308B6F5310B08AC07F043150A702F72F300320BB607C1E2A9E071008A1E

Function 0043FF57 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043FF69

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 429117a7711c5d14442ba2fc7f728203b6dd2cdbb3ef88974ca0573a8270a513
Instruction ID: ca03229ba23774359a5e69f291a59a647c7017d22c8ecebe3b1044b9bd56d594
Opcode Fuzzy Hash: 429117a7711c5d14442ba2fc7f728203b6dd2cdbb3ef88974ca0573a8270a513
Instruction Fuzzy Hash: 4AD04C743C4304B6F5310B15EC17F14B564B747F93F201024F3817C0E1CAE26261990D

Function 00412720 Relevance: 1.3, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00412731

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: d7c132b3537b4074cfdf77236402666fb27f09f7b04a84c89f500654c8a43961
Instruction ID: 9bd95aa07536b0cc277ef00696cfa68a088d1ec72ac19b7e2354f7cd3d18a01a
Opcode Fuzzy Hash: d7c132b3537b4074cfdf77236402666fb27f09f7b04a84c89f500654c8a43961
Instruction Fuzzy Hash: E4C08C30414208B7F210272EAC0AF43392CE3077B2F400330B9A0400D2AA506410D9FE

Non-executed Functions

Function 0042DB00 Relevance: 34.1, APIs: 2, Strings: 17, Instructions: 806COMMON

Download Yara Rule

Strings

R7MI, xrefs: 0042E5CE
qB, xrefs: 0042E96B
A3L5, xrefs: 0042E5C6
"B, xrefs: 0042E515
B, xrefs: 0042EBE8
Pt#m, xrefs: 0042E794, 0042E7A8
>C$E, xrefs: 0042E5E6
f[,], xrefs: 0042E5F6
4`[b, xrefs: 0042E490
PS, xrefs: 0042E606
?G?Y, xrefs: 0042E5EE
4`[b, xrefs: 0042EC60
)O?A, xrefs: 0042E5DE
B, xrefs: 0042E7DB, 0042EC80, 0042F00D
8_8Q, xrefs: 0042E5FE
P?[1, xrefs: 0042E633, 0042E63B
1K&M, xrefs: 0042E5D6

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: "B$)O?A$1K&M$4`[b$4`[b$8_8Q$>C$E$?G?Y$A3L5$P?[1$PS$Pt#m$R7MI$f[,]$qB$B$B
API String ID: 0-1033410975
Opcode ID: 4945f131cbcd63178f50a791d1600bd3529e92cfb1c3789f1156e4ce500b8d4d
Instruction ID: b527049b1f04bed8db2febbcc069cccee7980657cecff28908646a30116e1527
Opcode Fuzzy Hash: 4945f131cbcd63178f50a791d1600bd3529e92cfb1c3789f1156e4ce500b8d4d
Instruction Fuzzy Hash: 3C4210B1608305DFD314DF29E89062FBBE1FB9A305F44492DE5848B3A2E774D805CB9A

Function 00433240 Relevance: 20.3, APIs: 1, Strings: 10, Instructions: 1011COMMON

Download Yara Rule

Strings

-6, xrefs: 004333A5
(\QQ, xrefs: 00433314
C+N), xrefs: 00433F58
4_2], xrefs: 00433F8A
2.%1, xrefs: 00433413
GD, xrefs: 004332EE
?;2, xrefs: 00433445
iJIQ, xrefs: 004339F8
av%, xrefs: 0043326A
NREH, xrefs: 004337E3

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: av%$(\QQ$2.%1$4_2]$?;2$C+N)$GD$NREH$iJIQ$-6
API String ID: 0-2209209854
Opcode ID: 3dea97e05e88cb0162a67cab6b3455c4048c2d6602de325be8b757f4bce8188f
Instruction ID: 409dd95b141f07926cd205b7855d849f23a46d072771003b431955ec9f8a7ea4
Opcode Fuzzy Hash: 3dea97e05e88cb0162a67cab6b3455c4048c2d6602de325be8b757f4bce8188f
Instruction Fuzzy Hash: 41826970405B818ED7218F35C4907A3FBE0AF1B306F58695ED4EB9B282D739A605CF69

Function 0041FB39 Relevance: 17.4, Strings: 13, Instructions: 1195COMMON

Download Yara Rule

Strings

yw, xrefs: 0041FBC5
, xrefs: 0041FD80, 0041FE70, 0041FE37, 0041FD47, 0041FD56, 0041FE46
LTI, xrefs: 00420542
@A, xrefs: 00420DD6
$'&!, xrefs: 0042059A
qo, xrefs: 0041FBDB
A^_\, xrefs: 004202C5
TWVQ, xrefs: 004205C6
<E:G, xrefs: 00420DCB
Q=A?, xrefs: 00420DB5
URSP, xrefs: 004202E6
X[ZE, xrefs: 004205E7
L, xrefs: 00420608

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: $'&!$<E:G$@A$A^_\$L$LTI$Q=A?$TWVQ$URSP$X[ZE$qo$yw$
API String ID: 0-2229384479
Opcode ID: 3686f5bc4b348d2d26c09967f31526b0b7d09be7330fbf0dcdca5f559d9bc543
Instruction ID: ade82052f7034141f3486747ce71b63ff0a93d90754f62eeb3371bc372faa748
Opcode Fuzzy Hash: 3686f5bc4b348d2d26c09967f31526b0b7d09be7330fbf0dcdca5f559d9bc543
Instruction Fuzzy Hash: 1EA2ACB46083809FE730CF11D881BABBBE1EFC5344F54492EE5C98B252DB799845CB5A

Function 0042CEC0 Relevance: 12.9, Strings: 10, Instructions: 425COMMON

Download Yara Rule

Strings

X+\), xrefs: 0042D101, 0042D0D4, 0042D0DD, 0042D10B
$W U, xrefs: 0042CF5F
4`[b, xrefs: 0042D400
4`[b, xrefs: 0042D320
=O?M, xrefs: 0042CF8F
+[&Y, xrefs: 0042CF67
c/g-, xrefs: 0042CF4F
cS'Q, xrefs: 0042CF57
/.-,, xrefs: 0042D3C4, 0042D3CD
w1u, xrefs: 0042CF9F

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: w1u$$W U$+[&Y$/.-,$4`[b$4`[b$=O?M$X+\)$c/g-$cS'Q
API String ID: 0-1896435338
Opcode ID: f3b20549ed32967fa41e0b770e14c0a9f1733105eacce4aad3a787895fa9273f
Instruction ID: b05090eb9a83177901ea3704caff3b2f9a6eb8352bc78c1fc5c7ecac0665f33e
Opcode Fuzzy Hash: f3b20549ed32967fa41e0b770e14c0a9f1733105eacce4aad3a787895fa9273f
Instruction Fuzzy Hash: 7CE188B5608341DBE320DF24E881B2BBBF5FB86345F50482EF58487262D779E854CB1A

Function 00428FF0 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 460COMMON

Download Yara Rule

Strings

~F, xrefs: 0042946E
;{}, xrefs: 00429015
`8, xrefs: 0042945E
aq, xrefs: 00429466
qo, xrefs: 00429476
W'Y, xrefs: 004295BB

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ;{}$`8$aq$qo$~F$W'Y
API String ID: 0-4060129118
Opcode ID: bc58df64a225dbae0f541f826bf52a928db0aafb00a4db3f32ea25c37ab8fdb0
Instruction ID: 8b9829fc2b4919bb135ab6d18dd40f8c546e063c63e9033c8f6ca4485ea100bc
Opcode Fuzzy Hash: bc58df64a225dbae0f541f826bf52a928db0aafb00a4db3f32ea25c37ab8fdb0
Instruction Fuzzy Hash: 07023FB4208340ABD310DF55E980A2FBBF4EB96B49F40491DF4C99B252D339D905CBAB

Function 00422260 Relevance: 11.6, Strings: 9, Instructions: 387COMMON

Download Yara Rule

Strings

Q1:O, xrefs: 004222EB
xY9W, xrefs: 0042231B
de, xrefs: 00422343
\9b7, xrefs: 00422373, 0042237B
r&B, xrefs: 0042266C
G5M3, xrefs: 004222E3
9E0C, xrefs: 00422303
HI, xrefs: 00422517
/]([, xrefs: 00422313

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: /]([$9E0C$G5M3$HI$Q1:O$\9b7$de$r&B$xY9W
API String ID: 0-509952333
Opcode ID: eab2989d5c1ca6d9895e3b8815c2bec9bb0e9353bd6588a293385eb12087281d
Instruction ID: b20ecfa1218eb78e5202d0c738cbeec8428151f5f79ed63716bde37511c93a69
Opcode Fuzzy Hash: eab2989d5c1ca6d9895e3b8815c2bec9bb0e9353bd6588a293385eb12087281d
Instruction Fuzzy Hash: 5EA1A970108350ABC720EF18D891B2BB7F0EF91354F94894DE8D58B3A1E779D941CB6A

Function 00430810 Relevance: 10.7, Strings: 8, Instructions: 708COMMON

Download Yara Rule

Strings

4`[b, xrefs: 00430B50
4`[b, xrefs: 00430E80
SV, xrefs: 00430F87
uvw, xrefs: 00430995
`h] , xrefs: 00430F6F
VQgi, xrefs: 00430F5F
z, xrefs: 00430BA7
m1s3, xrefs: 004309C3, 004309CB

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 4`[b$4`[b$SV$VQgi$`h] $m1s3$z$uvw
API String ID: 0-1570870778
Opcode ID: 6940bd77cd7df20c8438f87061f6af86a247c2cf395d55d692572ee4ab0c75c3
Instruction ID: 660509b604085e1a0b105996a5aed58a7c6aa5aa991dfcfa3e2d42d2c1c515d0
Opcode Fuzzy Hash: 6940bd77cd7df20c8438f87061f6af86a247c2cf395d55d692572ee4ab0c75c3
Instruction Fuzzy Hash: 4F42DDB1508340DFD310EF25D991A2BBBE1AF8A309F144A6EF5C497352D379E904CB5A

Function 00434136 Relevance: 9.8, APIs: 1, Strings: 4, Instructions: 1039COMMON

Download Yara Rule

Strings

jXJ,, xrefs: 00434A1B
cos`, xrefs: 00434B1D
34t, xrefs: 00434D30
QYMA, xrefs: 00434173

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 34t$QYMA$cos`$jXJ,
API String ID: 0-3026627037
Opcode ID: f8b66ab7bb3bfb9fc8db50659caa218e70da8c2d83bc6d0a9692e9b00dccea9c
Instruction ID: cdedb0f16f626838ad45ab5571db02497c84d10fb9eeda8d87be13f06e05827c
Opcode Fuzzy Hash: f8b66ab7bb3bfb9fc8db50659caa218e70da8c2d83bc6d0a9692e9b00dccea9c
Instruction Fuzzy Hash: E482CB70504B808FD726CF35C4907A7BBE1AF4A304F58996ED5EA8B692CB39F505CB18

Function 00439D70 Relevance: 9.1, APIs: 6, Instructions: 119clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00439D94
GetWindowLongW.USER32 ref: 00439DC3
GetClipboardData.USER32 ref: 00439DD6
CloseClipboard.USER32 ref: 00439ED9

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: Clipboard$CloseDataLongOpenWindow
String ID:
API String ID: 1647500905-0
Opcode ID: bd733db51de7a274a1ea2e485793d498a05ca025b0381db77358d02ebdc330fd
Instruction ID: f8eb7662055ae418468e5478b484177f75bb97afe56f8083e02c4ac8d2d6a6c6
Opcode Fuzzy Hash: bd733db51de7a274a1ea2e485793d498a05ca025b0381db77358d02ebdc330fd
Instruction Fuzzy Hash: 7041C5749087818FD711AB7CC84A26EBFA0AF56320F048A6DE4E6873D1D2789855C7A7

Function 00434060 Relevance: 8.0, APIs: 1, Strings: 3, Instructions: 959COMMON

Download Yara Rule

Strings

cos`, xrefs: 00434B1D
jXJ,, xrefs: 00434A1B
34t, xrefs: 00434D30

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 34t$cos`$jXJ,
API String ID: 0-1477531880
Opcode ID: e6cf050e03f680f9534f78ef4aab8308371ff0f1078a72a46c214a2f3525f9ac
Instruction ID: 8753dea9b6e7294165946d73b9d4cbff6eac4e22efe94e5982482735d7dcf57e
Opcode Fuzzy Hash: e6cf050e03f680f9534f78ef4aab8308371ff0f1078a72a46c214a2f3525f9ac
Instruction Fuzzy Hash: A872CC70504B808FD7268F35C4907E3BBE1AF5A304F58986ED5EA8B692CB39F505CB58

Function 0040DA90 Relevance: 6.5, Strings: 5, Instructions: 268COMMON

Download Yara Rule

Strings

RTjb, xrefs: 0040DD6E
(_+X, xrefs: 0040DD7E
WX,3, xrefs: 0040DD86
ZS, xrefs: 0040DAF6
PPaR, xrefs: 0040DD76

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: (_+X$PPaR$RTjb$WX,3$ZS
API String ID: 0-863934208
Opcode ID: 3ddfa35f87954236f0c23a299fca66bb3b93060c60e7a05e05d5190dfb38f789
Instruction ID: d0cf81dbf9aa542438e21b9e093ff4536dfe669ed3218448f7505fd5c5da7706
Opcode Fuzzy Hash: 3ddfa35f87954236f0c23a299fca66bb3b93060c60e7a05e05d5190dfb38f789
Instruction Fuzzy Hash: EAA166B450C3808FD3218F5995A062BFBE1AF96745F54896EE4E49B382C379C809CB57

Function 004446C0 Relevance: 6.4, Strings: 5, Instructions: 195COMMON

Download Yara Rule

Strings

_ZTn, xrefs: 00444780
, xrefs: 004448C6, 004448A3, 004448AB
O[=F, xrefs: 00444778
0, xrefs: 00444826
S]^Z, xrefs: 00444770

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: 0$O[=F$S]^Z$_ZTn$
API String ID: 2994545307-2719754397
Opcode ID: 6025b61dd59e6360ea53f82e5307d2b81f0fce3acd2d188a90f594a6a7657a1a
Instruction ID: 313905893d1e1e7e0242f4a1edf30df717f4d78309ef6d6032eb1adb43791fd7
Opcode Fuzzy Hash: 6025b61dd59e6360ea53f82e5307d2b81f0fce3acd2d188a90f594a6a7657a1a
Instruction Fuzzy Hash: CC8114B8608340ABE714DF15D890B2BFBE5FB8A314F14481EF99587391C739E815CB96

Function 0041F552 Relevance: 5.4, Strings: 4, Instructions: 350COMMON

Download Yara Rule

Strings

nInO, xrefs: 0041F657, 0041F666
4`[b, xrefs: 0041FA40
4`[b, xrefs: 0041F980
, xrefs: 0041FA29, 0041F9E7, 0041F969, 0041F927, 0041F8A9, 0041F867, 0041F876, 0041F936, 0041F9F6

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: 4`[b$4`[b$nInO$
API String ID: 2994545307-1506492284
Opcode ID: 3065231b23380dae8df6ff952a9f52a90a3da71bd92ce920fb78ec851f738950
Instruction ID: 892bb54473547f6c3f17e525adf3228a4b55f96a76f350a56702ec2478476bef
Opcode Fuzzy Hash: 3065231b23380dae8df6ff952a9f52a90a3da71bd92ce920fb78ec851f738950
Instruction Fuzzy Hash: 1FC19AB45093809BE3349F10C861BEBB7F1BF89305F54092DE5CC9B291DB79A885CB5A

Function 0043A264 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0043A29A
GetSystemMetrics.USER32 ref: 0043A2A9

Strings

, xrefs: 0043A354

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: c21be9d2694e2b68cfdc32f4eb9cabf62df2482831049d53af685cbe19498bb9
Instruction ID: 03140c3d05d663704b6b564207b4e2a79db1268aa39735f2662102cdacc9f5c2
Opcode Fuzzy Hash: c21be9d2694e2b68cfdc32f4eb9cabf62df2482831049d53af685cbe19498bb9
Instruction Fuzzy Hash: 1E3191B49143008FDB00EF69E985A5EBBF4FB89314F11892DE498DB360D774A948CB96

Function 00444B60 Relevance: 4.3, Strings: 3, Instructions: 572COMMON

Download Yara Rule

Strings

, xrefs: 00445212, 004451E3, 00444E96, 00444F08, 00444E73, 00444DEF, 00444DC3, 00444DCB, 00444E7B, 00444F0C, 004451EB
f, xrefs: 00444D86
, xrefs: 00444BE6, 00444BC3, 00444BCB

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: f$$
API String ID: 0-2685584965
Opcode ID: e5fe15bc993402b79ae6fd0a8e8267b10b88acd63cba0fd7997ff48647d14ee1
Instruction ID: 85f8fbffd657e1a2c41f7e50236ae4f37192d85f09d5935e236d51d05d68cbad
Opcode Fuzzy Hash: e5fe15bc993402b79ae6fd0a8e8267b10b88acd63cba0fd7997ff48647d14ee1
Instruction Fuzzy Hash: 7D12AA716083418FE715CF28C890B2BBBE6BBC9314F194A2EF49597392D739E805CB56

Function 00422C90 Relevance: 4.3, Strings: 3, Instructions: 528COMMON

Download Yara Rule

Strings

hUVS, xrefs: 00423214, 0042321D
{jhk, xrefs: 004231DF
X, xrefs: 00422EE6

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: X$hUVS${jhk
API String ID: 0-1700130621
Opcode ID: 3f4bcb633678015ddfdabc249f28c4bdf0efc2fe8b785642f4c930266efd323e
Instruction ID: 062697985ec5d3873608a8fe0e6609fabf76f2f58c76c371f68d1c8877fce24f
Opcode Fuzzy Hash: 3f4bcb633678015ddfdabc249f28c4bdf0efc2fe8b785642f4c930266efd323e
Instruction Fuzzy Hash: 4202ADB5608350ABD300DF21E981A1FBBE5AFC5708F54882EF98897242D339ED059B5B

Function 00403710 Relevance: 4.2, Strings: 3, Instructions: 439COMMON

Download Yara Rule

Strings

|, xrefs: 004039C2
NaN, xrefs: 0040376E
Inf, xrefs: 00403767

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: Inf$NaN$|
API String ID: 0-2466523057
Opcode ID: 0a4d66ac5d9a30818153c283b2145e03d9f631e7b0f4f484d42089034e9cbd65
Instruction ID: 8dff6c7b172047a2ae6ef76387c72cebf5739e0883bf045c6ae33580d9919b23
Opcode Fuzzy Hash: 0a4d66ac5d9a30818153c283b2145e03d9f631e7b0f4f484d42089034e9cbd65
Instruction Fuzzy Hash: A4E1C372B143019BC704DF28C88061BBBE5EBC4755F248A3EE895E73E5E675ED018B86

Function 00408750 Relevance: 4.1, Strings: 3, Instructions: 393COMMON

Download Yara Rule

Strings

IEND, xrefs: 00408BB0
), xrefs: 004087D6
), xrefs: 004087CC

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: )$)$IEND
API String ID: 0-588110143
Opcode ID: df4f626cf024e61cea9d74bb21ad584babb789d8ef152633e427089c5937cec4
Instruction ID: e201d24cd4307b6ffba764ff5e07ee633e22e8df84828d647ac8a2efaddb935f
Opcode Fuzzy Hash: df4f626cf024e61cea9d74bb21ad584babb789d8ef152633e427089c5937cec4
Instruction Fuzzy Hash: DEE1E0B1A087019BD310DF28D88175ABBE0BB84314F144A3EE9D9A73C1D779E915CBDA

Function 0040DE20 Relevance: 4.1, Strings: 3, Instructions: 335COMMON

Download Yara Rule

Strings

w`}b, xrefs: 0040DFB4
opgt, xrefs: 0040DFAC
E22B8C8B971D605C894122DFD90F982E, xrefs: 0040DEDC

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: E22B8C8B971D605C894122DFD90F982E$opgt$w`}b
API String ID: 0-2628914241
Opcode ID: 298a5cd36f6d69d185647e169501a24c557c346b6e4923422ba8e26d7c29c9b9
Instruction ID: 56c1f4487eaec788286ed6761f49cb54518eada9de256ec486ddf6324bf4e2db
Opcode Fuzzy Hash: 298a5cd36f6d69d185647e169501a24c557c346b6e4923422ba8e26d7c29c9b9
Instruction Fuzzy Hash: F0C134B05083809BD311EF56D480A2FBBE4EB96748F104D2DE1D49B392C779D918CBAB

Function 00414D8D Relevance: 4.1, Strings: 3, Instructions: 313COMMON

Download Yara Rule

Strings

*, xrefs: 00414F0B
oQA, xrefs: 00415169
H9, xrefs: 00414D8D

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: *$H9$oQA
API String ID: 0-3086764009
Opcode ID: f7f7aabd342a089234bc4a55029cea29a7f16f20146576aa267cd8d08a302688
Instruction ID: e32ca05ba96c9175d4cce646fd607f1986eb62935b15cfcc67354a17a0a27be4
Opcode Fuzzy Hash: f7f7aabd342a089234bc4a55029cea29a7f16f20146576aa267cd8d08a302688
Instruction Fuzzy Hash: EDB138B05083809BD315EB94D880BAFFBF8AF96305F14092EE5C497252E379D854CB6B

Function 00440580 Relevance: 3.9, Strings: 3, Instructions: 180COMMON

Download Yara Rule

Strings

/.-,, xrefs: 00440693, 0044069B
/.-,, xrefs: 004405E3, 004405EB
4`[b, xrefs: 004406D0

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: /.-,$/.-,$4`[b
API String ID: 0-3655442430
Opcode ID: f06a106d91e2cc7800fd747d151223e1fb3d4f498dee8cabf8de532cc40f2a63
Instruction ID: c748d1ae17558c148dad3250e2def7c23df5c0511277cb16bede94740d35a379
Opcode Fuzzy Hash: f06a106d91e2cc7800fd747d151223e1fb3d4f498dee8cabf8de532cc40f2a63
Instruction Fuzzy Hash: 0C51A1716083009BE714DF25E851B2FB7E5EF95346F01082DF2C197252D73AE921CBAA

Function 00422063 Relevance: 3.9, Strings: 3, Instructions: 162COMMON

Download Yara Rule

Strings

jABC, xrefs: 004221E3, 004221EB
TU, xrefs: 00422100
-"B, xrefs: 00422227

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: -"B$TU$jABC
API String ID: 0-1472133093
Opcode ID: cb7b2110b44033b6b4bcad9678ed1a0df7346a6f9ae8281a6a8eca307ae42e4e
Instruction ID: cc864d50663ff5025ed46511f35f12994df011000135a368941414507477666c
Opcode Fuzzy Hash: cb7b2110b44033b6b4bcad9678ed1a0df7346a6f9ae8281a6a8eca307ae42e4e
Instruction Fuzzy Hash: 644198B0608354ABC700EF14E991B2BBBF1EF91740F44880DE9C58B351E3B9DA14CB5A

Function 0041325D Relevance: 3.9, Strings: 3, Instructions: 132COMMON

Download Yara Rule

Strings

F'W9, xrefs: 004132CD
", xrefs: 00413437
D, xrefs: 004134B6

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: "$D$F'W9
API String ID: 0-1820947052
Opcode ID: 797442a6e9bbd140379a47495c6fb2942faa59ad89277d1c5fcaaa84544cecf2
Instruction ID: f32d58d7e18b96630162a080e2e64c46b825db4d7c3546f9c88ca46c941da017
Opcode Fuzzy Hash: 797442a6e9bbd140379a47495c6fb2942faa59ad89277d1c5fcaaa84544cecf2
Instruction Fuzzy Hash: 0D51EBB40183809FE7608F11C5957AFBBF0BF92B08F50890DE4D85A290D7BA9548CF8A

Function 00425320 Relevance: 3.8, Strings: 3, Instructions: 99COMMON

Download Yara Rule

Strings

KM, xrefs: 0042536D
0TB, xrefs: 0042542A
LO, xrefs: 00425375

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 0TB$LO$KM
API String ID: 0-2473149073
Opcode ID: d6257bed21c9ff048528a7f7718e21e47e460f5a5a5fddf4b638dc6589350f62
Instruction ID: 5af698da3240ce5cf2f13bd734f54302c2ab68d98fd4413b216b81fbb1d13a70
Opcode Fuzzy Hash: d6257bed21c9ff048528a7f7718e21e47e460f5a5a5fddf4b638dc6589350f62
Instruction Fuzzy Hash: CA21BFB45096209BC310EB18D841A2BB7F4EF92799F95590DE4C587391E378D900CBAB

Function 0044A920 Relevance: 3.8, Strings: 3, Instructions: 84COMMON

Download Yara Rule

Strings

\9X7, xrefs: 0044A923
;:54, xrefs: 0044A9B3, 0044A9BB
@, xrefs: 0044A970

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: ;:54$@$\9X7
API String ID: 2994545307-443102510
Opcode ID: 6ac5ba2a3848dfd158dfdc445177851b6ea7e7ab2008ca005f77dba1e41b31d4
Instruction ID: 61df063a2357247074fa9386486a3e1957a8e93e6842f5f367d6fb2425e9dc59
Opcode Fuzzy Hash: 6ac5ba2a3848dfd158dfdc445177851b6ea7e7ab2008ca005f77dba1e41b31d4
Instruction Fuzzy Hash: DB3166B15083009BE310DF14D980A2BFBF9FF8A318F14892DE58497251E339D914CBAB

Function 00449580 Relevance: 3.2, Strings: 2, Instructions: 713COMMON

Download Yara Rule

Strings

0$, xrefs: 00449AD3, 00449ADB
T'&!, xrefs: 004495B3, 004495BB

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 0$$T'&!
API String ID: 0-2300784948
Opcode ID: e2b057cc033b0edc3fe4232f2a3896a439a452f1bee7fab9dc5139b2cf461f2c
Instruction ID: f16a53d80bf270c7979ba3a4e2a3b4766dddc8c5520dd8645b6b3131129592cf
Opcode Fuzzy Hash: e2b057cc033b0edc3fe4232f2a3896a439a452f1bee7fab9dc5139b2cf461f2c
Instruction Fuzzy Hash: 3032893460C340CFD704DF28E990A1AB7E1FF8A31AF19886DE5858B362D335E954DB4A

Function 004354A6 Relevance: 2.9, Strings: 2, Instructions: 353COMMON

Download Yara Rule

Strings

[^"Y, xrefs: 004355CB
U.Da, xrefs: 004356B5

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: U.Da$[^"Y
API String ID: 0-3132506315
Opcode ID: 9b75ece036759378195a9bf4f53f2f48e10b4deee5bf70fda4db311eb22fbf02
Instruction ID: ac9ac3933775d2256496bc8287258fa8106305a43dadf0415ea25cee06398cb6
Opcode Fuzzy Hash: 9b75ece036759378195a9bf4f53f2f48e10b4deee5bf70fda4db311eb22fbf02
Instruction Fuzzy Hash: B8E16B70404F808ED7328F35C4907E3BBE1AF1A304F84995ED5EA8B692D739E505DB65

Function 00422673 Relevance: 2.7, Strings: 2, Instructions: 245COMMON

Download Yara Rule

Strings

O1NO, xrefs: 00422816
")B, xrefs: 00422919

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ")B$O1NO
API String ID: 0-2629967336
Opcode ID: e6cf0548333ae4fcf02a1c70276e66e1be1c026a10561864c89da198f9c4aa89
Instruction ID: 357e7906652d570bd0c3cf92acab623ec5306bc9f16e6ff154a734f56acea3a8
Opcode Fuzzy Hash: e6cf0548333ae4fcf02a1c70276e66e1be1c026a10561864c89da198f9c4aa89
Instruction Fuzzy Hash: 5C6177B46083909BC300AF19E891A2BBBF0EF92755F84491DF4C49B361E379D911CB5B

Function 0042268A Relevance: 2.7, Strings: 2, Instructions: 241COMMON

Download Yara Rule

Strings

O1NO, xrefs: 00422816
")B, xrefs: 00422919

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ")B$O1NO
API String ID: 0-2629967336
Opcode ID: 142dfccd39e8424dc339e935302cb7a54e8df3c4f5416460b5bcfe13e7502297
Instruction ID: d5ac74756f149cbb4a96c6fcf04656c1624da6386313232f50d9fcc619c8e41f
Opcode Fuzzy Hash: 142dfccd39e8424dc339e935302cb7a54e8df3c4f5416460b5bcfe13e7502297
Instruction Fuzzy Hash: 896176B46083A0ABC300AF19E891A2BBBF0EF92755F44495DF4C49B361E379D911CB5B

Function 004492C0 Relevance: 2.1, Strings: 1, Instructions: 866COMMON

Download Yara Rule

Strings

0$, xrefs: 00449AD3, 00449ADB

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 0$
API String ID: 0-900979605
Opcode ID: 4b5fb86ab7783634e8426eb6a5beccb753f17b6567c103218c73c1187726e3c9
Instruction ID: 6e0865e907425cf75320b74792bf90df407925e1fa0e5ab0e50ac8bca2d6273f
Opcode Fuzzy Hash: 4b5fb86ab7783634e8426eb6a5beccb753f17b6567c103218c73c1187726e3c9
Instruction Fuzzy Hash: C0529B75608340CFD704DF28E89061BB7E1FB8A31AF19886EE5C58B352D335E950DB5A

Function 00449410 Relevance: 2.1, Strings: 1, Instructions: 801COMMON

Download Yara Rule

Strings

0$, xrefs: 00449AD3, 00449ADB

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 0$
API String ID: 0-900979605
Opcode ID: 49a94e6cb11d6aa5231ce31b2a3b0ae13bf27557489387570f618a1cede55622
Instruction ID: 9c79c92c8d55ea1f9b77809b46a9c6bc11abe925a532a833b99ee4f9aaeb858c
Opcode Fuzzy Hash: 49a94e6cb11d6aa5231ce31b2a3b0ae13bf27557489387570f618a1cede55622
Instruction Fuzzy Hash: 3F427A3560C340CFD704DF28E990A1AB7E1EB8A31AF19886DE5C58B362D335E950DB5A

Function 00449690 Relevance: 1.9, Strings: 1, Instructions: 670COMMON

Download Yara Rule

Strings

0$, xrefs: 00449AD3, 00449ADB

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 0$
API String ID: 0-900979605
Opcode ID: 6a9e394f2ce95cb9a7996a26e795fe10874b16fb4776584fafaa184a522fdb30
Instruction ID: a78a7c277879c736897cf7ac7ecc7938aeebc78e1496ca281fcf500cbbfe4cdb
Opcode Fuzzy Hash: 6a9e394f2ce95cb9a7996a26e795fe10874b16fb4776584fafaa184a522fdb30
Instruction Fuzzy Hash: 9422893460C340CFD704EF28E890A1BB7E1EB8A31AF09886DE5C58B352D335E950DB5A

Function 00449780 Relevance: 1.9, Strings: 1, Instructions: 670COMMON

Download Yara Rule

Strings

0$, xrefs: 00449AD3, 00449ADB

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 0$
API String ID: 0-900979605
Opcode ID: 7135110f5d930902eccf3a44a32dc23a60941ee016691cfe26a7abae5c701e14
Instruction ID: cca9a259955e133b43c0d4e571be30f1d12aba5fe8632a6eced6d828887752d6
Opcode Fuzzy Hash: 7135110f5d930902eccf3a44a32dc23a60941ee016691cfe26a7abae5c701e14
Instruction Fuzzy Hash: 8C228774608340DFD704EF28D99062BBBE1EF8A316F09886EE5C58B352D335E950DB5A

Function 004276A0 Relevance: 1.7, APIs: 1, Instructions: 242comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0044DB80,00000000,00000001,0044DB70), ref: 004276C9

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 735f4f0e8ea5cc4430647eb07c1c43c3b0f65900f5abb12b3a6264a1ad4a35d4
Instruction ID: 661dc55ae77cfbde4c0051d48ed309cc2d55411694cdcf6b49fd2dde045b32f1
Opcode Fuzzy Hash: 735f4f0e8ea5cc4430647eb07c1c43c3b0f65900f5abb12b3a6264a1ad4a35d4
Instruction Fuzzy Hash: 6851FFB07083209BDB20AB24EC96B7733B4EF81358F544959F9858B390E378E801C76A

Function 00449A40 Relevance: 1.7, Strings: 1, Instructions: 458COMMON

Download Yara Rule

Strings

0$, xrefs: 00449AD3, 00449ADB

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 0$
API String ID: 0-900979605
Opcode ID: af47a18e417ca44032f7ecccd916510462ab16a59ee48c76b0e9b599ab7f98b5
Instruction ID: 881c954678f8796fe656ae0d28e990270fa6eae4fcec6e348efbb8980500b22d
Opcode Fuzzy Hash: af47a18e417ca44032f7ecccd916510462ab16a59ee48c76b0e9b599ab7f98b5
Instruction Fuzzy Hash: A4E1793460C340DFD704EF28E99061BBBF1EB8A316F19886DE5C68B252D339E950DB56

Function 00427900 Relevance: 1.7, Strings: 1, Instructions: 418COMMON

Download Yara Rule

Strings

4`[b, xrefs: 00427D40

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: 175d8a288f5888c5a2cb581ced43757a7e2644ab78572fc4fafd738db361e8ea
Instruction ID: 6bd0c6b0c3419b93c5c7550c24bf3f6632f543d7fe83940d4e1721b018c3d69e
Opcode Fuzzy Hash: 175d8a288f5888c5a2cb581ced43757a7e2644ab78572fc4fafd738db361e8ea
Instruction Fuzzy Hash: B6C1D1B160C3109BD711AB25E841A2BB7F4EF96364F88481EF8C597351E339E940CB6A

Function 00431ED0 Relevance: 1.7, Strings: 1, Instructions: 414COMMON

Download Yara Rule

Strings

", xrefs: 004321D8

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: ff99a7c9b470f766bfbe338ba90c26ed05b46c28c8c0b3cdbf304a5dfe3f06da
Instruction ID: 42062e19262baeacce261b2f88b05e1f475a0e7cfe5b4b7249c66d792c028547
Opcode Fuzzy Hash: ff99a7c9b470f766bfbe338ba90c26ed05b46c28c8c0b3cdbf304a5dfe3f06da
Instruction Fuzzy Hash: 35D147B2A043009FD714CE25C98076BB7E5AF89310F189A2FE99587391E7BCDD49C786

Function 00448C40 Relevance: 1.7, Strings: 1, Instructions: 412COMMON

Download Yara Rule

Strings

P, xrefs: 00448DE6

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: 42475a6d9d4a1a8bfd98537bfd63c011a62fd918712275191ea96adf7ca5917d
Instruction ID: 34688efd5666104c9592188b828e154dc221ee294a09268e027c054d00bcd7fc
Opcode Fuzzy Hash: 42475a6d9d4a1a8bfd98537bfd63c011a62fd918712275191ea96adf7ca5917d
Instruction Fuzzy Hash: 9BD1F4329082644FE719CA18C45072FB6E2EBC5318F15863DE8B9AB390DB79DC06D7C6

Function 0042F700 Relevance: 1.6, Strings: 1, Instructions: 389COMMON

Download Yara Rule

Strings

0{y, xrefs: 0042F924, 0042F92D

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 0{y
API String ID: 0-51807998
Opcode ID: 20fa1c9257911a36ca36470c2e7e1c22bb6fb13c29c85412142eef28ecb33bfe
Instruction ID: c4731e0e9eccddd579ce74b767209ac34a9a962a8e632d51c6645eda6d2b33b1
Opcode Fuzzy Hash: 20fa1c9257911a36ca36470c2e7e1c22bb6fb13c29c85412142eef28ecb33bfe
Instruction Fuzzy Hash: ECE124745083918AD724DF18E950B1FBBF1BB86708F90092DE9C89B391D735D909CBAB

Function 00448390 Relevance: 1.5, Strings: 1, Instructions: 288COMMON

Download Yara Rule

Strings

4`[b, xrefs: 004485B0

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: 4`[b
API String ID: 2994545307-3962175265
Opcode ID: eedfc26b24bc0fe6557ceb04a84a399e725fa3b42207ef816896f37233c85be1
Instruction ID: 131acc8278a68d64eeb6898d39fc8dfeddf15283686ebe1cb7cefac48c2ffecb
Opcode Fuzzy Hash: eedfc26b24bc0fe6557ceb04a84a399e725fa3b42207ef816896f37233c85be1
Instruction Fuzzy Hash: 3CA1BF71608341ABF720DF14C850BAFBBE5EB85355F54482EF98497391EB34E940CB9A

Function 00429EE0 Relevance: 1.5, Strings: 1, Instructions: 273COMMON

Download Yara Rule

Strings

4, xrefs: 00429F53

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-350161683
Opcode ID: 198d44f7afc769c1b3122b401b871429bf2e966949c3172fdbe8aea22ff48e24
Instruction ID: e4fc10516fa2316bf4a5599780e9b805dc78d69fb17dffabfdebbfb6507c3884
Opcode Fuzzy Hash: 198d44f7afc769c1b3122b401b871429bf2e966949c3172fdbe8aea22ff48e24
Instruction Fuzzy Hash: 42A1F071608312CBC320DF28D48096BB3F2FF88741F968D2DE4C687260EB39A955DB56

Function 00421DC0 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

a B, xrefs: 0042205B

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: a B
API String ID: 0-3137502235
Opcode ID: 3a791a4865b2b10de04ca526748692eef6ba2820f3cd87d1b616ded78406b9dc
Instruction ID: 6791246eca1351c5328d7902d9057258b1aec060df4b542f970ff6e8af0f9a69
Opcode Fuzzy Hash: 3a791a4865b2b10de04ca526748692eef6ba2820f3cd87d1b616ded78406b9dc
Instruction Fuzzy Hash: DF5168B06083508BC714DF14D581A2BB7F0FFA6358F448A0EE8D59B3A1E339D944CB9A

Function 00445580 Relevance: 1.4, Strings: 1, Instructions: 198COMMON

Download Yara Rule

Strings

, xrefs: 004455D6, 0044575F, 00445733, 004455B3, 004455BB, 0044573B

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3019521637
Opcode ID: 7a42694725f0e8f604c61eb579e0ffb5b06b52798249ef1ea9602468f7b0b423
Instruction ID: 99bd972ddb00d8c0accb3e56e9343d025c11d7df58ce895e5b891d06f5205592
Opcode Fuzzy Hash: 7a42694725f0e8f604c61eb579e0ffb5b06b52798249ef1ea9602468f7b0b423
Instruction Fuzzy Hash: 0D61E2356087019BFB10DF24C880B3BBBE6EB85314F55892EE48987362D639EC11CB1A

Function 00448190 Relevance: 1.4, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

4`[b, xrefs: 00448350

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: 96d8d896c6325d1ecc715d8eec931c372c915e865b1d35b4a9b399d7417457fe
Instruction ID: f2be005d942e4e2615dd207fd9a3b45408ac578641062338537af6c7fa4a3d29
Opcode Fuzzy Hash: 96d8d896c6325d1ecc715d8eec931c372c915e865b1d35b4a9b399d7417457fe
Instruction Fuzzy Hash: 7A5125316087049BE7149F19C890B2FB7E5FF85715F188A2DE8D957391CA3AEC01C79A

Function 00444480 Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

, xrefs: 004445D6, 004445B3, 00444556, 00444533, 0044453B, 004445BB

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3019521637
Opcode ID: c3984b0afdbe81277c892565e6284a68daa2c00bdff0285ab262ff4f6266c121
Instruction ID: ae879fc850b573c7fcc27bce8fc0229c99342f9cf9ea990149d60e095a57cdc4
Opcode Fuzzy Hash: c3984b0afdbe81277c892565e6284a68daa2c00bdff0285ab262ff4f6266c121
Instruction Fuzzy Hash: 9241B035608240ABEB24DF14D980B2BBBE6EFC6705F19482EE5C587311D739EC51CB2A

Function 0044A610 Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

;:54, xrefs: 0044A644, 0044A64D

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ;:54
API String ID: 0-2887251705
Opcode ID: 5631d567d11453a6109dcff4ad7cc3bee237fea7f6fd986a06632eafa227ce3b
Instruction ID: 882643b4eb6ca10f8686816ed560115293d3e2a899ffd47342a0d4b0e7199bb1
Opcode Fuzzy Hash: 5631d567d11453a6109dcff4ad7cc3bee237fea7f6fd986a06632eafa227ce3b
Instruction Fuzzy Hash: 14418074248300ABE7249F15D990B2FB7B6EB85715F18882EF5C587252D339EC21CB6B

Function 00444960 Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

, xrefs: 00444A76, 00444A53, 00444A5B

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3019521637
Opcode ID: 14c545dee9ca3b9773ca046853ccc447e70483d1340eecc98b931c74cbf1d43a
Instruction ID: 274f3e1b3b6f42031ba6c240eb81a6913b2c0584eb231ee528a0b8831dbf2603
Opcode Fuzzy Hash: 14c545dee9ca3b9773ca046853ccc447e70483d1340eecc98b931c74cbf1d43a
Instruction Fuzzy Hash: 5341D275604204ABEB20DF64EC41B6BBBA5EFC5705F04482EE88593351D339DC10EB6A

Function 0044A7A0 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

;:54, xrefs: 0044A7D4, 0044A7DD

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ;:54
API String ID: 0-2887251705
Opcode ID: 031c22b133dd9dba0ebc7900e4cb744e3d4209b3f1ea91417fb3c36fded8ae43
Instruction ID: 78e3c2dc7897cdc557890b703a0409e606c332cfa71594da55bc866c29a599f7
Opcode Fuzzy Hash: 031c22b133dd9dba0ebc7900e4cb744e3d4209b3f1ea91417fb3c36fded8ae43
Instruction Fuzzy Hash: FE419D74648300ABE714AF14D890B2FB7F6EB85715F24882EF58997291C339E821CB5B

Function 00420729 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

, xrefs: 004207BD, 00420777, 00420786

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3019521637
Opcode ID: 32387dd3542a485ec372521255e0c86dbce74193274f2aceababfaa4507e62a6
Instruction ID: 0e37ae3c7cdb39b94d4783fab9bf39235a70f96b3866e444776f1420009e3a49
Opcode Fuzzy Hash: 32387dd3542a485ec372521255e0c86dbce74193274f2aceababfaa4507e62a6
Instruction Fuzzy Hash: 7E218E356093419FD770CF10E890AABB3A3EBC5302F954A6DE08897252DB35F891CF86

Function 0042A1F0 Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0042A250

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: 71637f2b961aae30c1abcf79f9556ccac77976f21aa7df97791045416a8145e8
Instruction ID: 900762551a009ee9e5bc5032e1dc8f56701680aef49dcc048cf94ae26ce606f7
Opcode Fuzzy Hash: 71637f2b961aae30c1abcf79f9556ccac77976f21aa7df97791045416a8145e8
Instruction Fuzzy Hash: 7F116731618352CFD704DF60E89092BB7B2FB86302F844C6CE89193252C336E956CB2A

Function 00430399 Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

4`[b, xrefs: 00430400

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: 36c81f32d7e8e98c2885f55244e5b12d3ca4cf1e43c1a724e488aea8086b4d45
Instruction ID: 0fede4bbd285df6194be11d0089554e364ca0ed6f48cce0ee28e8a9528bdc190
Opcode Fuzzy Hash: 36c81f32d7e8e98c2885f55244e5b12d3ca4cf1e43c1a724e488aea8086b4d45
Instruction Fuzzy Hash: 5A115A726083429BD704DF15E9A042BF7F6EB9A706F54692EE580E3212D335EC508B6A

Function 0040A3F0 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cdc42eeb92d643ba025e61c60c6b6b2c152b78bc3bcec359127e9f0bc94d57e
Instruction ID: 58a25341c55a3b80564a6f3fd460fa8bad488cfbb2019d67dcfb717cc5f8fa03
Opcode Fuzzy Hash: 3cdc42eeb92d643ba025e61c60c6b6b2c152b78bc3bcec359127e9f0bc94d57e
Instruction Fuzzy Hash: 68F1E0366083418FC724DF29C88176BFBE2AFD9304F08892EE4C587791E679E855CB56

Function 004407E0 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44507f9f604c2c1d37b6d5e06ed740d9bbacf44789427aedc9e6beee1ee453db
Instruction ID: 1f599e4a3158c74960d010f2bc0623c05adc229359004241147c85c12db3a7a7
Opcode Fuzzy Hash: 44507f9f604c2c1d37b6d5e06ed740d9bbacf44789427aedc9e6beee1ee453db
Instruction Fuzzy Hash: B151677160C7944FE724DA28C4906BBF7E2EBCA304F05891EE5D68B386D239ED11C786

Function 0041DD55 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3392f45c507c747f5b1d8c00030def1c78b4c31358d16bacb3bc8ef3b41f33c
Instruction ID: c3eb6362ce0c75d13d700f485dc85ea6da2151878511bd4321f44dde0745d3df
Opcode Fuzzy Hash: d3392f45c507c747f5b1d8c00030def1c78b4c31358d16bacb3bc8ef3b41f33c
Instruction Fuzzy Hash: 4241FFB0D007118BDB24DF18D892BB773B1EF66365F098209E8469B3D1F738A580C3A9

Function 0042FAA0 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87f59a72204999f12b57d7a6d56c558054d4f9ffdf3d7360ab34c8f025ffc8da
Instruction ID: 834d04fe016ef7ba85265e29078afe447fec19cf065d57abbf3f5259a11ec16b
Opcode Fuzzy Hash: 87f59a72204999f12b57d7a6d56c558054d4f9ffdf3d7360ab34c8f025ffc8da
Instruction Fuzzy Hash: 9C51A975A083418BD7209F14E81076BB7F0BF86344F94482EE9C897391EB399959CB9B

Function 00405C20 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 129904f85c307e3588cd884dafb5844055e48e4276fee2c0a2a473afeaa7381d
Instruction ID: 800948cd5643afb1633654617254b82d61c8276f70e6524d9fc1444306718457
Opcode Fuzzy Hash: 129904f85c307e3588cd884dafb5844055e48e4276fee2c0a2a473afeaa7381d
Instruction Fuzzy Hash: 8A51BFB5A087009FD7149F14C480927B7A1FF85324F19467EE899AB392D634ED82CFDA

Function 004296C0 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 219e0ba5dac7627202dd42f0dd9fdee3cf7fd7e203a04a3204457abd9438207f
Instruction ID: 0925ad793c1136a2802a404586ed31f0ee07a2f5848fa9ad6f03dcbcf2e6d2b7
Opcode Fuzzy Hash: 219e0ba5dac7627202dd42f0dd9fdee3cf7fd7e203a04a3204457abd9438207f
Instruction Fuzzy Hash: 1A511FB451C384AFD200EF15E980A1EBBF8AB96748F848A0DF0D55B251D379D904CFA7

Function 0041518E Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c702810b4918d153a208cc470cd7352f5762b9d1db81313dbb29e59251792305
Instruction ID: 52a620e33f2925f96ab70c1619b5e5c7130e5b592a62fa1a6b5a43710b3232e2
Opcode Fuzzy Hash: c702810b4918d153a208cc470cd7352f5762b9d1db81313dbb29e59251792305
Instruction Fuzzy Hash: F53168B4508341DFD300EF21E855B5FB7F8EF86305F04482EF98186292E339D4098B2A

Function 00404B60 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 608b37dfba14305b93db33815757c93df7d2eb92e9354bda027161d552915dbc
Instruction ID: b276c89fb37e417b112e9a1432116ee7dab3cda9556e7031b28351ec34740547
Opcode Fuzzy Hash: 608b37dfba14305b93db33815757c93df7d2eb92e9354bda027161d552915dbc
Instruction Fuzzy Hash: A531D7756182009BD7109E19D8C0B27B7F1EFC4318F14497EE999AB381D239ED42CB8A

Function 0043BBB0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: f3d13c4f77b678f3f5ad4c70681dfe8afdb1ce760f55218f4420d384e65a605f
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 89112C336082D80EC3218D3C8440665BF934A97234F59539EF4B89B2D6DB2ACD8B8399

Function 00431720 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 689434a6e26603a0695f01cf84fccc129b07ef7bb0e5c58eae2955e3fe6ef262
Instruction ID: 809c4b8c5f4d90910c120ffc8bea963b43a288cc7962883a6e400ac8cb8d82d8
Opcode Fuzzy Hash: 689434a6e26603a0695f01cf84fccc129b07ef7bb0e5c58eae2955e3fe6ef262
Instruction Fuzzy Hash: 8201B1F570030187E720AF11E4C272BB2B8AF88748F0C153EE80957346DB79EC0586A9

Function 0044716D Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5d12d1adf075babf471c10f2bc2ad8607f47991889b014188b00980cf6b31f3
Instruction ID: 228517455a837c86bd3de3dc643e4236668c8363ac2aa5d5ed890d384a3c7814
Opcode Fuzzy Hash: b5d12d1adf075babf471c10f2bc2ad8607f47991889b014188b00980cf6b31f3
Instruction Fuzzy Hash: 9E11AF7550C3408BE200DF64D69091EBBF6ABAAA45F200C2DF68187712C33ADC46CB9A

Function 00420F8A Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87d617ffe7d5c95ea20ab83b84e9b735c0169c4a1dce0e854e5ea2c9dadd475d
Instruction ID: e0267410d78486dba0c77835f341638f85eeac581fc42256d1c37bbad7741185
Opcode Fuzzy Hash: 87d617ffe7d5c95ea20ab83b84e9b735c0169c4a1dce0e854e5ea2c9dadd475d
Instruction Fuzzy Hash: 5B21F475A083909FD771CF549840BEFBBF1AB8A305F850A2DE8D957251CB329981CB86

Function 00407070 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b1fb4f72ceadc0dfbd97c0dbf4fc3d104c1246a9a268a6091118f86cb1cae9b
Instruction ID: 0881e27a7d94786878d36033187f5f8f48ccf74c1cb2524e580698b1175071d2
Opcode Fuzzy Hash: 8b1fb4f72ceadc0dfbd97c0dbf4fc3d104c1246a9a268a6091118f86cb1cae9b
Instruction Fuzzy Hash: A0F0F63BB6931A07D710CD79ECC0A67B396D7C5245B1D413DE940D3341D47AFC0992A9

Function 00413B7C Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4d8a037c957590e93bdc69d912da8838a2c4143d311182997f493f8a113886
Instruction ID: 3824444f2fea6a38aa224781555283573b27659997e86fc043f4af1527c16adb
Opcode Fuzzy Hash: 0b4d8a037c957590e93bdc69d912da8838a2c4143d311182997f493f8a113886
Instruction Fuzzy Hash: E7F0697090C3808BD305EB95D855E2EFBF8EF96305F44086DE1C097252E379EA188B6B

Function 0041B330 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52042383ae9116ef5cef2de8b578cd95b58dcf8ae2945c0acd97e50c34331e2f
Instruction ID: b90808f0e45e1e089d553ff27c91ba6f2e0ad3c2caebfdd83e04d91715e99d22
Opcode Fuzzy Hash: 52042383ae9116ef5cef2de8b578cd95b58dcf8ae2945c0acd97e50c34331e2f
Instruction Fuzzy Hash: 2AF0ECB160415497DB2289559CC0FB7FB9CCB8B354F190416EC9557202D2655894C3E9

Function 0044711B Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eae4b3d176fe3d9e6cfb88a54c04a35cb48f5a0a8002072fee7359236cb8bd63
Instruction ID: 47a14b461e903dbeb014341540f750bbb98732ec7d8519a36154f73ef99dc437
Opcode Fuzzy Hash: eae4b3d176fe3d9e6cfb88a54c04a35cb48f5a0a8002072fee7359236cb8bd63
Instruction Fuzzy Hash: 14F0927491C3408BE204DF64D69091EFBF2AB9BA05F500C6DF68593312C326DC45CB9A

Function 00441D40 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction ID: ede5682b8c28294e075f40f1dacc9e23737c0304b007f35a3b59bcb766d625e6
Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction Fuzzy Hash: 5FD0A7B1A0832146AB748E19E400977F7F0EAC7B11F49955FF586E3268D334EC81C2AD

Function 00436D22 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 83COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00436D2B
VariantInit.OLEAUT32 ref: 00436D37

Strings

!, xrefs: 00436D8F
?, xrefs: 00436D6B
;, xrefs: 00436D7B
0, xrefs: 00436D7F
=, xrefs: 00436D63
1, xrefs: 00436D53
!, xrefs: 00436D9F
>, xrefs: 00436D97
3, xrefs: 00436D5B
9, xrefs: 00436D73

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: Variant$ClearInit
String ID: !$!$0$1$3$9$;$=$>$?
API String ID: 2610073882-4017061420
Opcode ID: cda46e692248261d225455bfbd383da656a6067b642fcb8ee50a9e8c432748ed
Instruction ID: dce76f18d0c2847a660f32665c65f5c980a7f4d88856c9310731f7cf479fe7be
Opcode Fuzzy Hash: cda46e692248261d225455bfbd383da656a6067b642fcb8ee50a9e8c432748ed
Instruction Fuzzy Hash: 754106701087818FD722DF3C9588606BFA0AB16314F488A9DD8E64F7D6C774E605C762

Function 00435F1B Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 78COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00435F27
VariantInit.OLEAUT32 ref: 00435F33

Strings

?, xrefs: 00435F67
>, xrefs: 00435F93
0, xrefs: 00435F7B
=, xrefs: 00435F5F
!, xrefs: 00435F8B
9, xrefs: 00435F6F
1, xrefs: 00435F4F
;, xrefs: 00435F77
3, xrefs: 00435F57
!, xrefs: 00435F9B

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: Variant$ClearInit
String ID: !$!$0$1$3$9$;$=$>$?
API String ID: 2610073882-4017061420
Opcode ID: 348c8edf02b1c46880617a20ea4cde773ba569d30a26ddf398e4fd9ad9377b71
Instruction ID: bd7fa2d9b3d987461a1fb8d7b0d277e8894d75febd5d938405cb1f81150e01dc
Opcode Fuzzy Hash: 348c8edf02b1c46880617a20ea4cde773ba569d30a26ddf398e4fd9ad9377b71
Instruction Fuzzy Hash: C841E930109780CED726CF6C9584706BFE06B16324F488A8EE8E54F7D7C765D606CB62

Function 004372B3 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 87COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 004372BC
VariantInit.OLEAUT32 ref: 004372C8

Strings

2, xrefs: 0043730E
3, xrefs: 004372FE
*, xrefs: 0043732E
~, xrefs: 0043734E
-, xrefs: 00437316

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: Variant$ClearInit
String ID: *$-$2$3$~
API String ID: 2610073882-712268440
Opcode ID: 181e109783da7289cc71976f8fc4f3b3bc7cd2bc1eac37b6c41ad2700ea7520d
Instruction ID: 60cbd62482cf228be9b6e719d21a7a82e449c946974cc26fe90643ebd4c431bc
Opcode Fuzzy Hash: 181e109783da7289cc71976f8fc4f3b3bc7cd2bc1eac37b6c41ad2700ea7520d
Instruction Fuzzy Hash: 8F410770108B81CED721DF3C8588706BFE0AB26214F088A8DD8E98F397C775D515DB66

Function 00435296 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 00435394
FreeLibrary.KERNEL32(?), ref: 00435494

Strings

Wu, xrefs: 00435394, 00435494

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: FreeLibrary
String ID: Wu
API String ID: 3664257935-4083010176
Opcode ID: 2ee30ce198429f2b261720e978774b144f59fa7d6bba2f124f19d53244588817
Instruction ID: d1eb672ef71c5625a8b09c305371944eacc5032cbe31c346a6b42b4affc249ab
Opcode Fuzzy Hash: 2ee30ce198429f2b261720e978774b144f59fa7d6bba2f124f19d53244588817
Instruction Fuzzy Hash: 5F515370005F808FD7268B358850BA3BBE19F1B306F48599ED4FB8B252D779A508CF18

Function 0043A888 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0043A8D6
GetSystemMetrics.USER32 ref: 0043A8E5

Strings

, xrefs: 0043A9B9

Memory Dump Source

Source File: 00000005.00000002.1567672031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 65cae8f6cdf4aa0ee36dce3bf563fb2e0777f3d215215006cc2803287500b777
Instruction ID: aff40aa290a2da8482ed65553a9083856d3f095cad100f3f2e2c159a29b72631
Opcode Fuzzy Hash: 65cae8f6cdf4aa0ee36dce3bf563fb2e0777f3d215215006cc2803287500b777
Instruction Fuzzy Hash: 2B519EB4E142089FDB40EFADE981A9DBBF0BB48310F118569E898E7350D734AD45CF96

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report CompleteStudio.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CompleteStudio.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
CompleteStudio.exe

Function 00007FFB4AFF151F Relevance: 1.6, Instructions: 1610
COMMON

Function 00007FFB4AFFC5AB Relevance: .6, Instructions: 606
COMMON

Function 00007FFB4AFF9F51 Relevance: .3, Instructions: 309
COMMON

Function 00007FFB4B00183D Relevance: 2.0, APIs: 1, Instructions: 511
processCOMMON

Function 00007FFB4B00131D Relevance: 1.7, APIs: 1, Instructions: 215
injectionCOMMON

Function 00007FFB4B001521 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Function 00007FFB4B001169 Relevance: 1.7, APIs: 1, Instructions: 191
memoryCOMMON

Function 00007FFB4B000FC5 Relevance: 1.7, APIs: 1, Instructions: 181
threadCOMMON

Function 00007FFB4B000E6D Relevance: 1.7, APIs: 1, Instructions: 153
threadCOMMON

Function 00440118 Relevance: 18.0, APIs: 7, Strings: 3, Instructions: 462
COMMON

Function 0040FEA0 Relevance: 14.4, Strings: 11, Instructions: 633
COMMON

Function 0040F242 Relevance: 13.1, Strings: 10, Instructions: 615
COMMON

Function 004109FD Relevance: 10.1, Strings: 8, Instructions: 109
COMMON

Function 00446C3F Relevance: 7.9, Strings: 6, Instructions: 387
COMMON

Function 0040F940 Relevance: 5.4, Strings: 4, Instructions: 384
COMMON

Function 0043FD80 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
comCOMMON

Function 00446BB0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14
libraryCOMMON

Function 00412763 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 300
COMMON

Function 0043FF7B Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 82
memoryCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre