Edit tour

Windows Analysis Report
cccc2.exe

Overview

General Information

Sample name:	cccc2.exe
Analysis ID:	1577356
MD5:	6b470f7251aa9c14d7daea8f6446e217
SHA1:	a256c54d4dd7e0a7a1582d8fdfef5807bc3c4af4
SHA256:	8b9097b795d42c49c3b2c560714226361671a3f1d711faa9aeaee20e22e7095f
Tags:	18521511316185215113209bulletproofexeuser-abus3reports
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

.NET source code contains very large array initializations

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

LummaC encrypted strings found

Sample uses string decryption to hide its real strings

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

cccc2.exe (PID: 7076 cmdline: "C:\Users\user\Desktop\cccc2.exe" MD5: 6B470F7251AA9C14D7DAEA8F6446E217)

conhost.exe (PID: 7104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 908 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["fragnantbui.shop", "offensivedzvju.shop", "gutterydhowi.shop", "vozmeatillu.shop", "stogeneratmns.shop", "ghostreedmnu.shop", "reinforcenh.shop", "drawzhotdog.shop"], "Build id": "TBnDlH--"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T12:29:56.488826+0100	2028371	3	Unknown Traffic	192.168.2.4	49730	23.55.153.106	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T12:29:53.120642+0100	2056156	1	Domain Observed Used for C2 Detected	192.168.2.4	58593	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T12:29:54.274159+0100	2056154	1	Domain Observed Used for C2 Detected	192.168.2.4	63286	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T12:29:53.576060+0100	2056162	1	Domain Observed Used for C2 Detected	192.168.2.4	55062	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T12:29:53.342237+0100	2056164	1	Domain Observed Used for C2 Detected	192.168.2.4	57209	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T12:29:53.812256+0100	2056160	1	Domain Observed Used for C2 Detected	192.168.2.4	55012	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T12:29:54.732201+0100	2056150	1	Domain Observed Used for C2 Detected	192.168.2.4	62664	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T12:29:54.503778+0100	2056152	1	Domain Observed Used for C2 Detected	192.168.2.4	54960	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T12:29:54.034847+0100	2056158	1	Domain Observed Used for C2 Detected	192.168.2.4	50006	1.1.1.1	53	UDP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T12:29:57.368287+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.4	49730	23.55.153.106	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: cccc2.exe

Avira: detected

Found malware configuration

Source: 2.2.RegAsm.exe.400000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["fragnantbui.shop", "offensivedzvju.shop", "gutterydhowi.shop", "vozmeatillu.shop", "stogeneratmns.shop", "ghostreedmnu.shop", "reinforcenh.shop", "drawzhotdog.shop"], "Build id": "TBnDlH--"}

Multi AV Scanner detection for submitted file

Source: cccc2.exe

ReversingLabs: Detection: 76%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: reinforcenh.shop
Source: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: stogeneratmns.shop
Source: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: fragnantbui.shop
Source: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: drawzhotdog.shop
Source: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: vozmeatillu.shop
Source: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: offensivedzvju.shop
Source: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: ghostreedmnu.shop
Source: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: gutterydhowi.shop
Source: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: drawzhotdog.shop
Source: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TBnDlH--

Source: cccc2.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: cccc2.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: c:\rje\tg\7v\obj\Release\Qrr.pdb source: cccc2.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+24h]	2_2_0040F870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+08h]	2_2_0040F870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	2_2_0040F870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	2_2_0040F870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	2_2_0040F870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-1Ch]	2_2_0040E9C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	2_2_0041A040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edi+edx]	2_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_00443010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, ebp	2_2_0040A0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, ebp	2_2_0040A0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edx], cl	2_2_00431167
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+0Ch]	2_2_00431167
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+0Ch]	2_2_00431167
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_00431167
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+44h]	2_2_0041D1CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 54CA534Eh	2_2_004472C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	2_2_004153E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	2_2_004153E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_0043A3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_004313A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edx], al	2_2_004313A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh	2_2_00443460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	2_2_0042D46E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	2_2_0041447C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	2_2_004474C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h	2_2_0042D4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_0042F530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000874h]	2_2_00428581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [edx], ax	2_2_00428581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	2_2_00444590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	2_2_00445643
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	2_2_00405680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	2_2_00410690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	2_2_00410690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	2_2_00449700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	2_2_00449700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	2_2_004487D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esp+14h], 12EEEC16h	2_2_0042E7F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	2_2_004278E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_004278E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	2_2_004278E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	2_2_00449890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	2_2_00449890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah	2_2_00449A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+0Ch]	2_2_00431AC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+0Ch]	2_2_00431AC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+000006A8h]	2_2_0041DACA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_0040DBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then xor eax, eax	2_2_0042ABF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_00443B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	2_2_00443B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	2_2_00414C30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 0633C81Dh	2_2_00447D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	2_2_00440D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [edi+eax+01h], 00000000h	2_2_0042CD08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	2_2_0042CD08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	2_2_0042FD10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], dx	2_2_0041FD80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp dword ptr [00450078h]	2_2_0041FD80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	2_2_00411DAE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi]	2_2_00411DAE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_00411DAE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00425EF0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056160 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop) : 192.168.2.4:55012 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056162 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop) : 192.168.2.4:55062 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056154 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop) : 192.168.2.4:63286 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056150 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop) : 192.168.2.4:62664 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056156 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop) : 192.168.2.4:58593 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056164 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop) : 192.168.2.4:57209 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056152 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop) : 192.168.2.4:54960 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056158 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop) : 192.168.2.4:50006 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49730 -> 23.55.153.106:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: fragnantbui.shop
Source: Malware configuration extractor	URLs: offensivedzvju.shop
Source: Malware configuration extractor	URLs: gutterydhowi.shop
Source: Malware configuration extractor	URLs: vozmeatillu.shop
Source: Malware configuration extractor	URLs: stogeneratmns.shop
Source: Malware configuration extractor	URLs: ghostreedmnu.shop
Source: Malware configuration extractor	URLs: reinforcenh.shop
Source: Malware configuration extractor	URLs: drawzhotdog.shop

Source: Joe Sandbox View

IP Address: 23.55.153.106 23.55.153.106

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic

Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 23.55.153.106:443

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: drawzhotdog.shop
Source: global traffic	DNS traffic detected: DNS query: gutterydhowi.shop
Source: global traffic	DNS traffic detected: DNS query: ghostreedmnu.shop
Source: global traffic	DNS traffic detected: DNS query: offensivedzvju.shop
Source: global traffic	DNS traffic detected: DNS query: vozmeatillu.shop
Source: global traffic	DNS traffic detected: DNS query: fragnantbui.shop
Source: global traffic	DNS traffic detected: DNS query: stogeneratmns.shop
Source: global traffic	DNS traffic detected: DNS query: reinforcenh.shop
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: RegAsm.exe, 00000002.00000002.1749217999.000000000135D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: RegAsm.exe, 00000002.00000002.1749217999.000000000135D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000002.00000002.1749217999.000000000135D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: RegAsm.exe, 00000002.00000002.1749217999.000000000135D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: RegAsm.exe, 00000002.00000002.1749217999.000000000135D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: RegAsm.exe, 00000002.00000002.1749381476.0000000001388000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: RegAsm.exe, 00000002.00000002.1749217999.000000000135D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/3
Source: RegAsm.exe, 00000002.00000002.1749217999.000000000135D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: RegAsm.exe, 00000002.00000002.1749217999.000000000135D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: RegAsm.exe, 00000002.00000002.1749217999.000000000135D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown

HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00437DE0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_00437DE0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00437DE0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_00437DE0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00438247 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

2_2_00438247

System Summary

.NET source code contains very large array initializations

Source: cccc2.exe, MoveAngles.cs

Large array initialization: MoveAngles: array initializer size 357376

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040F870	2_2_0040F870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00401000	2_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040A0C0	2_2_0040A0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040E080	2_2_0040E080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00415081	2_2_00415081
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040B150	2_2_0040B150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00431167	2_2_00431167
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0044A120	2_2_0044A120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00409269	2_2_00409269
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0043F2AC	2_2_0043F2AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004362B0	2_2_004362B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00401379	2_2_00401379
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004483F0	2_2_004483F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004013BC	2_2_004013BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00409442	2_2_00409442
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0042D4B0	2_2_0042D4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00436560	2_2_00436560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0042F5D0	2_2_0042F5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004015DE	2_2_004015DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0042C5E3	2_2_0042C5E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00428581	2_2_00428581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00403660	2_2_00403660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00410690	2_2_00410690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004487D0	2_2_004487D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00447870	2_2_00447870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004378C0	2_2_004378C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00407900	2_2_00407900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040C9D0	2_2_0040C9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041DACA	2_2_0041DACA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00406B60	2_2_00406B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00437B70	2_2_00437B70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0042CB0F	2_2_0042CB0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0042ABF9	2_2_0042ABF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00443B90	2_2_00443B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040BC60	2_2_0040BC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040ACC0	2_2_0040ACC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00426D6F	2_2_00426D6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00447D70	2_2_00447D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0042CD08	2_2_0042CD08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00412D20	2_2_00412D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00404DB0	2_2_00404DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00449E50	2_2_00449E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00413E12	2_2_00413E12
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00410ED0	2_2_00410ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0043DF50	2_2_0043DF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00406F00	2_2_00406F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00408FCE	2_2_00408FCE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0041C710 appears 153 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0040C7C0 appears 50 times

Source: cccc2.exe, 00000000.00000000.1680366680.000000000104C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameVQP.exe@ vs cccc2.exe
Source: cccc2.exe, 00000000.00000002.1704179935.000000000157E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs cccc2.exe
Source: cccc2.exe	Binary or memory string: OriginalFilenameVQP.exe@ vs cccc2.exe

Source: cccc2.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: cccc2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/2@9/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_004373B7 CoCreateInstance,

2_2_004373B7

Source: C:\Users\user\Desktop\cccc2.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cccc2.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\cccc2.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7104:120:WilError_03

Source: cccc2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: cccc2.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\cccc2.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: cccc2.exe

ReversingLabs: Detection: 76%

Source: unknown	Process created: C:\Users\user\Desktop\cccc2.exe "C:\Users\user\Desktop\cccc2.exe"
Source: C:\Users\user\Desktop\cccc2.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\cccc2.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\cccc2.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\cccc2.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\cccc2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cccc2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\cccc2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\cccc2.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\cccc2.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\cccc2.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior

Source: cccc2.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: cccc2.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: cccc2.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: c:\rje\tg\7v\obj\Release\Qrr.pdb source: cccc2.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00440466 push ds; ret		2_2_00440468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00416D75 push ebx; ret		2_2_00416D77

Source: cccc2.exe

Static PE information: section name: .text entropy: 7.995511495858083

Source: C:\Users\user\Desktop\cccc2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cccc2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cccc2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cccc2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cccc2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cccc2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cccc2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cccc2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cccc2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cccc2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cccc2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cccc2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cccc2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cccc2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cccc2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\cccc2.exe	Memory allocated: 17A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\cccc2.exe	Memory allocated: 33A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\cccc2.exe	Memory allocated: 53A0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\cccc2.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\cccc2.exe TID: 6308	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2800	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2800	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\cccc2.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: RegAsm.exe, 00000002.00000002.1749217999.0000000001355000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8:
Source: RegAsm.exe, 00000002.00000002.1749381476.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW1
Source: RegAsm.exe, 00000002.00000002.1749381476.00000000013A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00445D10 LdrInitializeThunk,

2_2_00445D10

Source: C:\Users\user\Desktop\cccc2.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\cccc2.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\cccc2.exe

Code function: 0_2_033A212D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_033A212D

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\cccc2.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: cccc2.exe, 00000000.00000002.1705304601.00000000043A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: reinforcenh.shop
Source: cccc2.exe, 00000000.00000002.1705304601.00000000043A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: stogeneratmns.shop
Source: cccc2.exe, 00000000.00000002.1705304601.00000000043A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: fragnantbui.shop
Source: cccc2.exe, 00000000.00000002.1705304601.00000000043A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: drawzhotdog.shop
Source: cccc2.exe, 00000000.00000002.1705304601.00000000043A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: vozmeatillu.shop
Source: cccc2.exe, 00000000.00000002.1705304601.00000000043A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: offensivedzvju.shop
Source: cccc2.exe, 00000000.00000002.1705304601.00000000043A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ghostreedmnu.shop
Source: cccc2.exe, 00000000.00000002.1705304601.00000000043A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: gutterydhowi.shop

Writes to foreign memory regions

Source: C:\Users\user\Desktop\cccc2.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\cccc2.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\cccc2.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44B000	Jump to behavior
Source: C:\Users\user\Desktop\cccc2.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44E000	Jump to behavior
Source: C:\Users\user\Desktop\cccc2.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 45D000	Jump to behavior
Source: C:\Users\user\Desktop\cccc2.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 10DA008	Jump to behavior

Source: C:\Users\user\Desktop\cccc2.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Jump to behavior

Source: C:\Users\user\Desktop\cccc2.exe

Queries volume information: C:\Users\user\Desktop\cccc2.exe VolumeInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 PowerShell	1 DLL Side-Loading	411 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	2 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	411 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
cccc2.exe	76%	ReversingLabs	ByteCode-MSIL.Trojan.LummaSteal
cccc2.exe	100%	Avira	TR/AD.Nekark.gzucc

Name	IP	Active	Malicious	Reputation
steamcommunity.com	23.55.153.106	true	false	high
fragnantbui.shop	unknown	unknown	true	unknown
gutterydhowi.shop	unknown	unknown	true	unknown
offensivedzvju.shop	unknown	unknown	true	unknown
stogeneratmns.shop	unknown	unknown	true	unknown
reinforcenh.shop	unknown	unknown	true	unknown
drawzhotdog.shop	unknown	unknown	true	unknown
ghostreedmnu.shop	unknown	unknown	true	unknown
vozmeatillu.shop	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Reputation
https://steamcommunity.com/profiles/76561199724331900	false	high
stogeneratmns.shop	false	high
reinforcenh.shop	false	high
fragnantbui.shop	false	high
gutterydhowi.shop	false	high
offensivedzvju.shop	false	high
drawzhotdog.shop	false	high
ghostreedmnu.shop	false	high
vozmeatillu.shop	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://player.vimeo.com	RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/3	RegAsm.exe, 00000002.00000002.1749217999.000000000135D000.00000004.00000020.00020000.00000000.sdmp	false	high
http://store.steampowered.com/privacy_agreement/	RegAsm.exe, 00000002.00000002.1749217999.000000000135D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://recaptcha.net	RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/	RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.gstatic.cn/recaptcha/	RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	false	high
http://store.steampowered.com/subscriber_agreement/	RegAsm.exe, 00000002.00000002.1749217999.000000000135D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	RegAsm.exe, 00000002.00000002.1749217999.000000000135D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com	RegAsm.exe, 00000002.00000002.1749217999.000000000135D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://sketchfab.com	RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	false	high
https://lv.queniujq.cn	RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	false	high
https://recaptcha.net/recaptcha/;	RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.youtube.com/	RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	false	high
http://127.0.0.1:27060	RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.youtube.com	RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.google.com	RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	false	high
https://medal.tv	RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	false	high
https://broadcast.st.dl.eccdnx.com	RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.google.com/recaptcha/	RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	false	high
https://checkout.steampowered.com/	RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	false	high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/	RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	false	high
https://help.steampowered.com/	RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	false	high
https://api.steampowered.com/	RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	false	high
http://store.steampowered.com/account/cookiepreferences/	RegAsm.exe, 00000002.00000002.1749217999.000000000135D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://s.ytimg.com;	RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/	RegAsm.exe, 00000002.00000002.1749381476.0000000001388000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	false	high
https://login.steampowered.com/	RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	RegAsm.exe, 00000002.00000002.1749217999.000000000135D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/legal/	RegAsm.exe, 00000002.00000002.1749217999.000000000135D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/	RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steam.tv/	RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/;	RegAsm.exe, 00000002.00000002.1749451185.00000000013AB000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
23.55.153.106	steamcommunity.com	United States		20940	AKAMAI-ASN1EU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1577356
Start date and time:	2024-12-18 12:28:57 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	cccc2.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/2@9/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 10 Number of non-executed functions: 86
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: cccc2.exe

Simulations

Behavior and APIs

Time	Type	Description
06:29:52	API Interceptor	9x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
23.55.153.106	CompleteStudio.exe	Get hash	malicious	LummaC	Browse
	random.exe.6.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar	Browse
	alexshlu.exe	Get hash	malicious	LummaC Stealer	Browse
	99awhy8l.exe	Get hash	malicious	LummaC	Browse
	5_6253708004881862888.exe	Get hash	malicious	LummaC	Browse
	noll.exe	Get hash	malicious	Stealc, Vidar	Browse
	1fxm3u0d.exe	Get hash	malicious	LummaC	Browse
	2kudv4ea.exe	Get hash	malicious	LummaC	Browse
	ardware-v1.exe	Get hash	malicious	LummaC	Browse
	ardware-v1.exe	Get hash	malicious	LummaC	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	CompleteStudio.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	random.exe.6.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar	Browse	23.55.153.106
	alexshlu.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106
	99awhy8l.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	5_6253708004881862888.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	noll.exe	Get hash	malicious	Stealc, Vidar	Browse	23.55.153.106
	1fxm3u0d.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	2kudv4ea.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	ardware-v1.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	ardware-v1.exe	Get hash	malicious	LummaC	Browse	23.55.153.106

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASN1EU	CompleteStudio.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	random.exe.6.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar	Browse	23.55.153.106
	alexshlu.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106
	99awhy8l.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	5_6253708004881862888.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	noll.exe	Get hash	malicious	Stealc, Vidar	Browse	23.55.153.106
	1fxm3u0d.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	2kudv4ea.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	EXTERNALRe.msg	Get hash	malicious	Unknown	Browse	23.44.201.32
	ardware-v1.exe	Get hash	malicious	LummaC	Browse	23.55.153.106

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	CompleteStudio.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	winrar-x64-701.exe	Get hash	malicious	Unknown	Browse	23.55.153.106
	random.exe.6.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar	Browse	23.55.153.106
	alexshlu.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106
	99awhy8l.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	random.exe_Y.exe	Get hash	malicious	Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	23.55.153.106
	5_6253708004881862888.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	1fxm3u0d.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	2kudv4ea.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	23.55.153.106

Process:	C:\Users\user\Desktop\cccc2.exe
File Type:	CSV text
Category:	modified
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\cccc2.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	23
Entropy (8bit):	2.5600289361122233
Encrypted:	false
SSDEEP:	3:oWEMo6vvRya:oWEpKvD
MD5:	198AA7622D86723F12D39AA38A10C97F
SHA1:	B3FE9A9637FAF01EFCFCB92AB288F7C91CE87F63
SHA-256:	88866B26B5F228DBEF268709E063E29F5BD89C114921148BEAA92FC2EACD2E2D
SHA-512:	8452029C020F524303144260D478F8F15E2AD5A4BB3F65DB06B62DEA568FAD165949A0FFDE119D7F5C4CA58E87AF660C35CCD54CE78D82BDEB01F6E84E3ED5BA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	012340..1..2..3..4.....

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.989212623944353
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	cccc2.exe
File size:	367'616 bytes
MD5:	6b470f7251aa9c14d7daea8f6446e217
SHA1:	a256c54d4dd7e0a7a1582d8fdfef5807bc3c4af4
SHA256:	8b9097b795d42c49c3b2c560714226361671a3f1d711faa9aeaee20e22e7095f
SHA512:	fdc553c9d2ff19343dd99b0b34c875752df4fa0cbd494096aeb51d859bd102448f1a5043a53a808045ae52077f180546a134b1aa69db4dc04aff2610fadeaca4
SSDEEP:	6144:A9qV5P6oqa2R9xVnirCMSaMp1iXh7Dvnj+c60jNyRBEKjbXIEloBTOZu:AOB2Rx8/4p1ix/njn9knbvlo
TLSH:	EE7423E0A4EAD27ECDB5443188E317B6D5F58A7E806F177B2462B27E4C18749223FB50
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f............................>.... ........@.. ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x45b13e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F3EAB1 [Wed Sep 25 10:49:21 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5b0e8	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5c000	0x5c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x5afb0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x59144	0x59200	7c87d4e64787a64eded379b8c3dafd1f	False	0.9937406863604488	data	7.995511495858083	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x5c000	0x5c8	0x600	59aaab19b9712bb034b24cd3f8200869	False	0.4375	data	4.1218576719270885	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5e000	0xc	0x200	779cc6de682bfe0fef87793bb2fa6c5a	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x5c0a0	0x338	data			0.44660194174757284
RT_MANIFEST	0x5c3d8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-18T12:29:53.120642+0100	2056156	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop)	1	192.168.2.4	58593	1.1.1.1	53	UDP
2024-12-18T12:29:53.342237+0100	2056164	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop)	1	192.168.2.4	57209	1.1.1.1	53	UDP
2024-12-18T12:29:53.576060+0100	2056162	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop)	1	192.168.2.4	55062	1.1.1.1	53	UDP
2024-12-18T12:29:53.812256+0100	2056160	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop)	1	192.168.2.4	55012	1.1.1.1	53	UDP
2024-12-18T12:29:54.034847+0100	2056158	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop)	1	192.168.2.4	50006	1.1.1.1	53	UDP
2024-12-18T12:29:54.274159+0100	2056154	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop)	1	192.168.2.4	63286	1.1.1.1	53	UDP
2024-12-18T12:29:54.503778+0100	2056152	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop)	1	192.168.2.4	54960	1.1.1.1	53	UDP
2024-12-18T12:29:54.732201+0100	2056150	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop)	1	192.168.2.4	62664	1.1.1.1	53	UDP
2024-12-18T12:29:56.488826+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49730	23.55.153.106	443	TCP
2024-12-18T12:29:57.368287+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.4	49730	23.55.153.106	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 12:29:55.095588923 CET	49730	443	192.168.2.4	23.55.153.106
Dec 18, 2024 12:29:55.095633984 CET	443	49730	23.55.153.106	192.168.2.4
Dec 18, 2024 12:29:55.095767975 CET	49730	443	192.168.2.4	23.55.153.106
Dec 18, 2024 12:29:55.098376989 CET	49730	443	192.168.2.4	23.55.153.106
Dec 18, 2024 12:29:55.098392010 CET	443	49730	23.55.153.106	192.168.2.4
Dec 18, 2024 12:29:56.488694906 CET	443	49730	23.55.153.106	192.168.2.4
Dec 18, 2024 12:29:56.488826036 CET	49730	443	192.168.2.4	23.55.153.106
Dec 18, 2024 12:29:56.492513895 CET	49730	443	192.168.2.4	23.55.153.106
Dec 18, 2024 12:29:56.492525101 CET	443	49730	23.55.153.106	192.168.2.4
Dec 18, 2024 12:29:56.492850065 CET	443	49730	23.55.153.106	192.168.2.4
Dec 18, 2024 12:29:56.537847042 CET	49730	443	192.168.2.4	23.55.153.106
Dec 18, 2024 12:29:56.541227102 CET	49730	443	192.168.2.4	23.55.153.106
Dec 18, 2024 12:29:56.587327003 CET	443	49730	23.55.153.106	192.168.2.4
Dec 18, 2024 12:29:57.368288040 CET	443	49730	23.55.153.106	192.168.2.4
Dec 18, 2024 12:29:57.368336916 CET	443	49730	23.55.153.106	192.168.2.4
Dec 18, 2024 12:29:57.368390083 CET	49730	443	192.168.2.4	23.55.153.106
Dec 18, 2024 12:29:57.368427992 CET	443	49730	23.55.153.106	192.168.2.4
Dec 18, 2024 12:29:57.368477106 CET	443	49730	23.55.153.106	192.168.2.4
Dec 18, 2024 12:29:57.368510962 CET	443	49730	23.55.153.106	192.168.2.4
Dec 18, 2024 12:29:57.368522882 CET	443	49730	23.55.153.106	192.168.2.4
Dec 18, 2024 12:29:57.368532896 CET	49730	443	192.168.2.4	23.55.153.106
Dec 18, 2024 12:29:57.368532896 CET	49730	443	192.168.2.4	23.55.153.106
Dec 18, 2024 12:29:57.368532896 CET	49730	443	192.168.2.4	23.55.153.106
Dec 18, 2024 12:29:57.368549109 CET	49730	443	192.168.2.4	23.55.153.106
Dec 18, 2024 12:29:57.368571043 CET	49730	443	192.168.2.4	23.55.153.106
Dec 18, 2024 12:29:57.544459105 CET	443	49730	23.55.153.106	192.168.2.4
Dec 18, 2024 12:29:57.544549942 CET	443	49730	23.55.153.106	192.168.2.4
Dec 18, 2024 12:29:57.544584036 CET	443	49730	23.55.153.106	192.168.2.4
Dec 18, 2024 12:29:57.544713020 CET	49730	443	192.168.2.4	23.55.153.106
Dec 18, 2024 12:29:57.544713020 CET	49730	443	192.168.2.4	23.55.153.106
Dec 18, 2024 12:29:57.546535969 CET	49730	443	192.168.2.4	23.55.153.106
Dec 18, 2024 12:29:57.546585083 CET	443	49730	23.55.153.106	192.168.2.4
Dec 18, 2024 12:29:57.546638012 CET	49730	443	192.168.2.4	23.55.153.106
Dec 18, 2024 12:29:57.546657085 CET	443	49730	23.55.153.106	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 12:29:53.120641947 CET	58593	53	192.168.2.4	1.1.1.1
Dec 18, 2024 12:29:53.337537050 CET	53	58593	1.1.1.1	192.168.2.4
Dec 18, 2024 12:29:53.342236996 CET	57209	53	192.168.2.4	1.1.1.1
Dec 18, 2024 12:29:53.572941065 CET	53	57209	1.1.1.1	192.168.2.4
Dec 18, 2024 12:29:53.576060057 CET	55062	53	192.168.2.4	1.1.1.1
Dec 18, 2024 12:29:53.808521032 CET	53	55062	1.1.1.1	192.168.2.4
Dec 18, 2024 12:29:53.812256098 CET	55012	53	192.168.2.4	1.1.1.1
Dec 18, 2024 12:29:54.028924942 CET	53	55012	1.1.1.1	192.168.2.4
Dec 18, 2024 12:29:54.034847021 CET	50006	53	192.168.2.4	1.1.1.1
Dec 18, 2024 12:29:54.266120911 CET	53	50006	1.1.1.1	192.168.2.4
Dec 18, 2024 12:29:54.274158955 CET	63286	53	192.168.2.4	1.1.1.1
Dec 18, 2024 12:29:54.500194073 CET	53	63286	1.1.1.1	192.168.2.4
Dec 18, 2024 12:29:54.503777981 CET	54960	53	192.168.2.4	1.1.1.1
Dec 18, 2024 12:29:54.729012012 CET	53	54960	1.1.1.1	192.168.2.4
Dec 18, 2024 12:29:54.732201099 CET	62664	53	192.168.2.4	1.1.1.1
Dec 18, 2024 12:29:54.952965975 CET	53	62664	1.1.1.1	192.168.2.4
Dec 18, 2024 12:29:54.954391956 CET	49303	53	192.168.2.4	1.1.1.1
Dec 18, 2024 12:29:55.091375113 CET	53	49303	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 18, 2024 12:29:53.120641947 CET	192.168.2.4	1.1.1.1	0x624f	Standard query (0)	drawzhotdog.shop	A (IP address)	IN (0x0001)	false
Dec 18, 2024 12:29:53.342236996 CET	192.168.2.4	1.1.1.1	0xf3ae	Standard query (0)	gutterydhowi.shop	A (IP address)	IN (0x0001)	false
Dec 18, 2024 12:29:53.576060057 CET	192.168.2.4	1.1.1.1	0x59e3	Standard query (0)	ghostreedmnu.shop	A (IP address)	IN (0x0001)	false
Dec 18, 2024 12:29:53.812256098 CET	192.168.2.4	1.1.1.1	0xc309	Standard query (0)	offensivedzvju.shop	A (IP address)	IN (0x0001)	false
Dec 18, 2024 12:29:54.034847021 CET	192.168.2.4	1.1.1.1	0x7ea2	Standard query (0)	vozmeatillu.shop	A (IP address)	IN (0x0001)	false
Dec 18, 2024 12:29:54.274158955 CET	192.168.2.4	1.1.1.1	0xeabc	Standard query (0)	fragnantbui.shop	A (IP address)	IN (0x0001)	false
Dec 18, 2024 12:29:54.503777981 CET	192.168.2.4	1.1.1.1	0x92d8	Standard query (0)	stogeneratmns.shop	A (IP address)	IN (0x0001)	false
Dec 18, 2024 12:29:54.732201099 CET	192.168.2.4	1.1.1.1	0xf0c1	Standard query (0)	reinforcenh.shop	A (IP address)	IN (0x0001)	false
Dec 18, 2024 12:29:54.954391956 CET	192.168.2.4	1.1.1.1	0x2f39	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 18, 2024 12:29:53.337537050 CET	1.1.1.1	192.168.2.4	0x624f	Name error (3)	drawzhotdog.shop	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 12:29:53.572941065 CET	1.1.1.1	192.168.2.4	0xf3ae	Name error (3)	gutterydhowi.shop	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 12:29:53.808521032 CET	1.1.1.1	192.168.2.4	0x59e3	Name error (3)	ghostreedmnu.shop	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 12:29:54.028924942 CET	1.1.1.1	192.168.2.4	0xc309	Name error (3)	offensivedzvju.shop	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 12:29:54.266120911 CET	1.1.1.1	192.168.2.4	0x7ea2	Name error (3)	vozmeatillu.shop	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 12:29:54.500194073 CET	1.1.1.1	192.168.2.4	0xeabc	Name error (3)	fragnantbui.shop	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 12:29:54.729012012 CET	1.1.1.1	192.168.2.4	0x92d8	Name error (3)	stogeneratmns.shop	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 12:29:54.952965975 CET	1.1.1.1	192.168.2.4	0xf0c1	Name error (3)	reinforcenh.shop	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 12:29:55.091375113 CET	1.1.1.1	192.168.2.4	0x2f39	No error (0)	steamcommunity.com		23.55.153.106	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	23.55.153.106	443	908	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 11:29:56 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-12-18 11:29:57 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Wed, 18 Dec 2024 11:29:57 GMT Content-Length: 25665 Connection: close Set-Cookie: sessionid=b935f08de437e17d5f3eacca; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2024-12-18 11:29:57 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2024-12-18 11:29:57 UTC	10097	IN	Data Raw: 3f 6c 3d 6b 6f 72 65 61 6e 61 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 6b 6f 72 65 61 6e 61 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e ed 95 9c ea b5 ad ec 96 b4 20 28 4b 6f 72 65 61 6e 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 74 68 61 69 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 74 68 61 69 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e0 b9 84 e0 b8 97 e0 b8 a2 20 28 54 68 61 69 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 Data Ascii: ?l=koreana" onclick="ChangeLanguage( 'koreana' ); return false;"> (Korean)</a><a class="popup_menu_item tight" href="?l=thai" onclick="ChangeLanguage( 'thai' ); return false;"> (Thai)</a>
2024-12-18 11:29:57 UTC	1089	IN	Data Raw: 68 65 69 72 20 72 65 73 70 65 63 74 69 76 65 20 6f 77 6e 65 72 73 20 69 6e 20 74 68 65 20 55 53 20 61 6e 64 20 6f 74 68 65 72 20 63 6f 75 6e 74 72 69 65 73 2e 3c 62 72 2f 3e 53 6f 6d 65 20 67 65 6f 73 70 61 74 69 61 6c 20 64 61 74 61 20 6f 6e 20 74 68 69 73 20 77 65 62 73 69 74 65 20 69 73 20 70 72 6f 76 69 64 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 6c 69 6e 6b 66 69 6c 74 65 72 2f 3f 75 3d 68 74 74 70 25 33 41 25 32 46 25 32 46 77 77 77 2e 67 65 6f 6e 61 6d 65 73 2e 6f 72 67 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 20 72 65 6c 3d 22 20 6e 6f 6f 70 65 6e 65 72 22 3e 67 65 6f 6e 61 6d 65 73 2e 6f 72 67 3c 2f 61 3e 2e 09 09 09 09 09 3c 62 72 3e 0a 09 09 09 09 09 Data Ascii: heir respective owners in the US and other countries.<br/>Some geospatial data on this website is provided by <a href="https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org" target="_blank" rel=" noopener">geonames.org</a>.<br>

Target ID:	0
Start time:	06:29:49
Start date:	18/12/2024
Path:	C:\Users\user\Desktop\cccc2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\cccc2.exe"
Imagebase:	0xff0000
File size:	367'616 bytes
MD5 hash:	6B470F7251AA9C14D7DAEA8F6446E217
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	06:29:49
Start date:	18/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:29:51
Start date:	18/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xe60000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	39.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	30%
Total number of Nodes:	20
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 033A212D Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,033A209F,033A208F), ref: 033A229C
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 033A22AF
Wow64GetThreadContext.KERNEL32(00000098,00000000), ref: 033A22CD
ReadProcessMemory.KERNELBASE(000002D0,?,033A20E3,00000004,00000000), ref: 033A22F1
VirtualAllocEx.KERNELBASE(000002D0,?,?,00003000,00000040), ref: 033A231C
WriteProcessMemory.KERNELBASE(000002D0,00000000,?,?,00000000,?), ref: 033A2374
WriteProcessMemory.KERNELBASE(000002D0,00400000,?,?,00000000,?,00000028), ref: 033A23BF
WriteProcessMemory.KERNELBASE(000002D0,-00000008,?,00000004,00000000), ref: 033A23FD
Wow64SetThreadContext.KERNEL32(00000098,03310000), ref: 033A2439
ResumeThread.KERNELBASE(00000098), ref: 033A2448

Strings

VirtualAlloc, xrefs: 033A21F4
Load, xrefs: 033A216B
GetThreadContext, xrefs: 033A2207
aryA, xrefs: 033A2173
SetThreadContext, xrefs: 033A2253
ReadProcessMemory, xrefs: 033A221A
ress, xrefs: 033A21B7
VirtualAllocEx, xrefs: 033A222D
WriteProcessMemory, xrefs: 033A2240
CreateProcessA, xrefs: 033A21E1
GetP, xrefs: 033A21AF
TerminateProcess, xrefs: 033A232B
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 033A229B
ResumeThread, xrefs: 033A2269

Memory Dump Source

Source File: 00000000.00000002.1704515280.00000000033A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_33a1000_cccc2.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-1257834847
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: 71f46c280ebcd69b633fa7e906b6517100ffe3248152996273cad0168b32e2d1
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: 13B1F77660064AAFDB60CF68CC80BDA77A9FF88714F158564EA0CEB341D774FA418B94

Function 017A1279 Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 017A1300

Memory Dump Source

Source File: 00000000.00000002.1704333256.00000000017A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17a0000_cccc2.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 16dcc49e1f31a81c2cb55bf760d4614da67fd93a0528bb68d63b129601afab51
Instruction ID: f59c46070484d34ccd93dc1e161375112778a56df4945b197100b76313861183
Opcode Fuzzy Hash: 16dcc49e1f31a81c2cb55bf760d4614da67fd93a0528bb68d63b129601afab51
Instruction Fuzzy Hash: 252132B19002499FDB10DFAAC881AEEFBF4FF48314F50842AE959A7210C7749944CFA1

Function 017A1280 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 017A1300

Memory Dump Source

Source File: 00000000.00000002.1704333256.00000000017A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17a0000_cccc2.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 51844b04cf9a547f960c96e74433885e0dc207d19fc5791bda70936faa2c2863
Instruction ID: ff31165a7cfd61a7b16c9d6f77558f431fe25bbfd4b14c1b2599fecc689eabfe
Opcode Fuzzy Hash: 51844b04cf9a547f960c96e74433885e0dc207d19fc5791bda70936faa2c2863
Instruction Fuzzy Hash: D32113B19002499FDB10DFAAC880ADEFBF4FF48310F50842AE959A7250C775A944CFA5

Analysis Process: RegAsm.exePID: 908, Parent PID: 7076COMMON

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.7%
Total number of Nodes:	61
Total number of Limit Nodes:	6

Executed Functions

Function 0040F870 Relevance: 31.4, Strings: 24, Instructions: 1361COMMON

Download Yara Rule

Strings

}AtC, xrefs: 0040F98F
A{y, xrefs: 00410E00
F=W?, xrefs: 0040F97A
m%o, xrefs: 00410083
_O, xrefs: 00410196
*e*g, xrefs: 00410091
A{y, xrefs: 00410BF6, 00410BD3, 00410D56, 00410D33, 00410BDB, 00410D3B
$#, xrefs: 00410A9C
Zm^o, xrefs: 0040F9CE
sq, xrefs: 00410CCC
%EqG, xrefs: 0040F988
q<s, xrefs: 0041007C
8eFg, xrefs: 0040F9C0
\S, xrefs: 00410D0C
IC, xrefs: 004103A4
L9N;, xrefs: 0040F981
QaRc, xrefs: 0040F9C7
vK, xrefs: 004101A0
SiJk, xrefs: 0040F9D5
|MnO, xrefs: 0040F996
#]-_, xrefs: 0040F9B2
KM, xrefs: 004103B2
A{y, xrefs: 00410C6F, 00410C80, 00410C88, 00410C8C
e1E3, xrefs: 0040F973

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: m%o$#]-_$$#$%EqG$*e*g$8eFg$A{y$A{y$A{y$F=W?$IC$KM$L9N;$QaRc$SiJk$Zm^o$\S$_O$e1E3$vK$|MnO$}AtC$q<s$sq
API String ID: 0-4009828573
Opcode ID: a509d5cf1d3d34c660505e66dca031483d42619a1c4d3c995a79d72900ba09af
Instruction ID: c3630ad4f5c475876f494961501e8d9213224f6ba4832620ddef517b73d89da9
Opcode Fuzzy Hash: a509d5cf1d3d34c660505e66dca031483d42619a1c4d3c995a79d72900ba09af
Instruction Fuzzy Hash: 47B297B4504701DFD7208F66D881BABBBF5FF4A301F00892DE4969B6A1D778E844CB59

Function 0040E9C0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(9FF799E3,00000000,8!67), ref: 0040EACD

Strings

8!67, xrefs: 0040EA33, 0040EA3B

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID: 8!67
API String ID: 1029625771-485824511
Opcode ID: e91380da90d0a1ae8e1856b7847d0d07c78a085f8e8e0f59ae24f324f6a7921f
Instruction ID: a378cef6331095809e7f5604f7941113c356dc053d7457f57d7eb746df845c38
Opcode Fuzzy Hash: e91380da90d0a1ae8e1856b7847d0d07c78a085f8e8e0f59ae24f324f6a7921f
Instruction Fuzzy Hash: A15161B4D00308BFDB01EFA5EC429ADBF71EB05386F50043AF804B7266D7399A558B99

Function 00445D10 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00412BE5,00000000,00000001), ref: 00445D3E

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 0040CE80 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 165
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetInputState.USER32 ref: 0040CE91
GetCurrentThreadId.KERNEL32 ref: 0040CEA6
GetCurrentProcessId.KERNEL32 ref: 0040CEAC
ExitProcess.KERNEL32 ref: 0040D080

Strings

98?>, xrefs: 0040D043, 0040D04B
=<#", xrefs: 0040D00E

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: CurrentProcess$ExitInputStateThread
String ID: 98?>$=<#"
API String ID: 1029096631-575674944
Opcode ID: a3f6515795037531821660836c7337696ca12dfe54cee5e42f96d046294826c0
Instruction ID: 1cabd40eefa5255427a832a9ef4cda33b9a15c7814e292e2633299dd4afe059a
Opcode Fuzzy Hash: a3f6515795037531821660836c7337696ca12dfe54cee5e42f96d046294826c0
Instruction Fuzzy Hash: E2514D7480C2809BD301BFA5D544A1EFBE5AF56708F148D2DE5C8AB392C73AC814CB6B

Function 00442CE0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 00442D33

Strings

B-D, xrefs: 00442D39

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: AllocateHeap
String ID: B-D
API String ID: 1279760036-3720634330
Opcode ID: 79013324be2e7cf687789249e67f7897953a24040b7a6cae2efb9464a0356ea0
Instruction ID: 7180bec0afc63eb0645584d58a18209a7e12a10d463dd5cc8d56965c9cb88df8
Opcode Fuzzy Hash: 79013324be2e7cf687789249e67f7897953a24040b7a6cae2efb9464a0356ea0
Instruction Fuzzy Hash: D3F0177450D3409BE302EF18DA94A1EFBE5EF5A706F84486DF4C597262C375E810CBA6

Function 00444CCE Relevance: 1.6, APIs: 1, Instructions: 71
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800), ref: 00444D4C

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 57921ecff0074fb26a671621a8c6e10d671e06d4fff2e775d20f371b54bcd6f6
Instruction ID: 75211bfb381c99097afae6bc3bfff694755b045083e4f895af76f65e9cef83b2
Opcode Fuzzy Hash: 57921ecff0074fb26a671621a8c6e10d671e06d4fff2e775d20f371b54bcd6f6
Instruction Fuzzy Hash: E321C1B5A003469FD701CFA9E59176EBBB1BF4A306F644429E141E7342C378EA11CFA9

Function 00442D62 Relevance: 1.5, APIs: 1, Instructions: 44
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 00442DE2

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: cd95ca436aed157d869a077e2eb902530f9a790a96de65f025573e8c48497f7e
Instruction ID: 882d167d70f18cf93cb8acc8d19bcbadd3068f1821c83cad1d58421c6399e89d
Opcode Fuzzy Hash: cd95ca436aed157d869a077e2eb902530f9a790a96de65f025573e8c48497f7e
Instruction Fuzzy Hash: 47014B34608340DFD311AF18FA55A09BBF1EB06B06F044C6AE5C087362C375EC61CB56

Non-executed Functions

Function 00411DAE Relevance: 38.0, APIs: 4, Strings: 17, Instructions: 1276COMMON

Download Yara Rule

APIs

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00411DC0
CoUninitialize.OLE32 ref: 004120A9
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004120C1

Strings

%W'U, xrefs: 00411FC0
h], xrefs: 0041299C
6K;I, xrefs: 00411F9D
l/=-, xrefs: 00412674
b,A, xrefs: 00412C50
?&%, xrefs: 0041249C
(S)Q, xrefs: 00411FC7
4`[b, xrefs: 00412BBE
W?O=, xrefs: 00411F7A
_[, xrefs: 00412612
:+*), xrefs: 0041267B
/^, xrefs: 00412604
[n, xrefs: 00412619
U, xrefs: 00412995
'[(Y, xrefs: 00411FB9
1<$, xrefs: 0041248E
\^, xrefs: 0041260B

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: DirectoryInitializeSecuritySystemUninitialize
String ID: %W'U$'[(Y$(S)Q$/^$1<$$4`[b$6K;I$:+*)$?&%$U$W?O=$[n$\^$_[$b,A$h]$l/=-
API String ID: 1555113959-2802985764
Opcode ID: 7c1b73b5960e5cb8280c42fcae52b11ff627b864f58c0a8a99d72a8fdf34b107
Instruction ID: 0890cdf46cb5fd93ec4d35b377929ccd45ac2a1524a64ef46bb0b35c9f4aa94a
Opcode Fuzzy Hash: 7c1b73b5960e5cb8280c42fcae52b11ff627b864f58c0a8a99d72a8fdf34b107
Instruction Fuzzy Hash: E39202B4500341DFD3259F25D890A26BBF1FF16308F2448AEE4C58B352D73AE896CB99

Function 00428581 Relevance: 24.8, Strings: 19, Instructions: 1017COMMON

Download Yara Rule

Strings

DE, xrefs: 00428A72
31, xrefs: 00428E6D
HyK{, xrefs: 00429117
&+, xrefs: 00428EF1
l]j_, xrefs: 004290CA
\_, xrefs: 00428CB9
eUgW, xrefs: 004290E0
8K>M, xrefs: 00428C82
sAuC, xrefs: 004290A9
Y], xrefs: 004288AF
ZJ, xrefs: 004288BA
^], xrefs: 004288A4
>O, xrefs: 00428899
aQaS, xrefs: 004290D5
4`[b, xrefs: 00429900
/$, xrefs: 00428EE6
*, xrefs: 00428EFC
4`[b, xrefs: 004292E0
{8}, xrefs: 00428C56

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: {8}$&+$*$/$$4`[b$4`[b$8K>M$>O$DE$HyK{$Y]$ZJ$\_$^]$aQaS$eUgW$l]j_$sAuC$31
API String ID: 0-3538536219
Opcode ID: 7d74811fdd82feb000a695860ad95e8afdd67b0b2aa2c74e0eeb3869b4099422
Instruction ID: 0d01d294f5ac42c96272f57cdbc475340f3e3263fcb93a7f791e66e9023d972f
Opcode Fuzzy Hash: 7d74811fdd82feb000a695860ad95e8afdd67b0b2aa2c74e0eeb3869b4099422
Instruction Fuzzy Hash: 8BA24DB420D381CBE330CF25E540B9FBBE1BB85740FA48A2DE5C99B251DB749845CB96

Function 0041DACA Relevance: 21.1, Strings: 16, Instructions: 1128COMMON

Download Yara Rule

Strings

pqrs, xrefs: 0041E273
SRQP, xrefs: 0041E31D
pqrs, xrefs: 0041E4C5
gfed, xrefs: 0041E2FF
hijk, xrefs: 0041E237
tuvw, xrefs: 0041E269
`abc, xrefs: 0041E24B
wvut, xrefs: 0041E2D7
xyz{, xrefs: 0041E25F
,-./, xrefs: 0041E443
HIJK, xrefs: 0041E287
defg, xrefs: 0041E241
PQRS, xrefs: 0041E2C3
lmno, xrefs: 0041E4E3
VVZ`, xrefs: 0041E3AD
lmno, xrefs: 0041E22D

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ,-./$HIJK$PQRS$SRQP$VVZ`$`abc$defg$gfed$hijk$lmno$lmno$pqrs$pqrs$tuvw$wvut$xyz{
API String ID: 0-4259844150
Opcode ID: c05e8b2be86feaa69429dac1278eb537672adc3d07eb203c5182dab377d29760
Instruction ID: 6edab3831a676c65b5346b0794d5fdc330fee682ac90cd436dd138136671f69a
Opcode Fuzzy Hash: c05e8b2be86feaa69429dac1278eb537672adc3d07eb203c5182dab377d29760
Instruction Fuzzy Hash: A4A29AB4600B009FE720DF26C880BE7B7E2AF45705F54481EE9EA5B291DB39B485CF95

Function 00437DE0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 100clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00437DF0
GetWindowLongW.USER32 ref: 00437E15
GetClipboardData.USER32 ref: 00437E25
GlobalLock.KERNEL32 ref: 00437E44
GlobalUnlock.KERNEL32 ref: 00437F2E
CloseClipboard.USER32 ref: 00437F37

Strings

], xrefs: 00437EB5
c, xrefs: 00437EA1

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: ]$c
API String ID: 2832541153-3195450805
Opcode ID: 9d173db8625c292533a937b4ec308a27eb574b8c761597c8c21d12411735b29e
Instruction ID: f0355f79441650a0a2dfb925bc8775701aa76b8efccf3e07be0eb36c6224b3dc
Opcode Fuzzy Hash: 9d173db8625c292533a937b4ec308a27eb574b8c761597c8c21d12411735b29e
Instruction Fuzzy Hash: E841517550C7828ED311AF7C948531FBFE0AB96324F054A6DF4E986391D3388549CB97

Function 00431167 Relevance: 12.9, APIs: 4, Strings: 2, Instructions: 2395COMMON

Download Yara Rule

Strings

DEyv, xrefs: 00433101
CT"P, xrefs: 004329B6

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: CT"P$DEyv
API String ID: 0-2502682913
Opcode ID: a84dfd4050566295682649421f5760faad03067ec6b6a74ad0de1e7a051faa91
Instruction ID: 431c38d9bd3a7c6735da3ca242bad5345252c3ad66ca012962b032f7bb9076c0
Opcode Fuzzy Hash: a84dfd4050566295682649421f5760faad03067ec6b6a74ad0de1e7a051faa91
Instruction Fuzzy Hash: 28F2C0701047818FD7268F29C490B23FBE1EF1A315F18999ED4D68B792C77AE806CB65

Function 00401000 Relevance: 11.8, Strings: 8, Instructions: 1829COMMON

Download Yara Rule

Strings

@, xrefs: 00401840
gfff, xrefs: 00401EB6
gfff, xrefs: 00401E6F
A, xrefs: 00401D91
gfff, xrefs: 00401E04
0123456789ABCDEFXP, xrefs: 004014EE, 0040157C
0123456789abcdefxp, xrefs: 004014F7, 00401588
-, xrefs: 00401DCA

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$@$A$gfff$gfff$gfff
API String ID: 0-2771814109
Opcode ID: eee830bfda2d233a771dfd975141f7faa978a997b8c1b87711aac413b99c35f2
Instruction ID: 2498480ba6b5b8415727a7113cc8d1f2ebd9933ee789cd054bb499fd7dcc1bdb
Opcode Fuzzy Hash: eee830bfda2d233a771dfd975141f7faa978a997b8c1b87711aac413b99c35f2
Instruction Fuzzy Hash: B2D2E5716083418FD718CE29C49426BBBE2AFD9314F188A3EE4D99B3D1D778D906CB46

Function 00410690 Relevance: 10.5, Strings: 8, Instructions: 532COMMON

Download Yara Rule

Strings

\S, xrefs: 00410D0C
A{y, xrefs: 00410E00
R(, xrefs: 00410720
A{y, xrefs: 00410BF6, 00410BD3, 00410D56, 00410D33, 00410BDB, 00410D3B
$#, xrefs: 00410A9C
A{y, xrefs: 00410C6F, 00410C80, 00410C88, 00410C8C
sq, xrefs: 00410CCC
AQ, xrefs: 00410718

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: $#$A{y$A{y$A{y$AQ$R($\S$sq
API String ID: 0-1253197155
Opcode ID: 67392aa17aaf496b27799292926d0416478cfe0d9b3776bbfd582c162b3ffb75
Instruction ID: c8744994b336ed8796d2169cd055dc0108fc6d35be67ae44addff89cb22ae4a1
Opcode Fuzzy Hash: 67392aa17aaf496b27799292926d0416478cfe0d9b3776bbfd582c162b3ffb75
Instruction Fuzzy Hash: E31252B4109380ABD3209F55DA91B6FBBF4EF86B45F50882DF5C88B251D378D880DB5A

Function 0042CD08 Relevance: 10.5, Strings: 8, Instructions: 496COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0042D300
]ZS/, xrefs: 0042D359
4`[b, xrefs: 0042D270
Y", , xrefs: 0042D3E3, 0042D3E7
oB&V, xrefs: 0042D369
Y,u[, xrefs: 0042D371
?s27, xrefs: 0042D381
72O1, xrefs: 0042D379

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 4`[b$4`[b$72O1$?s27$Y", $Y,u[$]ZS/$oB&V
API String ID: 0-3181983892
Opcode ID: e5bfc5bf56ef9b586850b4494d77117ff740f303db6c4fe627894b075349ad6b
Instruction ID: c7714173f636146e9479f45cdbfd64f95855b45b88a278645e3d584f28d03ab1
Opcode Fuzzy Hash: e5bfc5bf56ef9b586850b4494d77117ff740f303db6c4fe627894b075349ad6b
Instruction Fuzzy Hash: 8AF10631A08351CFD3109F28E89072EB7E1AF8A315F58497DE895972A2D335DD44CB5A

Function 0042ABF9 Relevance: 10.4, Strings: 8, Instructions: 429COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0042B030
@[, xrefs: 0042AC95
MNO, xrefs: 0042AF20
KJML, xrefs: 0042B134
@{, xrefs: 0042ACAB
4`[b, xrefs: 0042B170
Rz, xrefs: 0042AC8A
w|, xrefs: 0042ACA0

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 4`[b$4`[b$@[$@{$KJML$Rz$w|$MNO
API String ID: 0-1623158609
Opcode ID: 0400599849dadb01626eda726d7a0d00c83ade12803c21656ab78e75da0c915e
Instruction ID: 0d5274147a009100e9f69bee6203c0e5e4e30e46d04de95bf5e006a81ed4453c
Opcode Fuzzy Hash: 0400599849dadb01626eda726d7a0d00c83ade12803c21656ab78e75da0c915e
Instruction Fuzzy Hash: 2CE198B56083818BE320DF14E880B6FBBF1FB85305F44492DF695972A2D735D844CB9A

Function 004278E0 Relevance: 9.4, APIs: 1, Strings: 4, Instructions: 621COMMON

Download Yara Rule

Strings

\A, xrefs: 00427FEE
tu, xrefs: 004279EA
bq, xrefs: 00427F0B
(M, xrefs: 00427FE7

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: (M$\A$bq$tu
API String ID: 0-1669698739
Opcode ID: 80540fe6eb13f791428253bdae1ec886e8beca1e1d8ea505e4215bcf766940b1
Instruction ID: 7e5d4be01749d98fec94da65f0d144c1e3e64fb0894ea9a14a900d121e3c7a48
Opcode Fuzzy Hash: 80540fe6eb13f791428253bdae1ec886e8beca1e1d8ea505e4215bcf766940b1
Instruction Fuzzy Hash: DD3251B4509351ABD710DF55E980A2FBBF0BF86748F40491DF895AB352D338E904CBAA

Function 0040DBF0 Relevance: 9.1, Strings: 7, Instructions: 321COMMON

Download Yara Rule

Strings

@A, xrefs: 0040DF96
TW, xrefs: 0040DFF7
9(0-, xrefs: 0040DDA3, 0040DDAB
Q]T_, xrefs: 0040DF8B
1,'&, xrefs: 0040DD74
!4-0, xrefs: 0040DD6C
D, xrefs: 0040DE2F

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: !4-0$1,'&$9(0-$@A$D$Q]T_$TW
API String ID: 0-528657158
Opcode ID: f83999a9e731f8dbcb79dc171e3d13602147dc98599bd6f6efd75ab4d13cf1b9
Instruction ID: dd5b631da12e9e24317945e72edf82b14a2171761ed38a2be2e3316825c547a1
Opcode Fuzzy Hash: f83999a9e731f8dbcb79dc171e3d13602147dc98599bd6f6efd75ab4d13cf1b9
Instruction Fuzzy Hash: A4C124B05083809BD311EF59D880A2FBBE4EB96744F104D2EF5D49B292D379D918CB67

Function 004015DE Relevance: 7.9, Strings: 6, Instructions: 403COMMON

Download Yara Rule

Strings

gfff, xrefs: 00401FE5
gfff, xrefs: 0040204B
+, xrefs: 00401FA7
gfff, xrefs: 00401FFA
0123456789ABCDEFXP, xrefs: 004015DE
0123456789abcdefxp, xrefs: 004015E7

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: +$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff$gfff
API String ID: 0-925659942
Opcode ID: 230964537ae32bca0b931bad37bb8585c799be153586adb52acdb34528e34338
Instruction ID: 0bbd2fdc5c3003afc5383300cdbe59139718eb5fc6d9f0d72bd4289b05a9f032
Opcode Fuzzy Hash: 230964537ae32bca0b931bad37bb8585c799be153586adb52acdb34528e34338
Instruction Fuzzy Hash: 17E1E2307083828BD718CE29C59476FBBE2AFD5304F18893EE586973E1DB79D8458746

Function 004013BC Relevance: 7.9, Strings: 6, Instructions: 355COMMON

Download Yara Rule

Strings

gfff, xrefs: 00401FE5
gfff, xrefs: 0040204B
-, xrefs: 00401FB0
gfff, xrefs: 00401FFA
0123456789ABCDEFXP, xrefs: 004013BC
0123456789abcdefxp, xrefs: 004013C5

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff$gfff
API String ID: 0-854689426
Opcode ID: 7af6b2e3b8783617a8b018d959a36356fefbf13e282cd0d868156f431fa2743b
Instruction ID: a04efb390cbaf254fc0f390cee4a826e3a66b79c4635c3109147dfa87f5857e7
Opcode Fuzzy Hash: 7af6b2e3b8783617a8b018d959a36356fefbf13e282cd0d868156f431fa2743b
Instruction Fuzzy Hash: D4D1B3316083828FC319CE29C58466BFBE2AFD5308F188A3EE499973D2D779D945C746

Function 0042D46E Relevance: 7.6, Strings: 6, Instructions: 81COMMON

Download Yara Rule

Strings

]ZS/, xrefs: 0042D359
Y", , xrefs: 0042D3E3, 0042D3E7
oB&V, xrefs: 0042D369
Y,u[, xrefs: 0042D371
?s27, xrefs: 0042D381
72O1, xrefs: 0042D379

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 72O1$?s27$Y", $Y,u[$]ZS/$oB&V
API String ID: 0-4052876082
Opcode ID: d70bf1c1f63042cca91e0f0d96952224449d1d71b1906fdab94c8129b85aa0fc
Instruction ID: 255cf168559f10be7d1175cf8988301fb32433d8d6dbced94f32dc3915239b59
Opcode Fuzzy Hash: d70bf1c1f63042cca91e0f0d96952224449d1d71b1906fdab94c8129b85aa0fc
Instruction Fuzzy Hash: E1215C72908351DFC710DF59E480A2FFBE4AF95705F544A1EE8C5AB212C335E9418B9B

Function 00401379 Relevance: 7.2, Strings: 5, Instructions: 945COMMON

Download Yara Rule

Strings

@, xrefs: 0040292D
0, xrefs: 004022FF
0, xrefs: 00402573
i, xrefs: 00402A4A
0, xrefs: 00402238

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 0$0$0$@$i
API String ID: 0-3124195287
Opcode ID: 6efd4f3583b4206f53e5c158b0d5e9249ce92d80171d7db26026ad389132eb42
Instruction ID: 5f7c97cdea22e9e7ae5e923233e649b6b477c0ba0492bf097f20bb8c24429b32
Opcode Fuzzy Hash: 6efd4f3583b4206f53e5c158b0d5e9249ce92d80171d7db26026ad389132eb42
Instruction Fuzzy Hash: 2572F5716083428BD709CF28C69472BBBE2ABD5304F188A3EE499973D1D7B8DD45CB46

Function 00431AC3 Relevance: 6.2, APIs: 2, Strings: 1, Instructions: 975COMMON

Download Yara Rule

Strings

{htM, xrefs: 00432097

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: {htM
API String ID: 0-2558583750
Opcode ID: 460e044c8e79f566fc65c807583dec1c3af10e9fc9010db1aa9919553b56872c
Instruction ID: 2e9d4f9b72aba7c047a4d8f56b5a49fef9b2a80b7b71dc117562085e0f476b46
Opcode Fuzzy Hash: 460e044c8e79f566fc65c807583dec1c3af10e9fc9010db1aa9919553b56872c
Instruction Fuzzy Hash: 9B628E701047818FD7258F29C550B23BBE1FF5A315F18998ED8DA8B792C379E806CB69

Function 00438247 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0043827D
GetSystemMetrics.USER32 ref: 0043828C

Strings

, xrefs: 00438337

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 685b0eab73d45fe6766972de414d355aecf0d4d749a3e166455b2a9a6706c085
Instruction ID: 2b3d388066a84b55b2792eb91a5522e2e062081d1c1fcb7522abf6f00e1b7a8b
Opcode Fuzzy Hash: 685b0eab73d45fe6766972de414d355aecf0d4d749a3e166455b2a9a6706c085
Instruction Fuzzy Hash: 1E319DB49182408FDB00EF79E98561DBBF0BB89304F11892DE498DB361D774A958CF86

Function 00426D6F Relevance: 4.5, Strings: 3, Instructions: 742COMMON

Download Yara Rule

Strings

J[, xrefs: 00426E97
!6, xrefs: 00426E7F
KJML, xrefs: 00427368

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: !6$J[$KJML
API String ID: 0-3728117715
Opcode ID: 8abb31946a3727c284634766d95644f54f309af86dd5d5221ada2c424e40996c
Instruction ID: 2a25dcf092121437f70d10bafa5ed34f364bcf50a3894fec681a7a5b2b557070
Opcode Fuzzy Hash: 8abb31946a3727c284634766d95644f54f309af86dd5d5221ada2c424e40996c
Instruction Fuzzy Hash: 6742CF75618352DFD714DF28E890A2AB7E1FF89306F49893DE88587392D738E850CB49

Function 004313A6 Relevance: 4.3, Strings: 3, Instructions: 583COMMON

Download Yara Rule

Strings

;40&, xrefs: 004318B0
0<)), xrefs: 004318B7
??8:, xrefs: 004318A9

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 0<))$;40&$??8:
API String ID: 0-1871281168
Opcode ID: bb6ced92a76976bc0f6e71e20fadc19b4c1d3bf0cce70c7e2194d211575c0c01
Instruction ID: 3172d921e78812b1c050acba91b436dc1560753df1098f0e0238a6ec08d5474b
Opcode Fuzzy Hash: bb6ced92a76976bc0f6e71e20fadc19b4c1d3bf0cce70c7e2194d211575c0c01
Instruction Fuzzy Hash: 33223CB48047809FD721EF29C142612BFB0AF16304F149A9ED8EA4F756D335E41ACFA6

Function 0042D4B0 Relevance: 4.2, Strings: 3, Instructions: 469COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0042DAE0
x~, xrefs: 0042D56C
@A, xrefs: 0042D8F6

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 4`[b$@A$x~
API String ID: 0-2557465156
Opcode ID: 073005090305d545b1cbc3f2214bbd6cd078a91ecc16a1324ff3c88742bb796a
Instruction ID: 71ce8913d7d35e2993ed1d7f5b34bd7b3a43d49ef706b87aeae4491ce3041307
Opcode Fuzzy Hash: 073005090305d545b1cbc3f2214bbd6cd078a91ecc16a1324ff3c88742bb796a
Instruction Fuzzy Hash: E0F187746083819BD310DF54E890A1FFBF1AB85345F50882DF4C89B2A2D778D985CB9A

Function 00445643 Relevance: 3.8, Strings: 3, Instructions: 72COMMON

Download Yara Rule

Strings

:*, xrefs: 004456BE
%*, xrefs: 004456B0
3<, xrefs: 004456B7

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: %*$3<$:*
API String ID: 0-1794941600
Opcode ID: 37c0f990a05873117df136335eaf1b53f4f50d15036727b40a038832b769ff6e
Instruction ID: aab5561eedbb3972e5759fa3252ad924d383d29413a1e46feb6a5c27c627f847
Opcode Fuzzy Hash: 37c0f990a05873117df136335eaf1b53f4f50d15036727b40a038832b769ff6e
Instruction Fuzzy Hash: CF21F5B6D007419FDB11DF65FC8052EBBB2AF15309F54446DE085A7263D734DA04CBAA

Function 0041D1CC Relevance: 3.1, Strings: 2, Instructions: 637COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0041D8B0
4`[b, xrefs: 0041D7E0

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 4`[b$4`[b
API String ID: 0-3640500014
Opcode ID: d5917c9b9d8350f3beb215bd5d8f9cbab930d6248480d37619cee77ce1b37d2b
Instruction ID: 12a80d30757b39ce965187c26aedd0054ae26030b4092d981c5a7fbdf15fc6cd
Opcode Fuzzy Hash: d5917c9b9d8350f3beb215bd5d8f9cbab930d6248480d37619cee77ce1b37d2b
Instruction Fuzzy Hash: D9128AB4600B019FD7249F24C881BA3B7F1FF4A305F14892ED4968BB51E739B895CB98

Function 00413E12 Relevance: 3.0, Strings: 2, Instructions: 487COMMON

Download Yara Rule

Strings

pAA, xrefs: 0041414C
&, xrefs: 004142C0

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: &$pAA
API String ID: 0-465269442
Opcode ID: f9196285db1c2b1127061fd708780623d171e5f0f70249608e66ea73976e410d
Instruction ID: 9a3263a6cd5681526376c4214b88087064958140d7f445b17b052180b7fa6ec6
Opcode Fuzzy Hash: f9196285db1c2b1127061fd708780623d171e5f0f70249608e66ea73976e410d
Instruction Fuzzy Hash: F1F1C0B19083019BC710DF28D88065FBBF1EF96348F14482EF585973A1E73AD985CB4A

Function 00403660 Relevance: 2.9, Strings: 2, Instructions: 419COMMON

Download Yara Rule

Strings

NaN, xrefs: 004036BE
Inf, xrefs: 004036B7

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: Inf$NaN
API String ID: 0-3500518849
Opcode ID: 34741a97254cca60cdf124d19751835b0456ddc72c0aa204760701693f181364
Instruction ID: 9f6e1609bf5ae3c939bd6f7d3d1e83053a0e02d0ae6046eec7f82b72232bd5e1
Opcode Fuzzy Hash: 34741a97254cca60cdf124d19751835b0456ddc72c0aa204760701693f181364
Instruction Fuzzy Hash: 25D1D8B2A183019BC704CF29C88061BBBE5EBC4751F258A3EF895A73D0E775DD458B86

Function 00409442 Relevance: 2.9, Strings: 2, Instructions: 404COMMON

Download Yara Rule

Strings

8, xrefs: 00409790
0, xrefs: 00409798

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 487e8e5503fc753536f2b589286d07810250f4190d30f8b03a4b485db3e395b3
Instruction ID: c85003599182c64deaf94edeb78d34fa1772c28eaf23bdad4ca749f7a16dacfb
Opcode Fuzzy Hash: 487e8e5503fc753536f2b589286d07810250f4190d30f8b03a4b485db3e395b3
Instruction Fuzzy Hash: D3025435209380EFD744CF29D880A8ABBF1BF9A304F49886DF98887362D375D955CB56

Function 00409269 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

8, xrefs: 00409790
0, xrefs: 00409798

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 8e40a435cd7dba42a333ad6edde212d45be7a34a2a928684b85601fa1d971ce9
Instruction ID: d53cd1ae9a89fc06510ae64533198426cc7ad23e7e444a7287cf69d98f7a29b3
Opcode Fuzzy Hash: 8e40a435cd7dba42a333ad6edde212d45be7a34a2a928684b85601fa1d971ce9
Instruction Fuzzy Hash: ABE14375209380EFD754CF29D880A4ABBF1BF9A304F49886CF98887392C775D955CB92

Function 004153E5 Relevance: 2.8, Strings: 2, Instructions: 284COMMON

Download Yara Rule

Strings

f, xrefs: 004155F3
G, xrefs: 004153E5

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: G$f
API String ID: 0-3568688445
Opcode ID: a3ab0d2a502cf9106bb1aae3365b7da690da5bf7a0c62a3cd38cbde2f1fff53a
Instruction ID: 877b337062b1dc3f477628eebd9f265be636e1b3d7748023da3c56bbf5271b67
Opcode Fuzzy Hash: a3ab0d2a502cf9106bb1aae3365b7da690da5bf7a0c62a3cd38cbde2f1fff53a
Instruction Fuzzy Hash: 01A1F674508341AAD3109B18D485B9FFFF1EFD6394F54881EF58897262E33AD884CB5A

Function 00436560 Relevance: 2.8, Strings: 2, Instructions: 270COMMON

Download Yara Rule

Strings

0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 004367ED
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081, xrefs: 00436802

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
API String ID: 0-423013716
Opcode ID: 7253c76481f33b098a2e10bccb67d40fc3a086e792de9899d840be045cd895e3
Instruction ID: 220d6d31cb5a513c44074931160bcf69eb2b159beb9c0f2167700cfe38dabb36
Opcode Fuzzy Hash: 7253c76481f33b098a2e10bccb67d40fc3a086e792de9899d840be045cd895e3
Instruction Fuzzy Hash: A0914836E095925BCB199E3C8C513B97A925B5F330F3ED37BD8B19B3D5C22948028369

Function 0042E7F6 Relevance: 2.6, Strings: 2, Instructions: 72COMMON

Download Yara Rule

Strings

'M, xrefs: 0042E820
b, xrefs: 0042E827

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 'M$b
API String ID: 0-918009818
Opcode ID: 2aed94cd68272353eaa7926337b26d923203a4ea1e1e923335ff6a154fc774ce
Instruction ID: 1eb4dd26338a116d3a02ef21deea54923209418d33dba73ba1f9f06d3624bc32
Opcode Fuzzy Hash: 2aed94cd68272353eaa7926337b26d923203a4ea1e1e923335ff6a154fc774ce
Instruction Fuzzy Hash: D411817060C3908BC311EF16A09062BFBE5AF82705F680C5EE5D19B302C37AC9198B6B

Function 00412D20 Relevance: 2.1, Strings: 1, Instructions: 866COMMON

Download Yara Rule

Strings

ku, xrefs: 0041357D

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ku
API String ID: 0-3888063776
Opcode ID: 3fdf127da7069fa47e7b38ab17b01e00c79b8925519393abf646223ceba5f871
Instruction ID: fc4d39177779672566225db54df6da41b44001f0f112bd7ad3de96eb399ccf6b
Opcode Fuzzy Hash: 3fdf127da7069fa47e7b38ab17b01e00c79b8925519393abf646223ceba5f871
Instruction Fuzzy Hash: 2042B0719083019BD710DF28D88065FBFF4EF86358F14482EF58997262E739D985CB9A

Function 0041FD80 Relevance: 2.0, Strings: 1, Instructions: 705COMMON

Download Yara Rule

Strings

+*), xrefs: 00420583, 0042058B

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: +*)
API String ID: 0-1463337533
Opcode ID: 6376dd04eb4d4f38e522e2b32bcb2e79d8f3c61078d1b186782db861d1327d09
Instruction ID: ac801d31a26a3995267328474ff1f26110edfa6b5badc64f71841a4a04965ee2
Opcode Fuzzy Hash: 6376dd04eb4d4f38e522e2b32bcb2e79d8f3c61078d1b186782db861d1327d09
Instruction Fuzzy Hash: 602299B45083509BD300AF58E881A6FBBF0EF96744F44891DE4C49B3A2D379D944CBAB

Function 00443B90 Relevance: 1.8, Strings: 1, Instructions: 575COMMON

Download Yara Rule

Strings

f, xrefs: 00443D58

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: f
API String ID: 0-1993550816
Opcode ID: e040c5057a3f72cd900cf1fe2fb5ff4faa927d87cbee2c36149412e56dde13ef
Instruction ID: 02c3e65df5dc82e77de20384eefab9ec62934292274990bd2c401de9fd9cb8ca
Opcode Fuzzy Hash: e040c5057a3f72cd900cf1fe2fb5ff4faa927d87cbee2c36149412e56dde13ef
Instruction Fuzzy Hash: AC12AC715083409FE714CF18C880B2FBBE5BB89719F188A2EF5959B391D739DA04CB96

Function 00404DB0 Relevance: 1.8, Strings: 1, Instructions: 558COMMON

Download Yara Rule

Strings

%1.17g, xrefs: 00405170

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: %1.17g
API String ID: 0-1551345525
Opcode ID: aa9f1a21c995dff2338998c3e63092040a1ae2211e0ebbc115654cb93b89609f
Instruction ID: 6408a4430cc46c3a6ef511aa180ff04010dd97372e51880bce6f64ef2deecd4d
Opcode Fuzzy Hash: aa9f1a21c995dff2338998c3e63092040a1ae2211e0ebbc115654cb93b89609f
Instruction Fuzzy Hash: AB12F875A08B418BD7158E18844032BBBE2EFE1304F19857FD895AB3C1E7B9DC45CB8A

Function 00425EF0 Relevance: 1.8, APIs: 1, Instructions: 259comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0044CB80,00000000,00000001,0044CB70), ref: 00425F19

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 8e4d19bf807ef0195fa8bceccf05a9af39792f6acccdeb64a95ca69e6c9b1448
Instruction ID: 24ee66b28e91cc2c8977140821d827580296eb0a0c3a1e65ec68243aab2125ab
Opcode Fuzzy Hash: 8e4d19bf807ef0195fa8bceccf05a9af39792f6acccdeb64a95ca69e6c9b1448
Instruction Fuzzy Hash: 2D61DCB17002219BDB209F64DC92B7773A8EF85314F09452DF98ACB291F779E840C76A

Function 00447D70 Relevance: 1.7, Strings: 1, Instructions: 407COMMON

Download Yara Rule

Strings

P, xrefs: 00447F13

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: c20880023a5c27023bee3f1247dd408a660cdaf958e019c7c0263b056b29c3b8
Instruction ID: a6c4e31680c5805766badd30ffe1e12194a7ce8dfeb74f8f89fe91fa79627422
Opcode Fuzzy Hash: c20880023a5c27023bee3f1247dd408a660cdaf958e019c7c0263b056b29c3b8
Instruction Fuzzy Hash: 18D1D67290C2604FD725CE18989071FB6E1EBC5718F168A3DE8A5AB380DB79DC46C7C5

Function 0042FD10 Relevance: 1.6, Strings: 1, Instructions: 396COMMON

Download Yara Rule

Strings

", xrefs: 0042FFF8

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 784b5130c64c8c48357e978bc1772135aee257f53ddad6a8b07dd3f41cbacca3
Instruction ID: 8a869f11ebd8bbb994c18ceb502fc588c1dfcb42bf542e4d653c0931b03b5454
Opcode Fuzzy Hash: 784b5130c64c8c48357e978bc1772135aee257f53ddad6a8b07dd3f41cbacca3
Instruction Fuzzy Hash: C7C136B2B043119BD7158E24D49076BB7F5AF85314F998A3FE89987382E73CDC098786

Function 00415081 Relevance: 1.6, Strings: 1, Instructions: 352COMMON

Download Yara Rule

Strings

rMA, xrefs: 00415065

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: AllocateHeap
String ID: rMA
API String ID: 1279760036-3963102562
Opcode ID: afd3db6b1d9c71f6c1a9615515b1e9b1ebc32e34958f437114d1f46ae9a93a8a
Instruction ID: 61801b64b76c2e54a6415a8b4b0c096645e279bd43305c8829362a52495bd3de
Opcode Fuzzy Hash: afd3db6b1d9c71f6c1a9615515b1e9b1ebc32e34958f437114d1f46ae9a93a8a
Instruction Fuzzy Hash: 92C1CF75608312CBC714CF18C880AABB7F2FFD9714F19856EE485873A5E7389991CB46

Function 0043F2AC Relevance: 1.5, Strings: 1, Instructions: 296COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0043F4A0

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: 0b881855c6a97d7c5a77e23d3980c573fcc28612c0004cb89a9f9d7cf5a33e6f
Instruction ID: 4dd198a39bd733c52ebde65f0b5763d0f106c2a07d20f822aa20662818375c1a
Opcode Fuzzy Hash: 0b881855c6a97d7c5a77e23d3980c573fcc28612c0004cb89a9f9d7cf5a33e6f
Instruction Fuzzy Hash: 3991EE72A04215CFDB14CFA8D8907AFB7B1FB89306F14883EE51697292D379D905CB54

Function 004483F0 Relevance: 1.5, Strings: 1, Instructions: 295COMMON

Download Yara Rule

Strings

Pabc, xrefs: 0044856B

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: Pabc
API String ID: 0-539773038
Opcode ID: fa7c04be828a2432081a9e7be923ec4345e1aab41b16938aee436436347d590f
Instruction ID: aef4fcaa6a85ae55d130a5bc648f57aba88fd5ce1a65361f3b5a042c6c7bf656
Opcode Fuzzy Hash: fa7c04be828a2432081a9e7be923ec4345e1aab41b16938aee436436347d590f
Instruction Fuzzy Hash: A391F2B5A08202CFDB04CF58D99066EB7B1FF89352F19486DD885A7351C374EE10CBA6

Function 004474C0 Relevance: 1.5, Strings: 1, Instructions: 288COMMON

Download Yara Rule

Strings

4`[b, xrefs: 004476E0

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: 4`[b
API String ID: 2994545307-3962175265
Opcode ID: eca3f27e3da1e6f9015881f4dcf11376f86e9a452c8b60de597b953f4acec9b1
Instruction ID: 09b9f34eb052b01ba082ac6d7aef20cb2f33ccc2ba28b49ca2baec844bbe62bd
Opcode Fuzzy Hash: eca3f27e3da1e6f9015881f4dcf11376f86e9a452c8b60de597b953f4acec9b1
Instruction Fuzzy Hash: B6A1AD7160C341ABE720DB19C881B6FBBE1EB89355F548C2EF58497352E734E841CB9A

Function 0042F5D0 Relevance: 1.5, Strings: 1, Instructions: 253COMMON

Download Yara Rule

Strings

", xrefs: 0042F836

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 57fd4449aa32aaf9c518165ed4b054b0807d9bc42b656f856b1c71475467dfc6
Instruction ID: 0bb2159ff0f0aae890ba678f7f631fc362358c0ce6aef23b65b5806ee1124400
Opcode Fuzzy Hash: 57fd4449aa32aaf9c518165ed4b054b0807d9bc42b656f856b1c71475467dfc6
Instruction Fuzzy Hash: 3671ED32B047314BD7249D6DA98021BB6E3ABC5730FD9C77AE8648B3E5D7788C0A4749

Function 004362B0 Relevance: 1.5, Strings: 1, Instructions: 244COMMON

Download Yara Rule

Strings

0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 00436389

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
API String ID: 0-442858466
Opcode ID: 83a08048a6e46e9e2b9576638f472dc4e4c161d428f535f792cd550b56cb5fc5
Instruction ID: 6b73f231b8c2899efd31550edadb09dcd8ae747ab8f6d8b12bd2ef0adb89132c
Opcode Fuzzy Hash: 83a08048a6e46e9e2b9576638f472dc4e4c161d428f535f792cd550b56cb5fc5
Instruction Fuzzy Hash: 7C712537B155926BC7248E7C4C412AAAA531BEA334B3FD377DC719B3D5C6298C024395

Function 004378C0 Relevance: 1.5, Strings: 1, Instructions: 242COMMON

Download Yara Rule

Strings

0, xrefs: 0043791B

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: f3dcf3ce66a0237ef4315a7f533f402efff159f98205964269ad886de511a010
Instruction ID: 13f26a4241b994f0b92ad71affdc70fcf37ed744033f513335e096c96ae73cf8
Opcode Fuzzy Hash: f3dcf3ce66a0237ef4315a7f533f402efff159f98205964269ad886de511a010
Instruction Fuzzy Hash: 05717777B0DA9047D328597C4C523B96A934B9A334F2DD3BEE9F18B3E1C52C49068249

Function 004472C0 Relevance: 1.4, Strings: 1, Instructions: 183COMMON

Download Yara Rule

Strings

4`[b, xrefs: 00447480

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: ee26ac0454014b8dbd70989fcf6e4ce1e80dad31d5681ba4f038ae1f6afbae8a
Instruction ID: 8ec4acbdec72fe2b7a16d44514e064f317dc58c936fdbb19920c26003c37d9a3
Opcode Fuzzy Hash: ee26ac0454014b8dbd70989fcf6e4ce1e80dad31d5681ba4f038ae1f6afbae8a
Instruction Fuzzy Hash: BE51D33160C2109BE7149E19CC90B2EBBE1EF85719F248A2DE9D55B392C739DC11C7AA

Function 00449A10 Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

@, xrefs: 00449A90

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 7ea6179726910335d31d38e1c0b5ac9b7918f51674ab7a8ef1577102009c116e
Instruction ID: 4e80274fb9a3a095fb5014997246bd1c6b51eafc0e42ba671f9ab8c5bff91032
Opcode Fuzzy Hash: 7ea6179726910335d31d38e1c0b5ac9b7918f51674ab7a8ef1577102009c116e
Instruction Fuzzy Hash: D931AE719083448BE314DF18D840A1FBBE5FFC9319F14C92DE58897241D779A908CB9A

Function 0042C5E3 Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

3<<3, xrefs: 0042C68A

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 3<<3
API String ID: 0-579374158
Opcode ID: a440403e9eff1357533c6402479118ab43cf603dddb0caae0cfa7bc94ace8b0f
Instruction ID: 8e956f948da48dc9f1c80ce0d7815a79e6ceb87f8755f9f8201be415072e1251
Opcode Fuzzy Hash: a440403e9eff1357533c6402479118ab43cf603dddb0caae0cfa7bc94ace8b0f
Instruction Fuzzy Hash: 6E31BC7440C390CFD324DF65E894B1FBBE0AF89305F464AADE1849B262DBB4C900CB96

Function 0040BC60 Relevance: .8, Instructions: 839COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a61cf8f9557713318e1927bc6a82629a140bba5c72cb8e1fc4a54313479d097
Instruction ID: 7aef5516330c16faf0c0e219547b9ca1f62e5a0c33f988676078ef9afd16876e
Opcode Fuzzy Hash: 3a61cf8f9557713318e1927bc6a82629a140bba5c72cb8e1fc4a54313479d097
Instruction Fuzzy Hash: 7452A231618311CBC725DF18D48026BB3E2FFD4314F298A3ED996A7385D739A855CB8A

Function 0040B150 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61c962738f6f5a3e3081c00ac1b01727c29e756136dbd0a8250a359abaf8a384
Instruction ID: 314f4cd21fe8e67b5289b78dcad843c0a4f505951129d3f57cfb3cc2c1067db8
Opcode Fuzzy Hash: 61c962738f6f5a3e3081c00ac1b01727c29e756136dbd0a8250a359abaf8a384
Instruction Fuzzy Hash: B1529F70A087889FE735CB24C4847A7BBE1EB91314F14487EC5D616BC2D37DA985878E

Function 00406F00 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b06f627f8f7063155f207e74ffce46a74d4b27d2ae33735865de5c38f21a1d3
Instruction ID: 88a4d8245188224da6c9b751cf84f3cedcc9263f93c1a029c290f0b4892f016f
Opcode Fuzzy Hash: 6b06f627f8f7063155f207e74ffce46a74d4b27d2ae33735865de5c38f21a1d3
Instruction Fuzzy Hash: A452C43190C3458FCB15CF14C4906AABBE1FF89314F198A7EE89967391D778E849CB86

Function 00407900 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18fa1045b97ec4fdc939129d5411673796127453c2a3e71193d93f43fcda9784
Instruction ID: 8b0ac580ad8a8574a2948a7e2fdf740ac116199dd3d12de69255e2921599d298
Opcode Fuzzy Hash: 18fa1045b97ec4fdc939129d5411673796127453c2a3e71193d93f43fcda9784
Instruction Fuzzy Hash: A0322570A19B118FC328CF29C68052ABBF1BF45310B604A2ED69797F90D73AF845CB59

Function 0040A0C0 Relevance: .4, Instructions: 424COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60dfa090c44278e5d20a68f1fa3937b32f657ebf4f912e448e8ba26d65979fb0
Instruction ID: 75344489bc0ab57383807ea6085cebb7762d72aa5257d1ff4e7be1646f7b2927
Opcode Fuzzy Hash: 60dfa090c44278e5d20a68f1fa3937b32f657ebf4f912e448e8ba26d65979fb0
Instruction Fuzzy Hash: 14F19B312087419FC724CF29C981A2BBBE2FFA9304F04892DE4D557791E279E954CB9B

Function 0040C9D0 Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a069a071a93173e372eb9129e20244f868db9177c79cfb590b5fda3a74f84e0b
Instruction ID: ecefbda50fc47329cf713b84cd99d92f8c4c1583b38e74876665eb8b92c08c13
Opcode Fuzzy Hash: a069a071a93173e372eb9129e20244f868db9177c79cfb590b5fda3a74f84e0b
Instruction Fuzzy Hash: 8DA10B72F085618BC3218B2CD8C125A76D29BC1760F5A8777D8D9EB3D5E63D8C424BC9

Function 004487D0 Relevance: .3, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0c455671bd025d005b433a51e0469e8370d01ca9758abecacc609c87ea03e06
Instruction ID: ac7e3f3e6e5479c3e065bd175b5e69573bc02051851fa4942dbc11871dacde35
Opcode Fuzzy Hash: d0c455671bd025d005b433a51e0469e8370d01ca9758abecacc609c87ea03e06
Instruction Fuzzy Hash: 80B1BC71A04245DFDB04CFA8D590AAEBBF1EF0A346F15446DE982A7352C734EE10CBA5

Function 00447870 Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a3813e14db77b2cb9a3450bf8720e81b5ad4722adca260fba7699b3dbb7163d
Instruction ID: b7dd3dd3e325cf7d86234c861d4e01d0f23829e1fbe39d38d7a171eb711173df
Opcode Fuzzy Hash: 0a3813e14db77b2cb9a3450bf8720e81b5ad4722adca260fba7699b3dbb7163d
Instruction Fuzzy Hash: C8B1C372A083504FE714DB29CC8176FB7D5ABC4318F08492EE998D7341EB38ED05879A

Function 0041447C Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4ead3a5117cc22d77092f48ed3b258af8e8bb16c4443d8aad8c1d6722b27ca9
Instruction ID: 98cd01fbc211ca26a9a869fa2a2d8f1f3adceaf59c644c3df58db15ce422b046
Opcode Fuzzy Hash: b4ead3a5117cc22d77092f48ed3b258af8e8bb16c4443d8aad8c1d6722b27ca9
Instruction Fuzzy Hash: 8AB14BB4508341ABD7209B19D880B5FBFF5EFC6399F14482EF58897261E335D884CB56

Function 0040ACC0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d70e885100ee8c3020c2e8fccf12862dbe80f03903c8207277d6c2c14b44affc
Instruction ID: f95c4eb077f802b15b38e419b6c9903c98f03582394647806fb540568b8ecc18
Opcode Fuzzy Hash: d70e885100ee8c3020c2e8fccf12862dbe80f03903c8207277d6c2c14b44affc
Instruction Fuzzy Hash: D8C15BB29587418FC360CF28CC967ABB7E1EF85318F08492DD1D9D6342E778A155CB4A

Function 0044A120 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79433791699559868bdc0e945731e2f0696389a7b63cbe2b23ccd72ca7b612b1
Instruction ID: 8a2416afe2d281282f79af28e7c17a7bb68b599a179966db40d42b9256853c7f
Opcode Fuzzy Hash: 79433791699559868bdc0e945731e2f0696389a7b63cbe2b23ccd72ca7b612b1
Instruction Fuzzy Hash: A691BD316083429BE715DF28D850A2FB3E5FF89704F09892DE9819B351E779EC60C78A

Function 00449E50 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e19f8f2b447ff0d1c2a569f4bce7e06867d892fae1498706663e8fd8c7be0b1
Instruction ID: b9b7456e3e898ae08c004736da61932c89a793899f8116ecdeab59140d642e04
Opcode Fuzzy Hash: 3e19f8f2b447ff0d1c2a569f4bce7e06867d892fae1498706663e8fd8c7be0b1
Instruction Fuzzy Hash: AE81AE742083019BE724DF28C890A2BB7E5EF89705F15892DE585CB351E739EC64CB9A

Function 00437B70 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74259509137ecbd170bebebc6b90cf9cbd4d3917857fe4a9d87c816acedd5751
Instruction ID: 1a6c7fdaf38ec976c2c369d65c5c2586402de98e218efd40911625752064d79d
Opcode Fuzzy Hash: 74259509137ecbd170bebebc6b90cf9cbd4d3917857fe4a9d87c816acedd5751
Instruction Fuzzy Hash: 7561086664D5814BD338593C4CA13B97A834F9A334F2CA76FE5F28B3D1D95D4802534A

Function 00444590 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0ca1b8d9a77166c1b677160230efae4332d9d52c123e1580d5caf22b2cf80d5
Instruction ID: 3cae9a0a0be4668727b7c9228231acf60a3d008ecc8f7892d8ba5f887888d518
Opcode Fuzzy Hash: a0ca1b8d9a77166c1b677160230efae4332d9d52c123e1580d5caf22b2cf80d5
Instruction Fuzzy Hash: F961E0706083419BE710EF24D880B2BF7E2EFC6315F14892EE5D587391D739D8528B5A

Function 0043DF50 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52b175e41cfd5ab1b094b902e4e44bd05e6eb5a9d545e058933407e74115153e
Instruction ID: 92c67c4e5af2dbbff1c1cee7358f4c69d2d347d391894fccd4dbc5f215fc2c88
Opcode Fuzzy Hash: 52b175e41cfd5ab1b094b902e4e44bd05e6eb5a9d545e058933407e74115153e
Instruction Fuzzy Hash: 7A517EB15083548FE314DF69D89435BBBE1BB88318F044E2EE4E587391E379D9088F86

Function 0040E080 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69857838e868ea496fe3d781a8cf842591430edccf156ceb08f937b33f4bfcbd
Instruction ID: ab039a02a80f314ee8e2ea8da21cf5423e65df38b0b33378e975f8c554cc3564
Opcode Fuzzy Hash: 69857838e868ea496fe3d781a8cf842591430edccf156ceb08f937b33f4bfcbd
Instruction Fuzzy Hash: A951253775A59147D328853E4D52266AA870FE3338B3ECB7FE4B19B3E0D17D8812424A

Function 0042CB0F Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bac44cf3505dbcf4aa9a0a94cad5d61f857b3b9226d4ef241e6036a54cf836ea
Instruction ID: b9503aa01e90e9fc89794a2b406f85230356ea0952fa98618da69fe5ca16201b
Opcode Fuzzy Hash: bac44cf3505dbcf4aa9a0a94cad5d61f857b3b9226d4ef241e6036a54cf836ea
Instruction Fuzzy Hash: 5E510D72A14B194BC719CE2DE89163FB6D2ABC4200F89863DDD578B385EF34AC14D785

Function 00408FCE Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702f50885f32e11826bfd141c7e6d9b53a87974598372aa5a53bc35ead145edc
Instruction ID: 0c096bf0a48a2ece951580887aff841bcef34a043dc188dd79488093ae476539
Opcode Fuzzy Hash: 702f50885f32e11826bfd141c7e6d9b53a87974598372aa5a53bc35ead145edc
Instruction Fuzzy Hash: 3F616679608301CFE708CF29D890B5AB7E1BB89318F08893DE55A87382D739E955CF56

Function 00443460 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b668032edd1ea6c30fbd6c0aba6a1b590ea9d65feef40b7cdc0df1040a1f0ec5
Instruction ID: 4ca86fcfcbd5e98f9933c92f7d78254957d96a8f55c19efe3dbc893325ad8b40
Opcode Fuzzy Hash: b668032edd1ea6c30fbd6c0aba6a1b590ea9d65feef40b7cdc0df1040a1f0ec5
Instruction Fuzzy Hash: 6A51E430208240ABEB25DF55D940A2FF7E5EF95B0AF14882EE4C587352D739DD11CB6A

Function 00405680 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7c923bc061d144724924eee631eaffe2068d6121532fb1150f4d2eba213ac55
Instruction ID: 3f1097353d39c9b448db8e08d4b72fe7c57717c1b2b34319a097bad04f492d00
Opcode Fuzzy Hash: e7c923bc061d144724924eee631eaffe2068d6121532fb1150f4d2eba213ac55
Instruction Fuzzy Hash: C351DF75A04600DFC714AF19C88091BB7A5FF85314F15897EE899AB382D735EC51CF8A

Function 00449700 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dfbf597b608cc15cacbee23e73db1ebb21a7d587858155800cb759a7bd94348
Instruction ID: 46b514fad9d4ba0e836b30754f09da1419994bf251a08d8feb48d13db406a25e
Opcode Fuzzy Hash: 8dfbf597b608cc15cacbee23e73db1ebb21a7d587858155800cb759a7bd94348
Instruction Fuzzy Hash: 1D41E074618300AFE714AF19D880B2FBBA5EF86315F24882DF4899B342D339DC10DB5A

Function 00449890 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9c0e24556b4ef4febd49ed4adf29d4457dd6e53382b3f6347526e291ff77a51
Instruction ID: 6e052296fd0dcab2690fd0caa101b1b27cd14735985a9a16b53f1f5c13408776
Opcode Fuzzy Hash: d9c0e24556b4ef4febd49ed4adf29d4457dd6e53382b3f6347526e291ff77a51
Instruction Fuzzy Hash: A441BFB4608340AFE7149F19D890B2FF7A5EF86315F24882DE4899B382D335DC10DB5A

Function 00410ED0 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb018dc5399fef440a0a5bfc226585ef88f1009858cf4be889dd5e2cbe02a3a6
Instruction ID: 913b025f19300ea14e8e7db3c1f92cb7c94e5d626d7874abcda0b3d936cdedf8
Opcode Fuzzy Hash: fb018dc5399fef440a0a5bfc226585ef88f1009858cf4be889dd5e2cbe02a3a6
Instruction Fuzzy Hash: CC415872A0C3540FD358DE3A889422BBBD2AFC5210F08C63EF1E587391E6B4C986D755

Function 00443010 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85d9c80b181140885a4e23291525b207c8202a98c8176bc804c0305fb56249e6
Instruction ID: 6b441722810fd5162f18476f3f0a4e624d4020b0db9190d821e3f87b000494af
Opcode Fuzzy Hash: 85d9c80b181140885a4e23291525b207c8202a98c8176bc804c0305fb56249e6
Instruction Fuzzy Hash: 3A313970608340ABE300DF19D984B1FBBE2EB85B19F54C91EE0C88B252C77AC945DB5A

Function 00406B60 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d725d4ba4fd802df6fd221755dba927b50fb6f514e6c667997e14eddbb661b2
Instruction ID: a44188594f51d93899a0d3a3c9f1e0ba89db535253101c4496d7ebf2247cf6cf
Opcode Fuzzy Hash: 5d725d4ba4fd802df6fd221755dba927b50fb6f514e6c667997e14eddbb661b2
Instruction Fuzzy Hash: 7811C43BB2863207E350CE76DCC451B7352EBC6315B0A4539EA82E7386CA36F821D194

Function 0043A3F0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: a4fd78833d8513809fe3c628109cd5133cd2f1b88e9461769b84b90a1fc31938
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 26112933A451D00EC3128D3C8404565BFA30AF7238F69939AF4F49B2D2D62B8D8B835A

Function 0042F530 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6226d561c1d27d01699578d317e276bd1f24f219ef86e3f1c74ed20e0dd609fe
Instruction ID: cb0eae2fb7acbbfeafe59c0e2916fd7f900f4330164cce7174c8d37270c7c677
Opcode Fuzzy Hash: 6226d561c1d27d01699578d317e276bd1f24f219ef86e3f1c74ed20e0dd609fe
Instruction Fuzzy Hash: D6015EB2B01322A7DA209E55F4C1727B2B86F94B0CF98453EE80457343EB79ED4986D9

Function 004373B7 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e36e52846e7e99f775e09d76f0d208612c87688ff97583b2ae0e4e9e25c56006
Instruction ID: b2e550eaf7414c0d81ebe6c234304ab60717b00b9d94b40c181f57cfb3f5192a
Opcode Fuzzy Hash: e36e52846e7e99f775e09d76f0d208612c87688ff97583b2ae0e4e9e25c56006
Instruction Fuzzy Hash: 2D21A3F0901B00AFD360EF3AC946747BEE8FB49354F004A1EF8AA87691D371A4148BD6

Function 0041A040 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1b8d582fb4d510ac0465848603293de85f1cbeddc4253f33f89fcd910c8992e
Instruction ID: 8978fa5e65e77a9da2c654727caed3dfa08f5c409a696a9f95d22ff50669cf16
Opcode Fuzzy Hash: a1b8d582fb4d510ac0465848603293de85f1cbeddc4253f33f89fcd910c8992e
Instruction Fuzzy Hash: C4F0A7B1A4421027DB218D959C80BB7BF9CCB8F268F191456E84557202D1755D9083EF

Function 00414C30 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c63062348bac05b3489201115881a8b8b5ef881d48c6822ad6dc8ee5318a706
Instruction ID: 9a53c4e357b4c2264a087e22a8602c94998b4a176c526ad16f9447cb2898ea6a
Opcode Fuzzy Hash: 7c63062348bac05b3489201115881a8b8b5ef881d48c6822ad6dc8ee5318a706
Instruction Fuzzy Hash: 90F062B59083016BD2009A55E894A5FBEF8DBC7394F144C1EF5C493252E33AD890875B

Function 00440D00 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction ID: 4b6cc08ffd9d8970d7b809c044d9f62d4b06ae7fb849665ee62dc28a23279fe5
Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction Fuzzy Hash: 20D0A761A0833146BB748E19E400977F7F0EAC7B12F49955FFA82E3248D634EC41C2AD

Function 0043ED40 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 315memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0043ED9C
SysAllocString.OLEAUT32 ref: 0043EE5C
VariantInit.OLEAUT32(00000000), ref: 0043EEE1
SysStringLen.OLEAUT32(?), ref: 0043EF9B

Strings

3e5g, xrefs: 0043EDFE
dElG, xrefs: 0043EDBE
n]9_, xrefs: 0043EDEE
h=s?, xrefs: 0043EDAE
{9f;, xrefs: 0043EDB6
&QaS, xrefs: 0043EDE6
`a, xrefs: 0043EE06

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: String$Alloc$InitVariant
String ID: &QaS$3e5g$`a$dElG$h=s?$n]9_${9f;
API String ID: 3520221836-1152898833
Opcode ID: b7bc189fa02a770cffbd05b039091e2ac4dff470afe79c3d9d598ee5c7fe773e
Instruction ID: 245ce608caa8d0e7e32c98528556309af1013292badbe1e32265ea97ba019c18
Opcode Fuzzy Hash: b7bc189fa02a770cffbd05b039091e2ac4dff470afe79c3d9d598ee5c7fe773e
Instruction Fuzzy Hash: 2CC16575608341AFD3049F29C894A2FBBE2EFCA355F14892EF5858B3A1C739D845CB46

Function 0043461B Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 74COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00434625
VariantInit.OLEAUT32 ref: 00434638

Strings

%, xrefs: 00434694
3, xrefs: 00434662
/, xrefs: 00434676
', xrefs: 0043469E
), xrefs: 00434680
#, xrefs: 004346B2
+, xrefs: 0043468A
1, xrefs: 00434658
!, xrefs: 004346A8
-, xrefs: 0043466C

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: Variant$ClearInit
String ID: !$#$%$'$)$+$-$/$1$3
API String ID: 2610073882-2331977360
Opcode ID: 99523f8bbb05e30d50f7c527ba3f9859542442d6fc68eabb47c10e4df14aebea
Instruction ID: aa229d8ffd08d770e0b442ce0ab2aea3d278b942b7494f66e186f87a6f4e071a
Opcode Fuzzy Hash: 99523f8bbb05e30d50f7c527ba3f9859542442d6fc68eabb47c10e4df14aebea
Instruction Fuzzy Hash: 5941F47010C3C1CED361DB28908879EBFE0AB9A328F481A5DF4E947392C7759545CB57

Function 00435903 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 67COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0043590D
VariantInit.OLEAUT32 ref: 00435920

Strings

#, xrefs: 0043599A
-, xrefs: 00435954
1, xrefs: 00435940
+, xrefs: 00435972
/, xrefs: 0043595E
!, xrefs: 00435990
), xrefs: 00435968
', xrefs: 00435986
%, xrefs: 0043597C
3, xrefs: 0043594A

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: Variant$ClearInit
String ID: !$#$%$'$)$+$-$/$1$3
API String ID: 2610073882-2331977360
Opcode ID: 2512a766d295c700951f2732db7a39628cb522d6d9a4e055db7e4e3488698b6b
Instruction ID: 3b4e2062160fae6eab703fa3f9d35db381feae730c8683086966fded026d42fd
Opcode Fuzzy Hash: 2512a766d295c700951f2732db7a39628cb522d6d9a4e055db7e4e3488698b6b
Instruction Fuzzy Hash: 8441C47000C3C1DED361DB28948879EBFE06B9A328F445A9DF4E947392C7758545CB97

Function 004353F8 Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 84COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00435402
VariantInit.OLEAUT32 ref: 00435415

Strings

K, xrefs: 00435488
I, xrefs: 00435478
G, xrefs: 00435468
A, xrefs: 00435438
M, xrefs: 00435498
O, xrefs: 004354A8
C, xrefs: 00435448
E, xrefs: 00435458

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: Variant$ClearInit
String ID: A$C$E$G$I$K$M$O
API String ID: 2610073882-1863964857
Opcode ID: 0c16f3b9fbccda87c429147e394ee525b0fa4a12563483afe3bff2e100649278
Instruction ID: 25b6affae47083c67d52bd4909601d4e74bf15511364d10ab50ff0a356e8b788
Opcode Fuzzy Hash: 0c16f3b9fbccda87c429147e394ee525b0fa4a12563483afe3bff2e100649278
Instruction Fuzzy Hash: 7B51B07100CBC1CAD3319B2888487DFBFE0ABA6315F484A9DD5E94B3A2C7794545CBA7

Function 00434CD6 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 69COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00434CE0

Strings

[, xrefs: 00434D73
U, xrefs: 00434D23
I, xrefs: 00434D03
], xrefs: 00434D63
_, xrefs: 00434D53
S, xrefs: 00434D33
W, xrefs: 00434D13
Z, xrefs: 00434D6B
Q, xrefs: 00434D43

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: InitVariant
String ID: I$Q$S$U$W$Z$[$]$_
API String ID: 1927566239-1271914970
Opcode ID: 87118c07b2a6d8f9c7bd25abf49c843bc063277f88a37e2ade06f75478a6da63
Instruction ID: e01ddb18093a994b9e8a4c7fc898ceeb5035d42aac5db9fae9b447c4485569f9
Opcode Fuzzy Hash: 87118c07b2a6d8f9c7bd25abf49c843bc063277f88a37e2ade06f75478a6da63
Instruction Fuzzy Hash: 3B41CF7450C7C18AD3329B3884587DBBBE0ABAA315F440A9DE4ED87382C7B59545CB53

Function 0043420C Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 191COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 0043421A

Strings

8, xrefs: 004342F8
%, xrefs: 004342E8
9, xrefs: 00434308
<, xrefs: 004342F0
5, xrefs: 00434300

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: String
String ID: %$5$8$9$<
API String ID: 2568140703-2114583083
Opcode ID: d6b833df3eabf35734ea8fbe1b72c0da4bd9f9b9070a46d2ad50359e314a3bd7
Instruction ID: 28eb285daa382a9161e2b9b2f35719fdda1a369a125a388b0c418c1ff5801e39
Opcode Fuzzy Hash: d6b833df3eabf35734ea8fbe1b72c0da4bd9f9b9070a46d2ad50359e314a3bd7
Instruction Fuzzy Hash: 267182717083908FC7399E28C4903EEBAD2AFD9324F194A2ED9E9873C1DB3858018747

Function 00435C31 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 184COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 00435C3F

Strings

5, xrefs: 00435D2B
<, xrefs: 00435D1B
%, xrefs: 00435D13
9, xrefs: 00435D33
8, xrefs: 00435D23

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: String
String ID: %$5$8$9$<
API String ID: 2568140703-2114583083
Opcode ID: 8b4c388986064e429a83c3ed4a430769f75a94a30a44882467d4e8bfcb38c0dc
Instruction ID: 129bdd31e0ffa021cc1d2541c5a4e532b4f4a2daf0576048555f6edd8f38ff03
Opcode Fuzzy Hash: 8b4c388986064e429a83c3ed4a430769f75a94a30a44882467d4e8bfcb38c0dc
Instruction Fuzzy Hash: 5E71B971A087908FC7358F28C4943EEBAD26BD9324F198A2DD8E9873D1DB785841C786

Function 0043F159 Relevance: 6.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(00000008), ref: 0043F166
SysFreeString.OLEAUT32(?), ref: 0043F18A
SysFreeString.OLEAUT32(?), ref: 0043F193
SysFreeString.OLEAUT32(?), ref: 0043F1A7

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: FreeString$ClearVariant
String ID:
API String ID: 3349467263-0
Opcode ID: 58560392ab47aa2114563f4356d1c8e52c57eeadeae5f7abc4f76f34a86f5ef2
Instruction ID: 5279a49c251f6cef890a6ffb760737a9ccd1b9896b499edf198907c40db6c3dd
Opcode Fuzzy Hash: 58560392ab47aa2114563f4356d1c8e52c57eeadeae5f7abc4f76f34a86f5ef2
Instruction Fuzzy Hash: 71F06279504204DFC610ABA0D88891ABBB9FFC931AF144969F989D7321CB35E842CF12

Function 004384A5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 004384F0
GetSystemMetrics.USER32 ref: 004384FF

Strings

, xrefs: 004385D3

Memory Dump Source

Source File: 00000002.00000002.1748977401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 69ed578ce1acf7b87b7e3154842484afe7b10fd4941e1b907889245d867a2c86
Instruction ID: 9cac62dfbca176997423f0e393eeb876a9d6a0ba46be18ccb869142c9ab307b0
Opcode Fuzzy Hash: 69ed578ce1acf7b87b7e3154842484afe7b10fd4941e1b907889245d867a2c86
Instruction Fuzzy Hash: D25150B4E142189FDB40EFACD985A9DBBF0BF49300F118529E898E7350D734A945CF96

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report cccc2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cccc2.exe.log

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
cccc2.exe

Function 033A212D Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Function 017A1279 Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Function 017A1280 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Function 0040E9C0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141
libraryCOMMON

Function 00445D10 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 0040CE80 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 165
threadCOMMON

Function 00442CE0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30
memoryCOMMON

Function 00444CCE Relevance: 1.6, APIs: 1, Instructions: 71
libraryCOMMON

Function 00442D62 Relevance: 1.5, APIs: 1, Instructions: 44
memoryCOMMON