Edit tour

Windows Analysis Report
aqbjn3fl.exe

Overview

General Information

Sample name:	aqbjn3fl.exe
Analysis ID:	1577504
MD5:	34a152eb5d1d3e63dafef23579042933
SHA1:	9e1c23718d5b30c13d0cec51ba3484ddc32a3184
SHA256:	42365467efe5746a0b0076a3e609219a9cffe827d5a95f4e10221f081a3bf8fa
Tags:	18521511316185215113209bulletproofexeLummaStealeruser-abus3reports
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

aqbjn3fl.exe (PID: 6740 cmdline: "C:\Users\user\Desktop\aqbjn3fl.exe" MD5: 34A152EB5D1D3E63DAFEF23579042933)

conhost.exe (PID: 6748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

aqbjn3fl.exe (PID: 6872 cmdline: "C:\Users\user\Desktop\aqbjn3fl.exe" MD5: 34A152EB5D1D3E63DAFEF23579042933)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["processhol.sbs", "3xp3cts1aim.sbs", "befall-sm0ker.sbs", "push-hook.cyou", "owner-vacat10n.sbs", "librari-night.sbs", "p3ar11fter.sbs", "peepburry828.sbs", "p10tgrace.sbs"], "Build id": "FATE99--november"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.2416307371.00000000029DA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.aqbjn3fl.exe.400000.1.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
3.2.aqbjn3fl.exe.400000.1.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T14:30:25.378885+0100	2028371	3	Unknown Traffic	192.168.2.12	49716	23.55.153.106	443	TCP
2024-12-18T14:30:28.010095+0100	2028371	3	Unknown Traffic	192.168.2.12	49717	172.67.157.254	443	TCP
2024-12-18T14:30:29.808481+0100	2028371	3	Unknown Traffic	192.168.2.12	49718	172.67.157.254	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T14:30:28.753015+0100	2054653	1	A Network Trojan was detected	192.168.2.12	49717	172.67.157.254	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T14:30:28.753015+0100	2049836	1	A Network Trojan was detected	192.168.2.12	49717	172.67.157.254	443	TCP

ET MALWARE Observed DNS Query to Lumma Stealer Domain (3xp3cts1aim .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T14:30:23.485114+0100	2057695	1	A Network Trojan was detected	192.168.2.12	54571	1.1.1.1	53	UDP

ET MALWARE Observed DNS Query to Lumma Stealer Domain (p3ar11fter .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T14:30:23.667247+0100	2057698	1	A Network Trojan was detected	192.168.2.12	53967	1.1.1.1	53	UDP

ET MALWARE Observed DNS Query to Lumma Stealer Domain (peepburry828 .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T14:30:23.206406+0100	2057696	1	A Network Trojan was detected	192.168.2.12	58022	1.1.1.1	53	UDP

ET MALWARE Observed DNS Query to Lumma Stealer Domain (processhol .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T14:30:22.545634+0100	2057697	1	A Network Trojan was detected	192.168.2.12	49972	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (3xp3cts1aim .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T14:30:23.485114+0100	2057652	1	Domain Observed Used for C2 Detected	192.168.2.12	54571	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (befall-sm0ker .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T14:30:22.828568+0100	2057654	1	Domain Observed Used for C2 Detected	192.168.2.12	55691	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (librari-night .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T14:30:22.686920+0100	2057658	1	Domain Observed Used for C2 Detected	192.168.2.12	50487	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (owner-vacat10n .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T14:30:23.345438+0100	2057660	1	Domain Observed Used for C2 Detected	192.168.2.12	54215	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (p10tgrace .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T14:30:23.055795+0100	2057662	1	Domain Observed Used for C2 Detected	192.168.2.12	58670	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (p3ar11fter .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T14:30:23.667247+0100	2057664	1	Domain Observed Used for C2 Detected	192.168.2.12	53967	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (peepburry828 .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T14:30:23.206406+0100	2057666	1	Domain Observed Used for C2 Detected	192.168.2.12	58022	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (processhol .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T14:30:22.545634+0100	2057668	1	Domain Observed Used for C2 Detected	192.168.2.12	49972	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (push-hook .cyou)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T14:30:21.818147+0100	2057838	1	Domain Observed Used for C2 Detected	192.168.2.12	59712	1.1.1.1	53	UDP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T14:30:26.159414+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.12	49716	23.55.153.106	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: aqbjn3fl.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://p3ar11fter.sbs:443/apipi	Avira URL Cloud: Label: malware
Source: push-hook.cyou	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.2416307371.00000000029DA000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["processhol.sbs", "3xp3cts1aim.sbs", "befall-sm0ker.sbs", "push-hook.cyou", "owner-vacat10n.sbs", "librari-night.sbs", "p3ar11fter.sbs", "peepburry828.sbs", "p10tgrace.sbs"], "Build id": "FATE99--november"}

Multi AV Scanner detection for submitted file

Source: aqbjn3fl.exe

ReversingLabs: Detection: 78%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.0% probability

Machine Learning detection for sample

Source: aqbjn3fl.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: p3ar11fter.sbs
Source: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: 3xp3cts1aim.sbs
Source: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: owner-vacat10n.sbs
Source: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: peepburry828.sbs
Source: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: p10tgrace.sbs
Source: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: befall-sm0ker.sbs
Source: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: librari-night.sbs
Source: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: processhol.sbs
Source: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: push-hook.cyou
Source: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: FATE99--november

Source: aqbjn3fl.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.12:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.12:49717 version: TLS 1.2

Source: aqbjn3fl.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_0003F6A0 FindFirstFileExW,	0_2_0003F6A0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_0003F751 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_0003F751
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_0003F6A0 FindFirstFileExW,	3_2_0003F6A0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_0003C320 EnterCriticalSection,FindClose,FindFirstFileExW,	3_2_0003C320
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_0003F751 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_0003F751

Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-532F9054h]	3_2_0040A874
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-05h]	3_2_0040BDB0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 4x nop then mov byte ptr [eax], bl	3_2_0040CEF5
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+edi+00000090h]	3_2_00403060
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx]	3_2_00424800
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 4x nop then jmp dword ptr [00446B78h]	3_2_0041ECF4
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 4x nop then jmp eax	3_2_00418940
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 4x nop then mov ebp, dword ptr [ecx+esi*4-000009BCh]	3_2_00409150
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+000011E4h]	3_2_00425150
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	3_2_00423560
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	3_2_00441160
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 4x nop then push eax	3_2_00418D27
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_004195D1
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 4x nop then mov esi, edx	3_2_00427E50
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-69h]	3_2_00427E50
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edx+4B5D9729h]	3_2_0040CA6A
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-29h]	3_2_0041DE73
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 4x nop then mov ecx, eax	3_2_00425A75
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 4x nop then mov ecx, eax	3_2_00425A75
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 4x nop then movzx edi, byte ptr [esi+eax+08h]	3_2_0041B634
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-3DC4CF7Bh]	3_2_004252A2
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 4x nop then movzx edx, byte ptr [edi+ecx+26702EC9h]	3_2_0041A6A3
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 4x nop then mov ecx, eax	3_2_004272A0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 4x nop then movzx ebp, word ptr [eax]	3_2_004412A0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	3_2_00401F50
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 1B6183F2h	3_2_0043BF10
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 4x nop then mov ecx, edx	3_2_004237C0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 4x nop then movzx edi, byte ptr [esp+esi+04h]	3_2_0043BFC0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-29h]	3_2_0041DBD4
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-6Ah]	3_2_0041DBDB
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 4x nop then movzx edi, word ptr [edi+ecx*4]	3_2_00407BB0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+34h]	3_2_00407BB0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	3_2_00407BB0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 4x nop then mov ebx, edx	3_2_004277BD

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2057662 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (p10tgrace .sbs) : 192.168.2.12:58670 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057838 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (push-hook .cyou) : 192.168.2.12:59712 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057666 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (peepburry828 .sbs) : 192.168.2.12:58022 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057696 - Severity 1 - ET MALWARE Observed DNS Query to Lumma Stealer Domain (peepburry828 .sbs) : 192.168.2.12:58022 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057654 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (befall-sm0ker .sbs) : 192.168.2.12:55691 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057652 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (3xp3cts1aim .sbs) : 192.168.2.12:54571 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057695 - Severity 1 - ET MALWARE Observed DNS Query to Lumma Stealer Domain (3xp3cts1aim .sbs) : 192.168.2.12:54571 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057668 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (processhol .sbs) : 192.168.2.12:49972 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057697 - Severity 1 - ET MALWARE Observed DNS Query to Lumma Stealer Domain (processhol .sbs) : 192.168.2.12:49972 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057660 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (owner-vacat10n .sbs) : 192.168.2.12:54215 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057664 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (p3ar11fter .sbs) : 192.168.2.12:53967 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057698 - Severity 1 - ET MALWARE Observed DNS Query to Lumma Stealer Domain (p3ar11fter .sbs) : 192.168.2.12:53967 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057658 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (librari-night .sbs) : 192.168.2.12:50487 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.12:49716 -> 23.55.153.106:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.12:49717 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.12:49717 -> 172.67.157.254:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: processhol.sbs
Source: Malware configuration extractor	URLs: 3xp3cts1aim.sbs
Source: Malware configuration extractor	URLs: befall-sm0ker.sbs
Source: Malware configuration extractor	URLs: push-hook.cyou
Source: Malware configuration extractor	URLs: owner-vacat10n.sbs
Source: Malware configuration extractor	URLs: librari-night.sbs
Source: Malware configuration extractor	URLs: p3ar11fter.sbs
Source: Malware configuration extractor	URLs: peepburry828.sbs
Source: Malware configuration extractor	URLs: p10tgrace.sbs

Source: Joe Sandbox View	IP Address: 172.67.157.254 172.67.157.254
Source: Joe Sandbox View	IP Address: 23.55.153.106 23.55.153.106

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49718 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49717 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49716 -> 23.55.153.106:443

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: global traffic	DNS traffic detected: DNS query: push-hook.cyou
Source: global traffic	DNS traffic detected: DNS query: processhol.sbs
Source: global traffic	DNS traffic detected: DNS query: librari-night.sbs
Source: global traffic	DNS traffic detected: DNS query: befall-sm0ker.sbs
Source: global traffic	DNS traffic detected: DNS query: p10tgrace.sbs
Source: global traffic	DNS traffic detected: DNS query: peepburry828.sbs
Source: global traffic	DNS traffic detected: DNS query: owner-vacat10n.sbs
Source: global traffic	DNS traffic detected: DNS query: 3xp3cts1aim.sbs
Source: global traffic	DNS traffic detected: DNS query: p3ar11fter.sbs
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: lev-tolstoi.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com

Source: aqbjn3fl.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: aqbjn3fl.exe, 00000003.00000002.2498018235.0000000003316000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496867936.0000000003316000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: aqbjn3fl.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: aqbjn3fl.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: aqbjn3fl.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: aqbjn3fl.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: aqbjn3fl.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: aqbjn3fl.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: aqbjn3fl.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: aqbjn3fl.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: aqbjn3fl.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: aqbjn3fl.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: aqbjn3fl.exe, 00000003.00000003.2496867936.000000000330A000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.2498018235.000000000330A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://3xp3cts1aim.sbs/api
Source: aqbjn3fl.exe, 00000003.00000002.2498018235.00000000032D2000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496867936.00000000032D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://3xp3cts1aim.sbs:443/apii
Source: aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: aqbjn3fl.exe, 00000003.00000002.2498018235.000000000334A000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496867936.000000000334A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly
Source: aqbjn3fl.exe, 00000003.00000002.2498018235.000000000334A000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496867936.000000000334A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
Source: aqbjn3fl.exe, 00000003.00000002.2498018235.000000000334A000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496867936.000000000334A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/g
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: aqbjn3fl.exe, 00000003.00000002.2498018235.000000000334A000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496867936.000000000334A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=E
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
Source: aqbjn3fl.exe, 00000003.00000002.2498018235.000000000334A000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496867936.000000000334A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
Source: aqbjn3fl.exe, 00000003.00000003.2496867936.00000000032BC000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.2498018235.00000000032BC000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=THDq-gsQ
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=0Xxx
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=kOc26QwM0vlX&l=e
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: aqbjn3fl.exe, 00000003.00000002.2498018235.000000000334A000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496867936.000000000334A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?Y
Source: aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: aqbjn3fl.exe, 00000003.00000002.2498018235.000000000334A000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496867936.000000000334A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&am
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
Source: aqbjn3fl.exe, 00000003.00000002.2498018235.000000000334A000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496867936.000000000334A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: aqbjn3fl.exe, 00000003.00000002.2498018235.000000000334A000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496867936.000000000334A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstaticI
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: aqbjn3fl.exe, 00000003.00000002.2498018235.0000000003361000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496706707.0000000003361000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496758194.0000000003361000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/:
Source: aqbjn3fl.exe, 00000003.00000003.2496867936.000000000330A000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.2498018235.000000000330A000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.2498018235.0000000003316000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496867936.0000000003316000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/api
Source: aqbjn3fl.exe, 00000003.00000002.2498018235.0000000003316000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496867936.0000000003316000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/api2
Source: aqbjn3fl.exe, 00000003.00000003.2496867936.000000000330A000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.2498018235.000000000330A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/apilE
Source: aqbjn3fl.exe, 00000003.00000002.2498018235.0000000003361000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496706707.0000000003361000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496758194.0000000003361000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/ineIntz
Source: aqbjn3fl.exe, 00000003.00000002.2498018235.0000000003361000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496706707.0000000003361000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496758194.0000000003361000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/pi
Source: aqbjn3fl.exe, 00000003.00000002.2498018235.00000000032D2000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496867936.00000000032D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com:443/api
Source: aqbjn3fl.exe, 00000003.00000002.2498018235.00000000032D2000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496867936.00000000032D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com:443/apipi&
Source: aqbjn3fl.exe, 00000003.00000002.2498018235.00000000032D2000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496867936.00000000032D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://p3ar11fter.sbs:443/apipi
Source: aqbjn3fl.exe, 00000003.00000002.2498018235.00000000032D2000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496867936.00000000032D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://processhol.sbs:443/api
Source: aqbjn3fl.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: aqbjn3fl.exe, 00000003.00000003.2496867936.000000000330A000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.2498018235.000000000330A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/=
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: aqbjn3fl.exe, 00000003.00000003.2496867936.000000000330A000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.2498018235.000000000330A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/io
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: aqbjn3fl.exe, 00000003.00000002.2498018235.00000000032D2000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496867936.00000000032D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900O
Source: aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443

Source: unknown	HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.12:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.12:49717 version: TLS 1.2

Source: C:\Users\user\Desktop\aqbjn3fl.exe

Code function: 3_2_00433CD0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_00433CD0

Source: C:\Users\user\Desktop\aqbjn3fl.exe

Code function: 3_2_00433CD0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_00433CD0

Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_00036820	0_2_00036820
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_00023460	0_2_00023460
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_00037860	0_2_00037860
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_0002D4C0	0_2_0002D4C0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_00024CE0	0_2_00024CE0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_00034CF0	0_2_00034CF0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_00036CF0	0_2_00036CF0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_0002DD20	0_2_0002DD20
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_00015930	0_2_00015930
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_00024930	0_2_00024930
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_00028149	0_2_00028149
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_00031D50	0_2_00031D50
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_0001B964	0_2_0001B964
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_00034190	0_2_00034190
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_00025610	0_2_00025610
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_00045E42	0_2_00045E42
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_00022B07	0_2_00022B07
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_00026350	0_2_00026350
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_00037350	0_2_00037350
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_0002F360	0_2_0002F360
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_0001A36B	0_2_0001A36B
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_00027F74	0_2_00027F74
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_00025F80	0_2_00025F80
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_00031387	0_2_00031387
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_00029BA0	0_2_00029BA0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_00023FA0	0_2_00023FA0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00011000	3_2_00011000
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00036820	3_2_00036820
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00023460	3_2_00023460
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00033C60	3_2_00033C60
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00037860	3_2_00037860
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_0001CCC0	3_2_0001CCC0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_0002D4C0	3_2_0002D4C0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00024CE0	3_2_00024CE0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00034CF0	3_2_00034CF0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00036CF0	3_2_00036CF0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00015930	3_2_00015930
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00024930	3_2_00024930
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00015540	3_2_00015540
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00031D50	3_2_00031D50
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_0001A180	3_2_0001A180
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00034190	3_2_00034190
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_000201B0	3_2_000201B0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00025610	3_2_00025610
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00045E42	3_2_00045E42
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00013E60	3_2_00013E60
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_0002DE90	3_2_0002DE90
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00022AC0	3_2_00022AC0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00031330	3_2_00031330
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00026350	3_2_00026350
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00037350	3_2_00037350
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00025F80	3_2_00025F80
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00029BA0	3_2_00029BA0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00023FA0	3_2_00023FA0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00027BF0	3_2_00027BF0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_0040B6E0	3_2_0040B6E0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_0040CEF5	3_2_0040CEF5
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00439310	3_2_00439310
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00408F20	3_2_00408F20
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00404440	3_2_00404440
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00403060	3_2_00403060
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00424800	3_2_00424800
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00406C10	3_2_00406C10
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00402CC0	3_2_00402CC0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00420CD0	3_2_00420CD0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_004418D0	3_2_004418D0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_0041FC80	3_2_0041FC80
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00406090	3_2_00406090
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_0041F090	3_2_0041F090
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_004070A0	3_2_004070A0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_004400A0	3_2_004400A0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_0040DCB7	3_2_0040DCB7
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00409940	3_2_00409940
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00406550	3_2_00406550
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00409150	3_2_00409150
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_0042F960	3_2_0042F960
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00438970	3_2_00438970
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00409DC0	3_2_00409DC0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_004195D1	3_2_004195D1
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_0040ADE0	3_2_0040ADE0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_004415B0	3_2_004415B0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00427E50	3_2_00427E50
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00403A60	3_2_00403A60
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00425A75	3_2_00425A75
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_0040B220	3_2_0040B220
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_0043FB70	3_2_0043FB70
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00424EE0	3_2_00424EE0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_0041BAE6	3_2_0041BAE6
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_0041B2F0	3_2_0041B2F0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00439AF0	3_2_00439AF0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_0041CA80	3_2_0041CA80
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00420EA0	3_2_00420EA0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_0041A6A3	3_2_0041A6A3
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_004412A0	3_2_004412A0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_0041DF60	3_2_0041DF60
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_0043FB70	3_2_0043FB70
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_0043BB70	3_2_0043BB70
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_0041F710	3_2_0041F710
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00438710	3_2_00438710
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_0041AB3B	3_2_0041AB3B
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_004237C0	3_2_004237C0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_0043FFD0	3_2_0043FFD0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00427BEB	3_2_00427BEB
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_0042A3F0	3_2_0042A3F0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00441BF0	3_2_00441BF0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_0041C3FA	3_2_0041C3FA
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00404F8F	3_2_00404F8F
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00422BA0	3_2_00422BA0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00407BB0	3_2_00407BB0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_004277BD	3_2_004277BD

Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: String function: 000398B0 appears 64 times
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: String function: 0003CB18 appears 36 times

Source: aqbjn3fl.exe

Static PE information: invalid certificate

Source: aqbjn3fl.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: aqbjn3fl.exe

Static PE information: Section: .bOS ZLIB complexity 1.0003366361788617

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/0@11/2

Source: C:\Users\user\Desktop\aqbjn3fl.exe

Code function: 3_2_00439310 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

3_2_00439310

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6748:120:WilError_03

Source: aqbjn3fl.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\aqbjn3fl.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: aqbjn3fl.exe

ReversingLabs: Detection: 78%

Source: C:\Users\user\Desktop\aqbjn3fl.exe

File read: C:\Users\user\Desktop\aqbjn3fl.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\aqbjn3fl.exe "C:\Users\user\Desktop\aqbjn3fl.exe"
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Process created: C:\Users\user\Desktop\aqbjn3fl.exe "C:\Users\user\Desktop\aqbjn3fl.exe"
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Process created: C:\Users\user\Desktop\aqbjn3fl.exe "C:\Users\user\Desktop\aqbjn3fl.exe"	Jump to behavior

Source: C:\Users\user\Desktop\aqbjn3fl.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: aqbjn3fl.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE

Source: aqbjn3fl.exe	Static PE information: section name: .00cfg
Source: aqbjn3fl.exe	Static PE information: section name: .bOS

Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_0004011A push ecx; ret		0_2_0004012D
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_0004011A push ecx; ret		3_2_0004012D

Source: aqbjn3fl.exe

Static PE information: section name: .text entropy: 6.95731113161578

Source: C:\Users\user\Desktop\aqbjn3fl.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\aqbjn3fl.exe

API coverage: 8.4 %

Source: C:\Users\user\Desktop\aqbjn3fl.exe TID: 6892	Thread sleep time: -90000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\aqbjn3fl.exe TID: 6892	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\aqbjn3fl.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_0003F6A0 FindFirstFileExW,	0_2_0003F6A0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_0003F751 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_0003F751
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_0003F6A0 FindFirstFileExW,	3_2_0003F6A0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_0003C320 EnterCriticalSection,FindClose,FindFirstFileExW,	3_2_0003C320
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_0003F751 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_0003F751

Source: aqbjn3fl.exe, 00000003.00000003.2496867936.00000000032BC000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.2498018235.00000000032BC000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.2498018235.0000000003316000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496867936.0000000003316000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\aqbjn3fl.exe

Code function: 3_2_0043E470 LdrInitializeThunk,

3_2_0043E470

Source: C:\Users\user\Desktop\aqbjn3fl.exe

Code function: 0_2_000396CF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_000396CF

Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_0004D18D mov edi, dword ptr fs:[00000030h]	0_2_0004D18D
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_00022C60 mov eax, dword ptr fs:[00000030h]	0_2_00022C60
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_00022C60 mov eax, dword ptr fs:[00000030h]	0_2_00022C60
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_0001D478 mov edi, dword ptr fs:[00000030h]	0_2_0001D478
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_0001D07E mov edi, dword ptr fs:[00000030h]	0_2_0001D07E
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_0001CD0A mov edi, dword ptr fs:[00000030h]	0_2_0001CD0A
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_0001E946 mov edi, dword ptr fs:[00000030h]	0_2_0001E946
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_0001CD0A mov edi, dword ptr fs:[00000030h]	0_2_0001CD0A
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_0001D6BB mov edi, dword ptr fs:[00000030h]	0_2_0001D6BB
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_0001D6BB mov edi, dword ptr fs:[00000030h]	0_2_0001D6BB
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_0001E359 mov edi, dword ptr fs:[00000030h]	0_2_0001E359
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_00022BBB mov eax, dword ptr fs:[00000030h]	0_2_00022BBB
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_00022BBB mov eax, dword ptr fs:[00000030h]	0_2_00022BBB
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_0001CCC0 mov edi, dword ptr fs:[00000030h]	3_2_0001CCC0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_0001CCC0 mov edi, dword ptr fs:[00000030h]	3_2_0001CCC0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_0001CCC0 mov edi, dword ptr fs:[00000030h]	3_2_0001CCC0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_0001CCC0 mov edi, dword ptr fs:[00000030h]	3_2_0001CCC0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_0001CCC0 mov edi, dword ptr fs:[00000030h]	3_2_0001CCC0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_0001CCC0 mov edi, dword ptr fs:[00000030h]	3_2_0001CCC0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_0001CCC0 mov edi, dword ptr fs:[00000030h]	3_2_0001CCC0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_0001CCC0 mov edi, dword ptr fs:[00000030h]	3_2_0001CCC0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00022AC0 mov eax, dword ptr fs:[00000030h]	3_2_00022AC0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00022AC0 mov eax, dword ptr fs:[00000030h]	3_2_00022AC0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00022AC0 mov eax, dword ptr fs:[00000030h]	3_2_00022AC0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00022AC0 mov eax, dword ptr fs:[00000030h]	3_2_00022AC0
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_00022AC0 mov eax, dword ptr fs:[00000030h]	3_2_00022AC0

Source: C:\Users\user\Desktop\aqbjn3fl.exe

Code function: 0_2_0003CB30 GetProcessHeap,

0_2_0003CB30

Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_0003904F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0003904F
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_000396C3 SetUnhandledExceptionFilter,	0_2_000396C3
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_000396CF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000396CF
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 0_2_0003B7BA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0003B7BA
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_0003904F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0003904F
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_000396C3 SetUnhandledExceptionFilter,	3_2_000396C3
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_000396CF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_000396CF
Source: C:\Users\user\Desktop\aqbjn3fl.exe	Code function: 3_2_0003B7BA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0003B7BA

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\aqbjn3fl.exe

Code function: 0_2_0004D18D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_0004D18D

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\aqbjn3fl.exe

Memory written: C:\Users\user\Desktop\aqbjn3fl.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: aqbjn3fl.exe, 00000000.00000002.2416307371.00000000029DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: p3ar11fter.sbs
Source: aqbjn3fl.exe, 00000000.00000002.2416307371.00000000029DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 3xp3cts1aim.sbs
Source: aqbjn3fl.exe, 00000000.00000002.2416307371.00000000029DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: peepburry828.sbs
Source: aqbjn3fl.exe, 00000000.00000002.2416307371.00000000029DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: p10tgrace.sbs
Source: aqbjn3fl.exe, 00000000.00000002.2416307371.00000000029DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: processhol.sbs

Source: C:\Users\user\Desktop\aqbjn3fl.exe

Process created: C:\Users\user\Desktop\aqbjn3fl.exe "C:\Users\user\Desktop\aqbjn3fl.exe"

Jump to behavior

Source: C:\Users\user\Desktop\aqbjn3fl.exe

Code function: 0_2_000398F5 cpuid

0_2_000398F5

Source: C:\Users\user\Desktop\aqbjn3fl.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\aqbjn3fl.exe

Code function: 0_2_00039586 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00039586

Source: C:\Users\user\Desktop\aqbjn3fl.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: 3.2.aqbjn3fl.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.aqbjn3fl.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2416307371.00000000029DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: 3.2.aqbjn3fl.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.aqbjn3fl.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2416307371.00000000029DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	211 Process Injection	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	2 Clipboard Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	33 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
aqbjn3fl.exe	79%	ReversingLabs	Win32.Trojan.Stealerc
aqbjn3fl.exe	100%	Avira	HEUR/AGEN.1361736
aqbjn3fl.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://lev-tolstoi.com/ineIntz	0%	Avira URL Cloud	safe
https://lev-tolstoi.com:443/apipi&	0%	Avira URL Cloud	safe
https://community.fastly.steamstaticI	0%	Avira URL Cloud	safe
https://p3ar11fter.sbs:443/apipi	100%	Avira URL Cloud	malware
push-hook.cyou	100%	Avira URL Cloud	malware
https://community.fastly	0%	Avira URL Cloud	safe
https://lev-tolstoi.com:443/api	0%	Avira URL Cloud	safe
https://lev-tolstoi.com/api2	0%	Avira URL Cloud	safe
https://lev-tolstoi.com/apilE	0%	Avira URL Cloud	safe
https://lev-tolstoi.com/:	0%	Avira URL Cloud	safe
https://lev-tolstoi.com/pi	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	23.55.153.106	true	false	high
lev-tolstoi.com	172.67.157.254	true	false	high
librari-night.sbs	unknown	unknown	false	high
owner-vacat10n.sbs	unknown	unknown	false	high
p10tgrace.sbs	unknown	unknown	false	high
befall-sm0ker.sbs	unknown	unknown	false	high
3xp3cts1aim.sbs	unknown	unknown	false	high
p3ar11fter.sbs	unknown	unknown	false	high
push-hook.cyou	unknown	unknown	false	high
peepburry828.sbs	unknown	unknown	false	high
processhol.sbs	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
peepburry828.sbs	false		high
processhol.sbs	false		high
https://steamcommunity.com/profiles/76561199724331900	false		high
befall-sm0ker.sbs	false		high
https://lev-tolstoi.com/api	false		high
librari-night.sbs	false		high
owner-vacat10n.sbs	false		high
p10tgrace.sbs	false		high
push-hook.cyou	true	Avira URL Cloud: malware	unknown
p3ar11fter.sbs	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#	aqbjn3fl.exe	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	aqbjn3fl.exe	false		high
https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/?subsection=broadcasts	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/io	aqbjn3fl.exe, 00000003.00000003.2496867936.000000000330A000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.2498018235.000000000330A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/subscriber_agreement/	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.valvesoftware.com/legal.htm	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis	aqbjn3fl.exe, 00000003.00000002.2498018235.000000000334A000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496867936.000000000334A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=0Xxx	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/ineIntz	aqbjn3fl.exe, 00000003.00000002.2498018235.0000000003361000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496706707.0000000003361000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496758194.0000000003361000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#	aqbjn3fl.exe	false		high
https://p3ar11fter.sbs:443/apipi	aqbjn3fl.exe, 00000003.00000002.2498018235.00000000032D2000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496867936.00000000032D2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstaticI	aqbjn3fl.exe, 00000003.00000002.2498018235.000000000334A000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496867936.000000000334A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/privacy_agreement/	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://processhol.sbs:443/api	aqbjn3fl.exe, 00000003.00000002.2498018235.00000000032D2000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496867936.00000000032D2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com	aqbjn3fl.exe, 00000003.00000002.2498018235.000000000334A000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496867936.000000000334A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/points/shop/	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199724331900/inventory/	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/privacy_agreement/	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z	aqbjn3fl.exe	false		high
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=THDq-gsQ	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/about/	aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/my/wishlist/	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	aqbjn3fl.exe, 00000003.00000002.2498018235.000000000334A000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496867936.000000000334A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	aqbjn3fl.exe	false		high
https://help.steampowered.com/en/	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/market/	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/news/	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=E	aqbjn3fl.exe, 00000003.00000002.2498018235.000000000334A000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496867936.000000000334A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/subscriber_agreement/	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	aqbjn3fl.exe	false		high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/g	aqbjn3fl.exe, 00000003.00000002.2498018235.000000000334A000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496867936.000000000334A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com:443/apipi&	aqbjn3fl.exe, 00000003.00000002.2498018235.00000000032D2000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496867936.00000000032D2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/discussions/	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0	aqbjn3fl.exe	false		high
https://store.steampowered.com/stats/	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/steam_refunds/	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/=	aqbjn3fl.exe, 00000003.00000003.2496867936.000000000330A000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.2498018235.000000000330A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=kOc26QwM0vlX&l=e	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/workshop/	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/legal/	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&am	aqbjn3fl.exe, 00000003.00000002.2498018235.000000000334A000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496867936.000000000334A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	aqbjn3fl.exe	false		high
https://lev-tolstoi.com/:	aqbjn3fl.exe, 00000003.00000002.2498018235.0000000003361000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496706707.0000000003361000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496758194.0000000003361000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/apilE	aqbjn3fl.exe, 00000003.00000003.2496867936.000000000330A000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.2498018235.000000000330A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	aqbjn3fl.exe	false		high
https://lev-tolstoi.com/api2	aqbjn3fl.exe, 00000003.00000002.2498018235.0000000003316000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496867936.0000000003316000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/	aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	aqbjn3fl.exe, 00000003.00000003.2496867936.00000000032BC000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000002.2498018235.00000000032BC000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	aqbjn3fl.exe	false		high
https://lev-tolstoi.com:443/api	aqbjn3fl.exe, 00000003.00000002.2498018235.00000000032D2000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496867936.00000000032D2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?Y	aqbjn3fl.exe, 00000003.00000002.2498018235.000000000334A000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496867936.000000000334A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/account/cookiepreferences/	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly	aqbjn3fl.exe, 00000003.00000002.2498018235.000000000334A000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496867936.000000000334A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/mobile	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com:443/profiles/76561199724331900O	aqbjn3fl.exe, 00000003.00000002.2498018235.00000000032D2000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496867936.00000000032D2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/	aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/pi	aqbjn3fl.exe, 00000003.00000002.2498018235.0000000003361000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496706707.0000000003361000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2496758194.0000000003361000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199724331900/badges	aqbjn3fl.exe, 00000003.00000003.2463763248.0000000003359000.00000004.00000020.00020000.00000000.sdmp, aqbjn3fl.exe, 00000003.00000003.2486040588.000000000336C000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.157.254	lev-tolstoi.com	United States		13335	CLOUDFLARENETUS	false
23.55.153.106	steamcommunity.com	United States		20940	AKAMAI-ASN1EU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1577504
Start date and time:	2024-12-18 14:29:16 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	aqbjn3fl.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/0@11/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 72% Number of executed functions: 21 Number of non-executed functions: 108
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: aqbjn3fl.exe

Simulations

Behavior and APIs

Time	Type	Description
08:30:21	API Interceptor	6x Sleep call for process: aqbjn3fl.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
172.67.157.254	v_dolg.exe	Get hash	malicious	LummaC Stealer	Browse
	random.exe.6.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar	Browse
	alexshlu.exe	Get hash	malicious	LummaC Stealer	Browse
	ardware-v1.exe	Get hash	malicious	LummaC	Browse
	https://t.co/nq9BYOxCg9	Get hash	malicious	HTMLPhisher	Browse
23.55.153.106	zq6a1iqg.exe	Get hash	malicious	LummaC Stealer	Browse
	v_dolg.exe	Get hash	malicious	LummaC Stealer	Browse
	cccc2.exe	Get hash	malicious	LummaC	Browse
	CompleteStudio.exe	Get hash	malicious	LummaC	Browse
	random.exe.6.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar	Browse
	alexshlu.exe	Get hash	malicious	LummaC Stealer	Browse
	99awhy8l.exe	Get hash	malicious	LummaC	Browse
	5_6253708004881862888.exe	Get hash	malicious	LummaC	Browse
	noll.exe	Get hash	malicious	Stealc, Vidar	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
lev-tolstoi.com	v_dolg.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.157.254
	CompleteStudio.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	random.exe.6.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar	Browse	172.67.157.254
	alexshlu.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.157.254
	5_6253708004881862888.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	1fxm3u0d.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	2kudv4ea.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	ardware-v1.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	ardware-v1.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
steamcommunity.com	zq6a1iqg.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106
	v_dolg.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106
	cccc2.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	CompleteStudio.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	random.exe.6.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar	Browse	23.55.153.106
	alexshlu.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106
	99awhy8l.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	5_6253708004881862888.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	noll.exe	Get hash	malicious	Stealc, Vidar	Browse	23.55.153.106

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASN1EU	http://www.mynylgbs.com	Get hash	malicious	Unknown	Browse	23.195.38.175
	loligang.ppc.elf	Get hash	malicious	Mirai	Browse	96.17.102.118
	zq6a1iqg.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106
	v_dolg.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106
	cccc2.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	CompleteStudio.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	random.exe.6.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar	Browse	23.55.153.106
	alexshlu.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106
	99awhy8l.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
CLOUDFLARENETUS	https://pluginvest.freshdesk.com/en/support/solutions/articles/157000010678-pluginvest-laadoplossing	Get hash	malicious	Unknown	Browse	162.159.140.147
	goldlummaa.exe	Get hash	malicious	LummaC	Browse	104.21.50.161
	hnsjdghf18.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.65.251.78
	ko.ps1.2.ps1	Get hash	malicious	Unknown	Browse	172.64.41.3
	kjshdgacg18.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.65.251.78
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	104.21.23.76
	InstallSetup.exe	Get hash	malicious	LummaC	Browse	172.67.220.223
	Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	ScreenUpdateSync.exe	Get hash	malicious	LummaC	Browse	104.21.24.223

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	goldlummaa.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 23.55.153.106
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	172.67.157.254 23.55.153.106
	InstallSetup.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 23.55.153.106
	ScreenUpdateSync.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 23.55.153.106
	random.exe.10.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 23.55.153.106
	zq6a1iqg.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.157.254 23.55.153.106
	v_dolg.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.157.254 23.55.153.106
	winrar-x64-701.exe	Get hash	malicious	Unknown	Browse	172.67.157.254 23.55.153.106
	cccc2.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 23.55.153.106

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.693168108127972
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	aqbjn3fl.exe
File size:	586'368 bytes
MD5:	34a152eb5d1d3e63dafef23579042933
SHA1:	9e1c23718d5b30c13d0cec51ba3484ddc32a3184
SHA256:	42365467efe5746a0b0076a3e609219a9cffe827d5a95f4e10221f081a3bf8fa
SHA512:	270298ca39c3ff0ab4c576374a5c091135efad3c1cb9930888a74ef7d421f43039c2545eadecb037fcff2b8ee4e22cd4d809b19e7958b44ba1c72100135a46fe
SSDEEP:	12288:9o3gygylSwAN2kLkhn23c7Abpzq/Dw3imKQJ4nTL35iDBrDEnchQm/71lr7v:i3gygnN2kLktsc7keDHQJqTk9Fr7v
TLSH:	D0C4D1125541E8A3F88318FF3DB6A32734A773B2B6B1CAD3C17574685B400C195EAE6E
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...<.=g.................V........................@.......................................@.................................T...(..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4292e0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x673DAB3C [Wed Nov 20 09:26:20 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	3a33a82bcd5969a5b19ce5fba049e5b4

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	30/08/2023 20:00:00 30/08/2026 19:59:59
Subject Chain	CN=Privacy Technologies OU, O=Privacy Technologies OU, S=Harjumaa, C=EE
Version:	3
Thumbprint MD5:	AD1BCBF19AE2F91BB114D33B85359E56
Thumbprint SHA-1:	141D90A1BA8F61863FBEDDF7DD1D66C1D1E0B128
Thumbprint SHA-256:	A08EA2A7A257AD690B988446951E9DEF2986A2F3F546B6F0902805330F3B6B48
Serial:	00D0461B529F67189D43744E9CEFE172AE

Entrypoint Preview

Instruction
call 00007FA584C5CEFBh
jmp 00007FA584C5CB0Dh
push ebp
mov ebp, esp
push dword ptr [ebp+08h]
call 00007FA584C5CCAFh
neg eax
pop ecx
sbb eax, eax
neg eax
dec eax
pop ebp
ret
push ebp
mov ebp, esp
cmp dword ptr [0043E488h], FFFFFFFFh
push dword ptr [ebp+08h]
jne 00007FA584C5CCA9h
call 00007FA584C5EB2Bh
jmp 00007FA584C5CCADh
push 0043E488h
call 00007FA584C5EAAEh
pop ecx
neg eax
pop ecx
sbb eax, eax
not eax
and eax, dword ptr [ebp+08h]
pop ebp
ret
push 00000008h
push 0043C8E0h
call 00007FA584C5D21Dh
and dword ptr [ebp-04h], 00000000h
mov eax, 00005A4Dh
cmp word ptr [00400000h], ax
jne 00007FA584C5CCFFh
mov eax, dword ptr [0040003Ch]
cmp dword ptr [eax+00400000h], 00004550h
jne 00007FA584C5CCEEh
mov ecx, 0000010Bh
cmp word ptr [eax+00400018h], cx
jne 00007FA584C5CCE0h
mov eax, dword ptr [ebp+08h]
mov ecx, 00400000h
sub eax, ecx
push eax
push ecx
call 00007FA584C5CE22h
pop ecx
pop ecx
test eax, eax
je 00007FA584C5CCC9h
cmp dword ptr [eax+24h], 00000000h
jl 00007FA584C5CCC3h
mov dword ptr [ebp-04h], FFFFFFFEh
mov al, 01h
jmp 00007FA584C5CCC1h
mov eax, dword ptr [ebp-14h]
mov eax, dword ptr [eax]
xor ecx, ecx
cmp dword ptr [eax], C0000005h
sete cl
mov eax, ecx
ret
mov esp, dword ptr [ebp-18h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3c054	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x8c400	0x2e80	.bOS
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x40000	0x2604	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x37160	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3c198	0x11c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3546c	0x35600	f5361c54b25e15a938b45ad5e6bff8aa	False	0.49542136270491804	data	6.95731113161578	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x37000	0x5e44	0x6000	fd3796618028fe8f9db0ee4940ae629c	False	0.4084879557291667	data	4.760062424903548	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3d000	0x1ba4	0x1000	ff4f8fd6963b4f7d1c08f13031fa0788	False	0.470703125	OpenPGP Secret Key	4.849894766585126	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.00cfg	0x3f000	0x8	0x200	0412284a8fbf9e5e622314b9d7d68a8f	False	0.03125	data	0.06116285224115448	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x40000	0x2604	0x2800	ea75b8bb4d2e2cb7f98c9cf7a2c3e9f3	False	0.78046875	data	6.61872461528721	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bOS	0x43000	0x4ce00	0x4ce00	76f523d6798942655c73d5441edae6bf	False	1.0003366361788617	data	7.999557020865279	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL

Import

KERNEL32.dll

CloseHandle, CompareStringW, CreateFileA, CreateFileW, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileSize, GetFileType, GetLastError, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadFile, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WideCharToMultiByte, WriteConsoleW, WriteFile

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-18T14:30:21.818147+0100	2057838	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (push-hook .cyou)	1	192.168.2.12	59712	1.1.1.1	53	UDP
2024-12-18T14:30:22.545634+0100	2057668	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (processhol .sbs)	1	192.168.2.12	49972	1.1.1.1	53	UDP
2024-12-18T14:30:22.545634+0100	2057697	ET MALWARE Observed DNS Query to Lumma Stealer Domain (processhol .sbs)	1	192.168.2.12	49972	1.1.1.1	53	UDP
2024-12-18T14:30:22.686920+0100	2057658	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (librari-night .sbs)	1	192.168.2.12	50487	1.1.1.1	53	UDP
2024-12-18T14:30:22.828568+0100	2057654	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (befall-sm0ker .sbs)	1	192.168.2.12	55691	1.1.1.1	53	UDP
2024-12-18T14:30:23.055795+0100	2057662	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (p10tgrace .sbs)	1	192.168.2.12	58670	1.1.1.1	53	UDP
2024-12-18T14:30:23.206406+0100	2057666	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (peepburry828 .sbs)	1	192.168.2.12	58022	1.1.1.1	53	UDP
2024-12-18T14:30:23.206406+0100	2057696	ET MALWARE Observed DNS Query to Lumma Stealer Domain (peepburry828 .sbs)	1	192.168.2.12	58022	1.1.1.1	53	UDP
2024-12-18T14:30:23.345438+0100	2057660	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (owner-vacat10n .sbs)	1	192.168.2.12	54215	1.1.1.1	53	UDP
2024-12-18T14:30:23.485114+0100	2057652	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (3xp3cts1aim .sbs)	1	192.168.2.12	54571	1.1.1.1	53	UDP
2024-12-18T14:30:23.485114+0100	2057695	ET MALWARE Observed DNS Query to Lumma Stealer Domain (3xp3cts1aim .sbs)	1	192.168.2.12	54571	1.1.1.1	53	UDP
2024-12-18T14:30:23.667247+0100	2057664	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (p3ar11fter .sbs)	1	192.168.2.12	53967	1.1.1.1	53	UDP
2024-12-18T14:30:23.667247+0100	2057698	ET MALWARE Observed DNS Query to Lumma Stealer Domain (p3ar11fter .sbs)	1	192.168.2.12	53967	1.1.1.1	53	UDP
2024-12-18T14:30:25.378885+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.12	49716	23.55.153.106	443	TCP
2024-12-18T14:30:26.159414+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.12	49716	23.55.153.106	443	TCP
2024-12-18T14:30:28.010095+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.12	49717	172.67.157.254	443	TCP
2024-12-18T14:30:28.753015+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.12	49717	172.67.157.254	443	TCP
2024-12-18T14:30:28.753015+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.12	49717	172.67.157.254	443	TCP
2024-12-18T14:30:29.808481+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.12	49718	172.67.157.254	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 14:30:23.973855019 CET	49716	443	192.168.2.12	23.55.153.106
Dec 18, 2024 14:30:23.973886013 CET	443	49716	23.55.153.106	192.168.2.12
Dec 18, 2024 14:30:23.973964930 CET	49716	443	192.168.2.12	23.55.153.106
Dec 18, 2024 14:30:23.987082005 CET	49716	443	192.168.2.12	23.55.153.106
Dec 18, 2024 14:30:23.987098932 CET	443	49716	23.55.153.106	192.168.2.12
Dec 18, 2024 14:30:25.378787041 CET	443	49716	23.55.153.106	192.168.2.12
Dec 18, 2024 14:30:25.378885031 CET	49716	443	192.168.2.12	23.55.153.106
Dec 18, 2024 14:30:25.381505013 CET	49716	443	192.168.2.12	23.55.153.106
Dec 18, 2024 14:30:25.381511927 CET	443	49716	23.55.153.106	192.168.2.12
Dec 18, 2024 14:30:25.381726980 CET	443	49716	23.55.153.106	192.168.2.12
Dec 18, 2024 14:30:25.433367968 CET	49716	443	192.168.2.12	23.55.153.106
Dec 18, 2024 14:30:25.434109926 CET	49716	443	192.168.2.12	23.55.153.106
Dec 18, 2024 14:30:25.475358009 CET	443	49716	23.55.153.106	192.168.2.12
Dec 18, 2024 14:30:26.159389019 CET	443	49716	23.55.153.106	192.168.2.12
Dec 18, 2024 14:30:26.159411907 CET	443	49716	23.55.153.106	192.168.2.12
Dec 18, 2024 14:30:26.159420013 CET	443	49716	23.55.153.106	192.168.2.12
Dec 18, 2024 14:30:26.159446001 CET	443	49716	23.55.153.106	192.168.2.12
Dec 18, 2024 14:30:26.159459114 CET	443	49716	23.55.153.106	192.168.2.12
Dec 18, 2024 14:30:26.159511089 CET	49716	443	192.168.2.12	23.55.153.106
Dec 18, 2024 14:30:26.159527063 CET	443	49716	23.55.153.106	192.168.2.12
Dec 18, 2024 14:30:26.159554005 CET	49716	443	192.168.2.12	23.55.153.106
Dec 18, 2024 14:30:26.159579039 CET	49716	443	192.168.2.12	23.55.153.106
Dec 18, 2024 14:30:26.329011917 CET	443	49716	23.55.153.106	192.168.2.12
Dec 18, 2024 14:30:26.329056025 CET	443	49716	23.55.153.106	192.168.2.12
Dec 18, 2024 14:30:26.329137087 CET	49716	443	192.168.2.12	23.55.153.106
Dec 18, 2024 14:30:26.329159975 CET	443	49716	23.55.153.106	192.168.2.12
Dec 18, 2024 14:30:26.329199076 CET	49716	443	192.168.2.12	23.55.153.106
Dec 18, 2024 14:30:26.359700918 CET	443	49716	23.55.153.106	192.168.2.12
Dec 18, 2024 14:30:26.359744072 CET	443	49716	23.55.153.106	192.168.2.12
Dec 18, 2024 14:30:26.359774113 CET	443	49716	23.55.153.106	192.168.2.12
Dec 18, 2024 14:30:26.359822035 CET	49716	443	192.168.2.12	23.55.153.106
Dec 18, 2024 14:30:26.359886885 CET	49716	443	192.168.2.12	23.55.153.106
Dec 18, 2024 14:30:26.513665915 CET	49716	443	192.168.2.12	23.55.153.106
Dec 18, 2024 14:30:26.513695002 CET	443	49716	23.55.153.106	192.168.2.12
Dec 18, 2024 14:30:26.513705969 CET	49716	443	192.168.2.12	23.55.153.106
Dec 18, 2024 14:30:26.513711929 CET	443	49716	23.55.153.106	192.168.2.12
Dec 18, 2024 14:30:26.788006067 CET	49717	443	192.168.2.12	172.67.157.254
Dec 18, 2024 14:30:26.788068056 CET	443	49717	172.67.157.254	192.168.2.12
Dec 18, 2024 14:30:26.788163900 CET	49717	443	192.168.2.12	172.67.157.254
Dec 18, 2024 14:30:26.788559914 CET	49717	443	192.168.2.12	172.67.157.254
Dec 18, 2024 14:30:26.788578033 CET	443	49717	172.67.157.254	192.168.2.12
Dec 18, 2024 14:30:28.009991884 CET	443	49717	172.67.157.254	192.168.2.12
Dec 18, 2024 14:30:28.010094881 CET	49717	443	192.168.2.12	172.67.157.254
Dec 18, 2024 14:30:28.013725042 CET	49717	443	192.168.2.12	172.67.157.254
Dec 18, 2024 14:30:28.013756037 CET	443	49717	172.67.157.254	192.168.2.12
Dec 18, 2024 14:30:28.014183998 CET	443	49717	172.67.157.254	192.168.2.12
Dec 18, 2024 14:30:28.015531063 CET	49717	443	192.168.2.12	172.67.157.254
Dec 18, 2024 14:30:28.015567064 CET	49717	443	192.168.2.12	172.67.157.254
Dec 18, 2024 14:30:28.015640020 CET	443	49717	172.67.157.254	192.168.2.12
Dec 18, 2024 14:30:28.753072023 CET	443	49717	172.67.157.254	192.168.2.12
Dec 18, 2024 14:30:28.753336906 CET	443	49717	172.67.157.254	192.168.2.12
Dec 18, 2024 14:30:28.753432035 CET	49717	443	192.168.2.12	172.67.157.254
Dec 18, 2024 14:30:28.753660917 CET	49717	443	192.168.2.12	172.67.157.254
Dec 18, 2024 14:30:28.753680944 CET	443	49717	172.67.157.254	192.168.2.12
Dec 18, 2024 14:30:28.753691912 CET	49717	443	192.168.2.12	172.67.157.254
Dec 18, 2024 14:30:28.753696918 CET	443	49717	172.67.157.254	192.168.2.12
Dec 18, 2024 14:30:28.804709911 CET	49718	443	192.168.2.12	172.67.157.254
Dec 18, 2024 14:30:28.804747105 CET	443	49718	172.67.157.254	192.168.2.12
Dec 18, 2024 14:30:28.804896116 CET	49718	443	192.168.2.12	172.67.157.254
Dec 18, 2024 14:30:28.805167913 CET	49718	443	192.168.2.12	172.67.157.254
Dec 18, 2024 14:30:28.805181980 CET	443	49718	172.67.157.254	192.168.2.12
Dec 18, 2024 14:30:29.808480978 CET	49718	443	192.168.2.12	172.67.157.254

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 14:30:21.818146944 CET	59712	53	192.168.2.12	1.1.1.1
Dec 18, 2024 14:30:22.541521072 CET	53	59712	1.1.1.1	192.168.2.12
Dec 18, 2024 14:30:22.545634031 CET	49972	53	192.168.2.12	1.1.1.1
Dec 18, 2024 14:30:22.682956934 CET	53	49972	1.1.1.1	192.168.2.12
Dec 18, 2024 14:30:22.686919928 CET	50487	53	192.168.2.12	1.1.1.1
Dec 18, 2024 14:30:22.825598955 CET	53	50487	1.1.1.1	192.168.2.12
Dec 18, 2024 14:30:22.828567982 CET	55691	53	192.168.2.12	1.1.1.1
Dec 18, 2024 14:30:23.052493095 CET	53	55691	1.1.1.1	192.168.2.12
Dec 18, 2024 14:30:23.055794954 CET	58670	53	192.168.2.12	1.1.1.1
Dec 18, 2024 14:30:23.204844952 CET	53	58670	1.1.1.1	192.168.2.12
Dec 18, 2024 14:30:23.206406116 CET	58022	53	192.168.2.12	1.1.1.1
Dec 18, 2024 14:30:23.343770027 CET	53	58022	1.1.1.1	192.168.2.12
Dec 18, 2024 14:30:23.345438004 CET	54215	53	192.168.2.12	1.1.1.1
Dec 18, 2024 14:30:23.483659983 CET	53	54215	1.1.1.1	192.168.2.12
Dec 18, 2024 14:30:23.485114098 CET	54571	53	192.168.2.12	1.1.1.1
Dec 18, 2024 14:30:23.622920036 CET	53	54571	1.1.1.1	192.168.2.12
Dec 18, 2024 14:30:23.667247057 CET	53967	53	192.168.2.12	1.1.1.1
Dec 18, 2024 14:30:23.805118084 CET	53	53967	1.1.1.1	192.168.2.12
Dec 18, 2024 14:30:23.815126896 CET	53365	53	192.168.2.12	1.1.1.1
Dec 18, 2024 14:30:23.953197956 CET	53	53365	1.1.1.1	192.168.2.12
Dec 18, 2024 14:30:26.648303032 CET	54231	53	192.168.2.12	1.1.1.1
Dec 18, 2024 14:30:26.786679029 CET	53	54231	1.1.1.1	192.168.2.12

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 18, 2024 14:30:21.818146944 CET	192.168.2.12	1.1.1.1	0x4242	Standard query (0)	push-hook.cyou	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:30:22.545634031 CET	192.168.2.12	1.1.1.1	0x7690	Standard query (0)	processhol.sbs	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:30:22.686919928 CET	192.168.2.12	1.1.1.1	0x9d9	Standard query (0)	librari-night.sbs	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:30:22.828567982 CET	192.168.2.12	1.1.1.1	0xef39	Standard query (0)	befall-sm0ker.sbs	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:30:23.055794954 CET	192.168.2.12	1.1.1.1	0x9eb4	Standard query (0)	p10tgrace.sbs	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:30:23.206406116 CET	192.168.2.12	1.1.1.1	0x9e0a	Standard query (0)	peepburry828.sbs	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:30:23.345438004 CET	192.168.2.12	1.1.1.1	0x105a	Standard query (0)	owner-vacat10n.sbs	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:30:23.485114098 CET	192.168.2.12	1.1.1.1	0x5f20	Standard query (0)	3xp3cts1aim.sbs	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:30:23.667247057 CET	192.168.2.12	1.1.1.1	0xca63	Standard query (0)	p3ar11fter.sbs	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:30:23.815126896 CET	192.168.2.12	1.1.1.1	0xaff9	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:30:26.648303032 CET	192.168.2.12	1.1.1.1	0x9de2	Standard query (0)	lev-tolstoi.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 18, 2024 14:30:22.541521072 CET	1.1.1.1	192.168.2.12	0x4242	Name error (3)	push-hook.cyou	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:30:22.682956934 CET	1.1.1.1	192.168.2.12	0x7690	Name error (3)	processhol.sbs	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:30:22.825598955 CET	1.1.1.1	192.168.2.12	0x9d9	Name error (3)	librari-night.sbs	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:30:23.052493095 CET	1.1.1.1	192.168.2.12	0xef39	Name error (3)	befall-sm0ker.sbs	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:30:23.204844952 CET	1.1.1.1	192.168.2.12	0x9eb4	Name error (3)	p10tgrace.sbs	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:30:23.343770027 CET	1.1.1.1	192.168.2.12	0x9e0a	Name error (3)	peepburry828.sbs	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:30:23.483659983 CET	1.1.1.1	192.168.2.12	0x105a	Name error (3)	owner-vacat10n.sbs	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:30:23.622920036 CET	1.1.1.1	192.168.2.12	0x5f20	Name error (3)	3xp3cts1aim.sbs	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:30:23.805118084 CET	1.1.1.1	192.168.2.12	0xca63	Name error (3)	p3ar11fter.sbs	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:30:23.953197956 CET	1.1.1.1	192.168.2.12	0xaff9	No error (0)	steamcommunity.com		23.55.153.106	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:30:26.786679029 CET	1.1.1.1	192.168.2.12	0x9de2	No error (0)	lev-tolstoi.com		172.67.157.254	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:30:26.786679029 CET	1.1.1.1	192.168.2.12	0x9de2	No error (0)	lev-tolstoi.com		104.21.66.86	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

lev-tolstoi.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.12	49716	23.55.153.106	443	6872	C:\Users\user\Desktop\aqbjn3fl.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 13:30:25 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-12-18 13:30:26 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Wed, 18 Dec 2024 13:30:25 GMT Content-Length: 35121 Connection: close Set-Cookie: sessionid=478cb7a3bcd02656fbde365a; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2024-12-18 13:30:26 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2024-12-18 13:30:26 UTC	10097	IN	Data Raw: 2e 63 6f 6d 2f 3f 73 75 62 73 65 63 74 69 6f 6e 3d 62 72 6f 61 64 63 61 73 74 73 22 3e 0a 09 09 09 09 09 09 42 72 6f 61 64 63 61 73 74 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 62 6f 75 74 2f 22 3e 0a 09 09 09 09 41 62 6f 75 74 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 65 6c 70 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 65 6e 2f 22 3e 0a 09 09 09 09 53 55 50 50 4f 52 54 09 Data Ascii: .com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPORT
2024-12-18 13:30:26 UTC	10545	IN	Data Raw: 4e 49 56 45 52 53 45 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 70 75 62 6c 69 63 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4c 41 4e 47 55 41 47 45 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 65 6e 67 6c 69 73 68 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 43 4f 55 4e 54 52 59 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 55 53 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4d 45 44 49 41 5f 43 44 4e 5f 43 4f 4d 4d 55 4e 49 54 59 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 63 64 6e 2e 66 61 73 74 6c 79 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 5c 2f 70 75 62 6c 69 63 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4d 45 44 49 41 5f 43 44 4e 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 Data Ascii: NIVERSE":"public","LANGUAGE":"english","COUNTRY":"US","MEDIA_CDN_COMMUNITY_URL":"https:\/\/cdn.fastly.steamstatic.com\/steamcommunity\/public\/","MEDIA_CDN_URL":"htt

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.12	49717	172.67.157.254	443	6872	C:\Users\user\Desktop\aqbjn3fl.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 13:30:28 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: lev-tolstoi.com
2024-12-18 13:30:28 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-18 13:30:28 UTC	1032	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 13:30:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=llmeq345h15km3ff8o9m9qo1ht; expires=Sun, 13-Apr-2025 07:17:07 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=L%2BJJA0mqoF09w6q8ArZevPQNjAE5O9uFi0cRUiH6zVpd2gkRmR9c9IrV1h1kev29oa47507mYJEpHSI8nG3hdT%2B6qSV0VvLjRTv3kEdyBGxcIcMeuW8ZPNmUCOUc90IEa6E%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3f81f6bb50c34a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1615&min_rtt=1610&rtt_var=614&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2834&recv_bytes=906&delivery_rate=1766485&cwnd=155&unsent_bytes=0&cid=edba3bccebaa9611&ts=758&x=0"
2024-12-18 13:30:28 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-18 13:30:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	08:30:18
Start date:	18/12/2024
Path:	C:\Users\user\Desktop\aqbjn3fl.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\aqbjn3fl.exe"
Imagebase:	0x10000
File size:	586'368 bytes
MD5 hash:	34A152EB5D1D3E63DAFEF23579042933
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.2416307371.00000000029DA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:30:18
Start date:	18/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:30:21
Start date:	18/12/2024
Path:	C:\Users\user\Desktop\aqbjn3fl.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\aqbjn3fl.exe"
Imagebase:	0x10000
File size:	586'368 bytes
MD5 hash:	34A152EB5D1D3E63DAFEF23579042933
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0.7%
Signature Coverage:	3.4%
Total number of Nodes:	1111
Total number of Limit Nodes:	20

Executed Functions

Function 0004D18D Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,0004D0FF,0004D0EF), ref: 0004D323
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 0004D336
Wow64GetThreadContext.KERNEL32(000000D0,00000000), ref: 0004D354
ReadProcessMemory.KERNELBASE(000000D8,?,0004D143,00000004,00000000), ref: 0004D378
VirtualAllocEx.KERNELBASE(000000D8,?,?,00003000,00000040), ref: 0004D3A3
WriteProcessMemory.KERNELBASE(000000D8,00000000,?,?,00000000,?), ref: 0004D3FB
WriteProcessMemory.KERNELBASE(000000D8,00400000,?,?,00000000,?,00000028), ref: 0004D446
WriteProcessMemory.KERNELBASE(000000D8,?,?,00000004,00000000), ref: 0004D484
Wow64SetThreadContext.KERNEL32(000000D0,02770000), ref: 0004D4C0
ResumeThread.KERNELBASE(000000D0), ref: 0004D4CF

Strings

WriteProcessMemory, xrefs: 0004D29E
CreateProcessW, xrefs: 0004D23F
aryA, xrefs: 0004D1D1
GetThreadContext, xrefs: 0004D265
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 0004D322
GetP, xrefs: 0004D20D
ReadProcessMemory, xrefs: 0004D278
VirtualAllocEx, xrefs: 0004D28B
VirtualAlloc, xrefs: 0004D252
ress, xrefs: 0004D215
Load, xrefs: 0004D1C9
SetThreadContext, xrefs: 0004D2B1
ResumeThread, xrefs: 0004D2C7
TerminateProcess, xrefs: 0004D3B2

Memory Dump Source

Source File: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-3857624555
Opcode ID: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction ID: dec9129becd6a32c06ae826e403022949160700ae6165e360608a4afa67cf2e5
Opcode Fuzzy Hash: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction Fuzzy Hash: 38B1077660064AAFDB60CF68CC80BDA73A5FF88714F158525EA0CAB341D770FA51CB94

Function 0001D478 Relevance: 1.5, Strings: 1, Instructions: 206
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XvIL, xrefs: 0001CDE8

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID:
String ID: XvIL
API String ID: 0-558896452
Opcode ID: 839567868054047157df3ce8d712c03bdea64ab93e400e3c6eb194eaac349caf
Instruction ID: 3b564756ba2882eec9b670566b37abbf5032438b0169e607dd2da4504dd2ee04
Opcode Fuzzy Hash: 839567868054047157df3ce8d712c03bdea64ab93e400e3c6eb194eaac349caf
Instruction Fuzzy Hash: C8618A753416019FAE2C9A28A9E59BC77E1DF98320B25413FF81757AF0C625ECC28786

Function 00040EA8 Relevance: 7.7, APIs: 5, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__alloca_probe_16.LIBCMT ref: 00040F2D
__alloca_probe_16.LIBCMT ref: 00040FF6
__freea.LIBCMT ref: 0004105D

Part of subcall function 0003EBBB: RtlAllocateHeap.NTDLL(00000000,000176E8,?,?,000176E8,01E84800), ref: 0003EBED

__freea.LIBCMT ref: 00041070
__freea.LIBCMT ref: 0004107D

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: 244b86777bd589027b1e15e01b043b5589b7c9d3ba622c7084170db9988f6418
Instruction ID: 9f3e4158fd1ba72fe69e14923248d9a11bf14619091674203dc805778263ecab
Opcode Fuzzy Hash: 244b86777bd589027b1e15e01b043b5589b7c9d3ba622c7084170db9988f6418
Instruction Fuzzy Hash: 8F51A1B2600246ABEB215E61CC81EEB7BEDEF44710F190539FD18E6192EB71DD908664

Function 0003D4EA Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0003D6EF: GetOEMCP.KERNEL32(00000000,?,?,788496A7,?), ref: 0003D71A

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,0003D8FA,?,00000000,?,788496A7,?), ref: 0003D54B
GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,0003D8FA,?,00000000,?,788496A7,?), ref: 0003D587

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 54ba5cc2fd628f6b712ad4ee65745f9984a2de206a29a23be9c980b9a1d21813
Instruction ID: 5058b98631339aa1152c4253251136e9f8dd885234275b16e4102cdb0510b92f
Opcode Fuzzy Hash: 54ba5cc2fd628f6b712ad4ee65745f9984a2de206a29a23be9c980b9a1d21813
Instruction Fuzzy Hash: B45135B0A007449FDB22CF75E882AEABBFDEF45304F18446FD09A87252E7749945CB91

Function 0003D2D2 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,00000000,0003D1C1,0004CB48,0000000C), ref: 0003D31E
GetFileType.KERNELBASE(00000000,?,?,?,?,?,?,?,00000000,0003D1C1,0004CB48,0000000C), ref: 0003D330

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 7387f8d28dd3b75c2d930af989f23150923b5ece5f6001d1f339ceb8d7b553f6
Instruction ID: a2d0b0528f5bfb7ac235b806e103aa12cf325a59bac1940724acd73ab701d47c
Opcode Fuzzy Hash: 7387f8d28dd3b75c2d930af989f23150923b5ece5f6001d1f339ceb8d7b553f6
Instruction Fuzzy Hash: AD11D6B1104B424AD7724E3EAC88626BADDA767330F38071BD0B6875F2C334DE46D246

Function 0001A0B0 Relevance: 3.1, APIs: 2, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 0001A146
ExitProcess.KERNEL32 ref: 0001A16C

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 95192161d06e232f77c07508fc7e0645b6dc9df6cc5ebdaa501c68285a89bd91
Instruction ID: 201d925357ed5f416f57de4990840706ed39bb697fb86e46778f34da88f4fdff
Opcode Fuzzy Hash: 95192161d06e232f77c07508fc7e0645b6dc9df6cc5ebdaa501c68285a89bd91
Instruction Fuzzy Hash: FE112775B111146BE7984A388960BAE37EB8BCF720F25407AE845D7380DE359C4A8781

Function 0003C7EC Relevance: 3.0, APIs: 2, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LCMapStringEx.KERNELBASE(?,00040F98,?,?,-00000008,?,00000000,00000000,00000000,00000000,00000000), ref: 0003C820
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,-00000008,-00000008,?,00040F98,?,?,-00000008,?,00000000), ref: 0003C83E

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: c7e58f6d1fcdaaf1d04b75c1f0d6313fd6cda65a7dfd533b28c72c648e4d47f9
Instruction ID: 38190bc81578fc9afc0eabbad1aa0eff87248127f86f0ea2f429e81babba534c
Opcode Fuzzy Hash: c7e58f6d1fcdaaf1d04b75c1f0d6313fd6cda65a7dfd533b28c72c648e4d47f9
Instruction Fuzzy Hash: A8F09D3600011ABBDF135F91DD05DDE3F6AFF88364F054020FA1865121CB36C932AB90

Function 0003DC6B Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,0003BCAC,0001782F), ref: 0003DC81
GetLastError.KERNEL32(?,?,0003BCAC,0001782F), ref: 0003DC8C

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 2b2bb7ea817be22919a18e35334c3c0d8eb7197f1149edb42b37ddafec264c49
Instruction ID: 0bfd26e544fdeb207849aac76a7c034c4b31239970d4d05b306bb4a0d14f832c
Opcode Fuzzy Hash: 2b2bb7ea817be22919a18e35334c3c0d8eb7197f1149edb42b37ddafec264c49
Instruction Fuzzy Hash: 8BE0CD755026496BEB523FE1FF0CBC53B9C9F45351F504151FA08860B1C7B88950C798

Function 0003DA79 Relevance: 1.6, APIs: 1, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCPInfo.KERNEL32(00000083,?,00000005,0003D8FA,?), ref: 0003DAAB

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 4bb8b95590a02c03695d8f9a98eb81f66ca1fc3dd3fa7322ca4a31d602b1ee92
Instruction ID: e865d9a4263bdc01867067e51033d477e12cbd5c015a5f161ee965a414f6d596
Opcode Fuzzy Hash: 4bb8b95590a02c03695d8f9a98eb81f66ca1fc3dd3fa7322ca4a31d602b1ee92
Instruction Fuzzy Hash: 8C515BB1508158AFDB128F28DDC4BE9BBACEF16304F1401EAE599C7182D3759E45DB60

Function 0001B0E4 Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0001B0FC

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: e7920baf7d4a0fbad8df97d7c9edeb8bb67e53e4bf821c6cd0b3499f8175cd88
Instruction ID: ac95ff3607dec4aaf8b6f6977db20aacc420f19404ebba380aee1852ae8aa57c
Opcode Fuzzy Hash: e7920baf7d4a0fbad8df97d7c9edeb8bb67e53e4bf821c6cd0b3499f8175cd88
Instruction Fuzzy Hash: CE11257570A3429FAE7C8A2849A48BD62937BD7320F38445EF403877A4DA6288C99607

Function 0003EBBB Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,000176E8,?,?,000176E8,01E84800), ref: 0003EBED

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0009ba35dadf56271f66e442727b8aaca7cd66a91f2de16a0e15191bf3e2470d
Instruction ID: f5c938ec7196f0846c04690bf73a0a25b7ce6ffe4b0eb61e188a614bcb8c8f86
Opcode Fuzzy Hash: 0009ba35dadf56271f66e442727b8aaca7cd66a91f2de16a0e15191bf3e2470d
Instruction Fuzzy Hash: 23E09B352052E65AE7732AA5ED05F9FB68C9F437B0F550321FC06961D2DF64DC0181E5

Non-executed Functions

Function 00026350 Relevance: 77.7, Strings: 61, Instructions: 1445COMMON

Download Yara Rule

Strings

i^', xrefs: 00027132
zL%, xrefs: 00026BD3
V?D, xrefs: 000271C5
zL%, xrefs: 000273EC
V?D, xrefs: 000273C6
zL%, xrefs: 00027044
V?D, xrefs: 00027B1B
zL%, xrefs: 00026F8C
zL%, xrefs: 00026B33
zL%, xrefs: 00026EBF
zL%, xrefs: 00027829
zL%, xrefs: 0002779C
zL%, xrefs: 00026BE8
zL%, xrefs: 00026BBE
zL%, xrefs: 0002783E
zL%, xrefs: 00026B09
i^', xrefs: 00027124
zL%, xrefs: 000273B6
zL%, xrefs: 00027BC6
zL%, xrefs: 00027600
LH%Y, xrefs: 000272E1
LH%Y, xrefs: 000276BD
i^', xrefs: 00027644
zL%, xrefs: 0002790E
KJn?, xrefs: 000279BD
zL%, xrefs: 00026658
zL%, xrefs: 00026A37
i^', xrefs: 00027354
zL%, xrefs: 00027967
{L%, xrefs: 00026D0C
V?D, xrefs: 000271BA
zL%, xrefs: 00027A49
zL%, xrefs: 00026B1E
V?D, xrefs: 00027183
zL%, xrefs: 00027173
zL%, xrefs: 000269BE
zL%, xrefs: 00027B20
zL%, xrefs: 00027282
zL%, xrefs: 0002691C
zL%, xrefs: 000264EF
{L%, xrefs: 00026C2C
LH%Y, xrefs: 00027023
zL%, xrefs: 000263B0
zL%, xrefs: 000268E6
zL%, xrefs: 00026FD8
KJn?, xrefs: 000271A4
zL%, xrefs: 00026A22
zL%, xrefs: 00027B71
zL%, xrefs: 0002797C
zL%, xrefs: 000276D2
zL%, xrefs: 00026611
KH%Y, xrefs: 0002700D
KJn?, xrefs: 000279AF
LH%Y, xrefs: 000272EF
{L%, xrefs: 0002729D
zL%, xrefs: 0002638E
h^', xrefs: 0002705B
zL%, xrefs: 000268B0
KJn?, xrefs: 00026D58
zL%, xrefs: 00027380
{L%, xrefs: 00026D1A

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID:
String ID: KH%Y$KJn?$KJn?$KJn?$KJn?$LH%Y$LH%Y$LH%Y$LH%Y$h^'$i^'$i^'$i^'$i^'$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%${L%${L%${L%${L%$V?D$V?D$V?D$V?D$V?D
API String ID: 0-3543999248
Opcode ID: 01e82bdda65773109ba1bd08b176dd7d8fa133b49ac6eeb208434b5371564cfa
Instruction ID: e5fa54cfe2324b00ff3d52d824d699b3512985e7ca238236e55b1862507d32ab
Opcode Fuzzy Hash: 01e82bdda65773109ba1bd08b176dd7d8fa133b49ac6eeb208434b5371564cfa
Instruction Fuzzy Hash: 1FB2187A2096204F5A78CA28B6C462D72D3AFD93347758B16D42ACF7F4CB36CD468742

Function 00029BA0 Relevance: 45.8, Strings: 35, Instructions: 2072COMMON

Download Yara Rule

Strings

2h`?, xrefs: 0002BE71
Hyol, xrefs: 0002B731
J+z7, xrefs: 0002AE17
fM@#, xrefs: 0002B840
Hyol, xrefs: 0002AF4E
Dt, xrefs: 0002B700
(, xrefs: 00029CC0
zN_, xrefs: 0002AC13
Hyol, xrefs: 0002B543
Hyol, xrefs: 0002B539
Yrf1, xrefs: 0002A320
[u, xrefs: 00029DAB
No, xrefs: 0002B177
X8|, xrefs: 0002BE8E
X8|, xrefs: 0002B865
2h`?, xrefs: 0002AC0E
W8|, xrefs: 0002B3BE
2h`?, xrefs: 0002B438
No, xrefs: 00029FBE
zN_, xrefs: 0002BC0C
sL, xrefs: 0002BB8E
zN_, xrefs: 0002B6BA
sL, xrefs: 0002B6F4
Dt, xrefs: 0002A4AE
fM@#, xrefs: 0002BE46
fM@#, xrefs: 0002BABF
Dt, xrefs: 0002ACC0
Yrf1, xrefs: 0002B2E2
J+z7, xrefs: 0002B1C9
Yrf1, xrefs: 0002B9CE
(, xrefs: 00029C90
[u, xrefs: 0002AC9F
2h`?, xrefs: 0002AC18
(, xrefs: 0002A480
[u, xrefs: 0002A048

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID:
String ID: ($($($sL$sL$2h`?$2h`?$2h`?$2h`?$Dt$Dt$Dt$Hyol$Hyol$Hyol$Hyol$J+z7$J+z7$W8|$X8|$X8|$Yrf1$Yrf1$Yrf1$fM@#$fM@#$fM@#$zN_$zN_$zN_$No$No$[u$[u$[u
API String ID: 0-1459843020
Opcode ID: da0b1d02567ae825d8c1464fcf7345ee323ecb9041d3c16f882e5c7b5f27353f
Instruction ID: 6ad63dcc3c355c87a25980f1b4da9639931ab6a6f28677a4f1f256307b2a2010
Opcode Fuzzy Hash: da0b1d02567ae825d8c1464fcf7345ee323ecb9041d3c16f882e5c7b5f27353f
Instruction Fuzzy Hash: 1CE2F47B7156218B5A78CA2CFAC846D73D397D5330B3B8663DC124B7E8DB388C858646

Function 00031D50 Relevance: 32.0, Strings: 24, Instructions: 1978COMMON

Download Yara Rule

Strings

&, xrefs: 000339A1
&qq!, xrefs: 0003376A
fVp, xrefs: 00031E20
"]j, xrefs: 000324A3
fVp, xrefs: 00032A00
>g[, xrefs: 00031F30
/YS, xrefs: 000336A9
"]j, xrefs: 00033A08
,I"w, xrefs: 00033B7F
&, xrefs: 000339AC
,I"w, xrefs: 00032E48
+I"w, xrefs: 000320F9
,I"w, xrefs: 000337A5
,I"w, xrefs: 00033797
/YS, xrefs: 00031F6C
&, xrefs: 000332E0
&qq!, xrefs: 000321C2
!]j, xrefs: 00031E30
&qq!, xrefs: 0003327B
&, xrefs: 0003299F
&qq!, xrefs: 0003375C
"]j, xrefs: 000339FE
/YS, xrefs: 000336BB
"]j, xrefs: 00032987

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID:
String ID: >g[$!]j$"]j$"]j$"]j$"]j$&qq!$&qq!$&qq!$&qq!$&$&$&$&$+I"w$,I"w$,I"w$,I"w$,I"w$fVp$fVp$/YS$/YS$/YS
API String ID: 0-635301867
Opcode ID: 0883a6ccc38ceb034d2eff05b6c9a6e666bcc359339cbe1af7d4287b90fdd29e
Instruction ID: 7b2e26f6240a49290859d7844864ae8c209857d46cbb757a33c70ad0d85ba80c
Opcode Fuzzy Hash: 0883a6ccc38ceb034d2eff05b6c9a6e666bcc359339cbe1af7d4287b90fdd29e
Instruction Fuzzy Hash: 2FD28A7F6055408B9A6DC624E9E457D72DBABD9370F34870FD9238BBE4C7368D818A02

Function 0002F360 Relevance: 19.6, Strings: 14, Instructions: 2099COMMON

Download Yara Rule

Strings

$^t0, xrefs: 00030423
$^t0, xrefs: 00030252
6Haz, xrefs: 00031176
lX]E, xrefs: 0002FD20
lX]E, xrefs: 000303A1
kX]E, xrefs: 0002F61B
6Haz, xrefs: 00030A2A
>am#, xrefs: 0002F3DF
>am#, xrefs: 00030232
lX]E, xrefs: 00030324
$^t0, xrefs: 00030031
>am#, xrefs: 0002FB35
=am#, xrefs: 0002F4B4
6Haz, xrefs: 0002F968

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID:
String ID: $^t0$$^t0$$^t0$6Haz$6Haz$6Haz$=am#$>am#$>am#$>am#$kX]E$lX]E$lX]E$lX]E
API String ID: 0-4155389939
Opcode ID: 757d0e80f9a58a9297aae68c1c3a9182fb70d1e907c0d759971e658464392a3e
Instruction ID: ad4cd20a80a31b04264fb0ea16c8433a371ebc5facb2a6bbb7c45c06f998408c
Opcode Fuzzy Hash: 757d0e80f9a58a9297aae68c1c3a9182fb70d1e907c0d759971e658464392a3e
Instruction Fuzzy Hash: 27D2707AF012258B8F3C9A2CE5E407EB3E1AF45750B25027FED23AB3A0C7629C458655

Function 00037860 Relevance: 17.1, Strings: 13, Instructions: 886COMMON

Download Yara Rule

Strings

WlUi, xrefs: 00037B77
U/, xrefs: 00037DBE
WlUi, xrefs: 00038381
WlUi, xrefs: 00037B85
1I#, xrefs: 00037BC2
WlUi, xrefs: 00037E41
U/, xrefs: 0003856A
1I#, xrefs: 00037BB0
VlUi, xrefs: 000380CD
U/, xrefs: 00038144
1I#, xrefs: 0003832E
U/, xrefs: 0003854D
1I#, xrefs: 00037CE2

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID:
String ID: VlUi$WlUi$WlUi$WlUi$WlUi$1I#$1I#$1I#$1I#$U/$U/$U/$U/
API String ID: 0-3233344364
Opcode ID: 41dafd44f283d62644efe03f6fa99898e7062b31112e7fa21e9c292e707c8a40
Instruction ID: 06e5e61dd23b61a03ff3e6f5bdc2de59c0e48afbd0d6b8df8d3f683efe7409ef
Opcode Fuzzy Hash: 41dafd44f283d62644efe03f6fa99898e7062b31112e7fa21e9c292e707c8a40
Instruction Fuzzy Hash: 2652827A6087044F5A79D728DAC802E76C9B7A5320F24C656EA29CF3F5FE64DC81C741

Function 0002DD20 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 293COMMON

Download Yara Rule

Strings

eIY, xrefs: 0002DE18
S@, xrefs: 0002E403
eIY, xrefs: 0002DDB8
string too long, xrefs: 0002DE7A
eIY, xrefs: 0002DD95

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID:
String ID: string too long$S@$eIY$eIY$eIY
API String ID: 0-2211027269
Opcode ID: 177d24e1cf10aad24d9a88396b0cdbacef37842087ec26e9c6f77c7e5373cdc7
Instruction ID: bdc4ccc44e5740010fcb472108928456d3508d6da8da9757291c1f6385f1bf2b
Opcode Fuzzy Hash: 177d24e1cf10aad24d9a88396b0cdbacef37842087ec26e9c6f77c7e5373cdc7
Instruction Fuzzy Hash: 11916B363046708F9E74C728FAD922D35D36BE1324B7A8917E815CFBA5D735CC858246

Function 00025F80 Relevance: 9.0, Strings: 7, Instructions: 233COMMON

Download Yara Rule

Strings

9z`, xrefs: 00026008
C`lB, xrefs: 00026020
9z`, xrefs: 000262CB
C`lB, xrefs: 0002606B
9z`, xrefs: 0002612C
C`lB, xrefs: 00026049
9z`, xrefs: 0002614A

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID:
String ID: C`lB$C`lB$C`lB$9z`$9z`$9z`$9z`
API String ID: 0-915920326
Opcode ID: 77186d82573ccb9f4f52ce08e53d22ba370073324501b3851b562ab4844a4924
Instruction ID: 591618f4161f3d7534bb3fb06acdb34b450eee5b2e648dfeb6b7a501ee20cde1
Opcode Fuzzy Hash: 77186d82573ccb9f4f52ce08e53d22ba370073324501b3851b562ab4844a4924
Instruction Fuzzy Hash: 0181453B5006608BDA744A286A8471D76D1AB91364F368763DC12EF7F0C73ACC0ADBC5

Function 0001A36B Relevance: 9.0, Strings: 7, Instructions: 230COMMON

Download Yara Rule

Strings

A\, xrefs: 0001A9AB
"!-, xrefs: 0001B46D
"!-, xrefs: 0001B872
"!-, xrefs: 0001B880
@\, xrefs: 0001A377
A\, xrefs: 0001B85B
A\, xrefs: 0001B86D

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID:
String ID: @\$A\$A\$A\$"!-$"!-$"!-
API String ID: 0-1374745079
Opcode ID: 5148075693be7e5c1249ed55b68453522c1ba53a94439fd7f0c763ccfed5064f
Instruction ID: 9e7e1ca56f57c86cddfb87af196f6e09e9b4aae4075f67185987c7895ce32c43
Opcode Fuzzy Hash: 5148075693be7e5c1249ed55b68453522c1ba53a94439fd7f0c763ccfed5064f
Instruction Fuzzy Hash: 52713D3A3452409B597CCA2859E54BD72C3ABE7330B39821FD9138B7E4DB358CC55A47

Function 0002D4C0 Relevance: 8.1, Strings: 6, Instructions: 552COMMON

Download Yara Rule

Strings

.'K`, xrefs: 0002D5A7
$\Z, xrefs: 0002DC83
.'K`, xrefs: 0002D654
-'K`, xrefs: 0002D55B
$\Z, xrefs: 0002D5D1
.'K`, xrefs: 0002DB06

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID:
String ID: -'K`$.'K`$.'K`$.'K`$$\Z$$\Z
API String ID: 0-1124325746
Opcode ID: 69fcdc068fcadf3d61089bedb391610d0c82f19904e0a01f70303dd70e97c104
Instruction ID: 3a7588f4b7ba3f0593e655d10e4b09d33c55aa6d0b092d3d2ca57361f2bd3b7d
Opcode Fuzzy Hash: 69fcdc068fcadf3d61089bedb391610d0c82f19904e0a01f70303dd70e97c104
Instruction Fuzzy Hash: CB125E7AF045308F9F684B2C78E45BD77E29B46360B7A461BED12E73A0C629CD85C781

Function 00023460 Relevance: 6.9, Strings: 5, Instructions: 687COMMON

Download Yara Rule

Strings

?B;, xrefs: 000234D2
@B;, xrefs: 00023CE9
@B;, xrefs: 000234E8
@B;, xrefs: 00023BE6
@B;, xrefs: 00023CF7

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID:
String ID: ?B;$@B;$@B;$@B;$@B;
API String ID: 0-1209347523
Opcode ID: eb136254f393604f9be41b128146305603841a65d93a563d90eb5b369939e268
Instruction ID: 3392be7e23b47e4f997f414efcdc282590c64f7d4d3e91c16b1e2cc29bce07ad
Opcode Fuzzy Hash: eb136254f393604f9be41b128146305603841a65d93a563d90eb5b369939e268
Instruction Fuzzy Hash: 8D32277A3002145F4B78CA28BA8446DB3D7ABD93307348A53D926CB7F4D73CEE4A8641

Function 00023FA0 Relevance: 6.8, Strings: 5, Instructions: 572COMMON

Download Yara Rule

Strings

CyN, xrefs: 00024033
CyN, xrefs: 000244CE
CyN, xrefs: 000244C0
CyN, xrefs: 00024148
CyN, xrefs: 0002413A

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID:
String ID: CyN$CyN$CyN$CyN$CyN
API String ID: 0-4075027903
Opcode ID: bffde2e22fa23eb950c1d6a584719298cfc76895d6f3cca2ffe24c8ae0624397
Instruction ID: e76c4704fd35b21fd7207cfe6075a3e47b126f50a610b014df2cd755dd9da6a5
Opcode Fuzzy Hash: bffde2e22fa23eb950c1d6a584719298cfc76895d6f3cca2ffe24c8ae0624397
Instruction Fuzzy Hash: 9712387F2147204B5AB8C62AB7D462D72D287DA3303768A16E512CB7F4DB39CD8A8741

Function 00037350 Relevance: 6.6, Strings: 5, Instructions: 310COMMON

Download Yara Rule

Strings

b~N, xrefs: 00037410
c~N, xrefs: 00037563
c~N, xrefs: 00037602
c~N, xrefs: 0003760D
c~N, xrefs: 000373F6

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID:
String ID: b~N$c~N$c~N$c~N$c~N
API String ID: 0-1905032987
Opcode ID: 26e872a525b8e32c37703cb9a6c68106f9085a17fe8edaabc32ddb52d9170f20
Instruction ID: 940ec123e78f91a1a06070ee4a0c06c787bfe6d52ca00f7b97e3779fc7844ffb
Opcode Fuzzy Hash: 26e872a525b8e32c37703cb9a6c68106f9085a17fe8edaabc32ddb52d9170f20
Instruction Fuzzy Hash: CFA19EF520C6444B5E79973C9BC412D73DAABE9320F248A66ED29CB3E4DB34DD805742

Function 0001B964 Relevance: 6.5, Strings: 5, Instructions: 235COMMON

Download Yara Rule

Strings

"!-, xrefs: 0001B872
"!-, xrefs: 0001B880
PbQ, xrefs: 0001C1F9
A\, xrefs: 0001B86D
A\, xrefs: 0001B85B

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID:
String ID: A\$A\$PbQ$"!-$"!-
API String ID: 0-1954403065
Opcode ID: fd3091fe2f3d4b27947628ac934f65fe040fa704aa562e9ab64217c1b1383f9f
Instruction ID: 6974a3595b1e21d10b6e2482808619c5ce893cb36e271822a8d3c2eb368a4bf3
Opcode Fuzzy Hash: fd3091fe2f3d4b27947628ac934f65fe040fa704aa562e9ab64217c1b1383f9f
Instruction Fuzzy Hash: E071383A3452408B5E7CCA285AE44BD7283AFDA330B39821FD8174B7E8DB358CC55A47

Function 0003F751 Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0003F841

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 8da103c2af4e4762f22604f0469dd49f7096372ee5094c120257501c33175737
Instruction ID: 101152d662b1bf1a3636b1c3663431b5485a2a90d8cba954d4d164f716f3584b
Opcode Fuzzy Hash: 8da103c2af4e4762f22604f0469dd49f7096372ee5094c120257501c33175737
Instruction Fuzzy Hash: 4171E5B5D0511AAFDF62AF38DC89BFEB7BCAB05300F1441EAE00997112DA348E858F14

Function 000396CF Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 000396DB
IsDebuggerPresent.KERNEL32 ref: 000397A7
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 000397C7
UnhandledExceptionFilter.KERNEL32(?), ref: 000397D1

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: a00cd3dbd59feea906de11960c87259eb0c828789abf3e2ac7b0680c1514cd83
Instruction ID: 40db376edfceb01d373a535dbd2ad48907e01819a476f01aba93920589bf808a
Opcode Fuzzy Hash: a00cd3dbd59feea906de11960c87259eb0c828789abf3e2ac7b0680c1514cd83
Instruction Fuzzy Hash: 31312BB5D062189BEB51DFA4D989BCCBBF8AF08304F1041DAE44DA7250EBB55A84CF05

Function 00034CF0 Relevance: 4.8, APIs: 3, Instructions: 287COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00034D86

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID: ___std_exception_destroy
String ID:
API String ID: 4194217158-0
Opcode ID: e8e0c724dd50c85f9c8642d1990882abe3701897b50a3a007e3dc8dd8ff18055
Instruction ID: 76e905a26f100d87f238e8641e0f9e1a15d9a25480a5bc88d6a2d22d063c03d1
Opcode Fuzzy Hash: e8e0c724dd50c85f9c8642d1990882abe3701897b50a3a007e3dc8dd8ff18055
Instruction Fuzzy Hash: C2913E7D2146004F6D6ACE24E9C412D73EA5BA6331F68CE62E522CF3F9D728AC45C745

Function 0003B7BA Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0003B8B2
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0003B8BC
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0003B8C9

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: d71cdd2105283e76a090b49415e40a6ecb2e4c2eb0c0abd80c104316de59a714
Instruction ID: aa5db9d39038460c5605381ae881584e045b2cd8e117b6d3669385d994011d15
Opcode Fuzzy Hash: d71cdd2105283e76a090b49415e40a6ecb2e4c2eb0c0abd80c104316de59a714
Instruction Fuzzy Hash: 4531C4759012189BCB61DF68D989BCCBBB8BF18314F5041EAE50CA7251EB749F818F45

Function 00031387 Relevance: 4.2, Strings: 3, Instructions: 413COMMON

Download Yara Rule

Strings

dUb, xrefs: 00031750
dUb, xrefs: 0003174B
dUb, xrefs: 00031CBB

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID:
String ID: dUb$ dUb$ dUb
API String ID: 0-1696577624
Opcode ID: c38aaf2ce4051cfc79baf4d9592e95329667e2e183969af9935ecb6a221c3973
Instruction ID: beb6146cbc4b5c442294cbdf0dc2f055fc46c7d3b62819bf10a787a928b7f892
Opcode Fuzzy Hash: c38aaf2ce4051cfc79baf4d9592e95329667e2e183969af9935ecb6a221c3973
Instruction Fuzzy Hash: F5D1713D9043484B5A3EEB2896C40FDB2DB5BDD370F24421AD9264BFE4F6264D868646

Function 00024CE0 Relevance: 4.2, Strings: 3, Instructions: 404COMMON

Download Yara Rule

Strings

Mnj, xrefs: 00024F6F
Mnj, xrefs: 0002500B
Mnj, xrefs: 000251BB

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID:
String ID: Mnj$Mnj$Mnj
API String ID: 0-3324928681
Opcode ID: cd57dc0e5a490013572c34edd772ad77fd9362f471465976063f4fc7c5937a33
Instruction ID: c5fc6f8abad0d5b8713658dd008b1f8f97aa83ce1453a9cc734d5cfcac31bc5f
Opcode Fuzzy Hash: cd57dc0e5a490013572c34edd772ad77fd9362f471465976063f4fc7c5937a33
Instruction Fuzzy Hash: 2DD160B9205524CBA93CC638BDC813D72D777593207B94A27E427CB3B0DA28CD499A4B

Function 00027F74 Relevance: 4.0, Strings: 3, Instructions: 243COMMON

Download Yara Rule

Strings

i.^, xrefs: 00027DE0
j.^, xrefs: 00027DEC
.Q_, xrefs: 00028587

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID:
String ID: .Q_$i.^$j.^
API String ID: 0-3437208586
Opcode ID: a792a8e21cd47970161c7de7db4c8893e6e1347a8badca73c1f1ee3607d29c44
Instruction ID: 8fe932ddd87169cdaa294a2c5564984c98e0997f9e57be82134ab4f2271c9238
Opcode Fuzzy Hash: a792a8e21cd47970161c7de7db4c8893e6e1347a8badca73c1f1ee3607d29c44
Instruction Fuzzy Hash: FD817B7D30A1208B9A3D8624BDE453DF2CAAF96374B79852FE903C77A0DF249C458746

Function 0001D07E Relevance: 4.0, Strings: 3, Instructions: 203COMMON

Download Yara Rule

Strings

jiX, xrefs: 0001D096
F- , xrefs: 0001EE17
XvIL, xrefs: 0001CDE8

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID:
String ID: F- $XvIL$jiX
API String ID: 0-1826392768
Opcode ID: bf6fa79e1ea8ba1ae035c6f77f5325fca94ebd8ed769f428857d14fd5c946795
Instruction ID: 83662a091ecff33b5261b4103bddb42f229be40f222bcaecd10a99591ed3455f
Opcode Fuzzy Hash: bf6fa79e1ea8ba1ae035c6f77f5325fca94ebd8ed769f428857d14fd5c946795
Instruction Fuzzy Hash: EC61BE757816059BBE7C9A28ADE99BC7AE19F58320B35413FF81757AF0C224ECC14782

Function 00028149 Relevance: 2.7, Strings: 2, Instructions: 235COMMON

Download Yara Rule

Strings

i.^, xrefs: 00027DE0
j.^, xrefs: 00027DEC

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID:
String ID: i.^$j.^
API String ID: 0-1036069679
Opcode ID: 519649b6ef726278eaf79a3d6ea4859d35d0c4310c8214dc2aa41d36c461b945
Instruction ID: 181bf1c1028fc1d636125cff3fff59a2990c9134398f25df142c83f54bee8a62
Opcode Fuzzy Hash: 519649b6ef726278eaf79a3d6ea4859d35d0c4310c8214dc2aa41d36c461b945
Instruction Fuzzy Hash: 5D819D3D3065208F9A6C8634BDE413DB2C9AF96364B79862EE913D76F0CF248D498346

Function 00045E42 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00045D9D,?,?,00000008,?,?,0004596F,00000000), ref: 0004606F

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: e563461c46cc0fec3d261b3be82f25235c91a784fa9d27a6d383c5ce6a4796ce
Instruction ID: 858c8198f02175900eda9171bfccd818f56b6a8b4dc851f3e0761f449ed5dc2c
Opcode Fuzzy Hash: e563461c46cc0fec3d261b3be82f25235c91a784fa9d27a6d383c5ce6a4796ce
Instruction Fuzzy Hash: 53B1A2B1110608DFD755CF28C48AB557BE0FF45325F298668E89ACF2A2C336DD81CB45

Function 0003F6A0 Relevance: 1.7, APIs: 1, Instructions: 199fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0003EB5E: HeapAlloc.KERNEL32(00000008,?,00000000,?,0003CD48,00000001,00000364,00000000,00000002,000000FF,?,?,0003E441,0003DCA0), ref: 0003EB9F

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0003F841
FindNextFileW.KERNEL32(00000000,?), ref: 0003F935
FindClose.KERNEL32(00000000), ref: 0003F974
FindClose.KERNEL32(00000000), ref: 0003F9A7

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID: Find$CloseFile$AllocFirstHeapNext
String ID:
API String ID: 2701053895-0
Opcode ID: 6999ea7f1d7ca10aedeb56dd3d918f7c4aa8b019fd2d54696063f6da10b16670
Instruction ID: 302bae0cac3b630b18815b926a7221f9a93e639a79da90d4c0e47f7b4fd473bb
Opcode Fuzzy Hash: 6999ea7f1d7ca10aedeb56dd3d918f7c4aa8b019fd2d54696063f6da10b16670
Instruction Fuzzy Hash: D25156B5D0420AAFDF26AF389C85AFE77EDDF45314F1441BAF40993202EA308D429B24

Function 000398F5 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0003990B

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 69b91f1c8e2eab09230e68bdb2613ffdc14c0910f15861e1e716988890333542
Instruction ID: a1d6a96965c9c2e8e63134bbd5e586a7bbbba4a8228b89fe7a7c91e8d2b3f18a
Opcode Fuzzy Hash: 69b91f1c8e2eab09230e68bdb2613ffdc14c0910f15861e1e716988890333542
Instruction Fuzzy Hash: CF51AEB1A016058FFB56CF58D9817AABBF4FB49314F25856AC409EB260D3B8D940CF90

Function 000396C3 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000297F0,00039145), ref: 000396C8

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 11e53f6e89634ab9533562d0d151db0ab7d66dbf9dd9fffd87b4ce1d7750ec00
Instruction ID: 32d207edefa6697b252501ed5aef44fa472c5d20c4f7000ea4418ea034a5a85a
Opcode Fuzzy Hash: 11e53f6e89634ab9533562d0d151db0ab7d66dbf9dd9fffd87b4ce1d7750ec00
Instruction Fuzzy Hash:

Function 00022B07 Relevance: 1.5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

~bD`, xrefs: 00022F87

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID:
String ID: ~bD`
API String ID: 0-944831652
Opcode ID: b833c65f0bcccedf916b5006c877a3ad560cf368d54926262c8b471c79656cee
Instruction ID: b7c80de3f8e325d96da92eed3e0c30e41218829eb33fd412b61eed65c2ead5cc
Opcode Fuzzy Hash: b833c65f0bcccedf916b5006c877a3ad560cf368d54926262c8b471c79656cee
Instruction Fuzzy Hash: 8071ADBA305520BB4A7C8D7C3AD827D73D19B96320379473BE813CB2E1D715CC4A8206

Function 00022BBB Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

~bD`, xrefs: 00022F87

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID:
String ID: ~bD`
API String ID: 0-944831652
Opcode ID: 778fae87f4952c1d960fb29f7fe0211357f7bd0e7ed1274a73dda969f6d9f2c5
Instruction ID: 914f825c982bf2e9cb9dc1f678c4559562c98682c81bfbddf64cf46e59909f3f
Opcode Fuzzy Hash: 778fae87f4952c1d960fb29f7fe0211357f7bd0e7ed1274a73dda969f6d9f2c5
Instruction Fuzzy Hash: 0A516DB9300620BFDB65DE68BDD5B2D73D5EB99320F284672E815CB3A2E325C855C602

Function 00022C60 Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

~bD`, xrefs: 00022F87

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID:
String ID: ~bD`
API String ID: 0-944831652
Opcode ID: 1eb38f3bdf39bd827cefbb63292efdd7d3439c6a54b874230a2fcaaa3f01bf24
Instruction ID: bd1642d55de0abf253cf76eb119c9ea85e28fbf99f92f75a881f72a7cdaa5a7f
Opcode Fuzzy Hash: 1eb38f3bdf39bd827cefbb63292efdd7d3439c6a54b874230a2fcaaa3f01bf24
Instruction Fuzzy Hash: FD412BBA300620AFD655DF38BDD5B2973D5EB99320F294531E815CB3A6E335C859C602

Function 0001D6BB Relevance: 1.4, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

XvIL, xrefs: 0001CDE8

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID:
String ID: XvIL
API String ID: 0-558896452
Opcode ID: a305701c6b9042605e50842e0f4a3562db16e5b33cf53bfbe2ca0dbcc85b3a3c
Instruction ID: b98c774f83bfe3d2774b25fd1a222281b87ca4da5308e7a8faffb529379cb1db
Opcode Fuzzy Hash: a305701c6b9042605e50842e0f4a3562db16e5b33cf53bfbe2ca0dbcc85b3a3c
Instruction Fuzzy Hash: 5741E7B4680605AFEB686F14DC96EB87BA1EF14314F14406EF9066B766D631ECC18782

Function 0001CD0A Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

XvIL, xrefs: 0001CDE8

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID:
String ID: XvIL
API String ID: 0-558896452
Opcode ID: 456e59b4c00ddc138c3f9da0371ab219b0c8dbfb133bfa87e4c5e0b9e8e285ab
Instruction ID: efcfd07a2a103e73d31e6c9c2d2b43205d4fe25de4b2d5e0d974f235bc7ecbfb
Opcode Fuzzy Hash: 456e59b4c00ddc138c3f9da0371ab219b0c8dbfb133bfa87e4c5e0b9e8e285ab
Instruction Fuzzy Hash: 213148B4680600AFEA2C9F14A8D5ABC77A1AF15314F64407EF8076B662C630ECC18642

Function 0001E359 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

XvIL, xrefs: 0001CDE8

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID:
String ID: XvIL
API String ID: 0-558896452
Opcode ID: 5965e2912b74138ab1fbcc70744f8f23bed623ca00e05175ff75af2c5824d684
Instruction ID: cf4a4cabf385eccf1d11eefa0113b7b2204167ed8d5c28fcda4aea76aafd6da8
Opcode Fuzzy Hash: 5965e2912b74138ab1fbcc70744f8f23bed623ca00e05175ff75af2c5824d684
Instruction Fuzzy Hash: AA3108B4580605ABFE7C5B14A8D6EFC7BA1AF14314F24406FF9072BA66D631ECC08683

Function 0001E946 Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

XvIL, xrefs: 0001CDE8

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID:
String ID: XvIL
API String ID: 0-558896452
Opcode ID: 2273ec6f98b423bc6b154661b8749e6104e7ed58b0ba8ba11157b20ff769c870
Instruction ID: 6ddac4f8ecdcca08705a91e03a528cecd3a5f0c95340f00cf1916ea668171a93
Opcode Fuzzy Hash: 2273ec6f98b423bc6b154661b8749e6104e7ed58b0ba8ba11157b20ff769c870
Instruction Fuzzy Hash: 8431F9B4680605ABEE6C5B149896EFC7B61AF14314F64406FF8072BB66D631ECC18683

Function 0003CB30 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0003CB30

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 102b4b6e35215b7a0264e930a2052e15b313b655493816ea31d8d69b56b8398b
Instruction ID: 6be4c31984990399ec8496592e1ee77c0e3bcfce6e49c6c8b221797311b98af1
Opcode Fuzzy Hash: 102b4b6e35215b7a0264e930a2052e15b313b655493816ea31d8d69b56b8398b
Instruction Fuzzy Hash: FCA001B86432458BB7808F76AB096097AA9BB466D1749C0A9A405C52A0EAAC98519F09

Function 00025610 Relevance: .6, Instructions: 552COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aced845aa5adda999267405ce7059c311851c7577f281b7d02bca9c81947b323
Instruction ID: dd87e331b5d2b9c869deadc235fb8f8050dd54cff1763f788eb885038651de5f
Opcode Fuzzy Hash: aced845aa5adda999267405ce7059c311851c7577f281b7d02bca9c81947b323
Instruction Fuzzy Hash: B0124079709A618B8E7C8E287DD413D72D2AB89322BB5452BE857D73A0DA30CC454B4F

Function 00034190 Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16342efe87eb3399c4c381eac9eb63c60a933fd9329b54cfa28afc2ab5931e44
Instruction ID: d9ffd2f39b1400078d4860b9e3ef0d5e858613ba933cc32a369fc03242418751
Opcode Fuzzy Hash: 16342efe87eb3399c4c381eac9eb63c60a933fd9329b54cfa28afc2ab5931e44
Instruction Fuzzy Hash: 74E1423E615B404F5979CA389AC417D72DAB796330F348A13E922CF3E1D669ED85C242

Function 00036CF0 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 678797b5465a8cd683ff0a605ad593279106363f6c0deea2a4b70e58e6b9bd5e
Instruction ID: eeb92a88bc1a32a11e465dd2eb548b22d05095229682c07cf1391e1fc8a7579c
Opcode Fuzzy Hash: 678797b5465a8cd683ff0a605ad593279106363f6c0deea2a4b70e58e6b9bd5e
Instruction Fuzzy Hash: A7D12BBA7183049F6E799738E6D412D32CA5BC6330F24C711E629CB3F5E63ADD458642

Function 00015930 Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20c63db3759b14a206517918c888fd08221c1d7f8361e1d296e797557189c14e
Instruction ID: 3df0d85d60e6598824e9b71d8bc6033e4863a0a5d8316bda1ea915ad490fafc1
Opcode Fuzzy Hash: 20c63db3759b14a206517918c888fd08221c1d7f8361e1d296e797557189c14e
Instruction Fuzzy Hash: 5AC1093A305A00CB4A78CB285DC95AD73D3ABD97367745A17D422CF3E9DB24CD868683

Function 00036820 Relevance: .3, Instructions: 282COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7f8c273d390bd3f49d6f3d22882d1d0faf27b5c68c9e374f24c9c70b61f9a36
Instruction ID: f3d0688058cecdbfc4ba91bda3a03e90b97ffebd5c9253f3bac941d39887a838
Opcode Fuzzy Hash: f7f8c273d390bd3f49d6f3d22882d1d0faf27b5c68c9e374f24c9c70b61f9a36
Instruction Fuzzy Hash: 4BA15A362047449B963D8B6899F063E768AEBD6320F75C70FC8134BBE4CE7B5C458682

Function 00024930 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12bac6a5f3b4f0fef0eb2539667a037a104833afdae47e4e44f2d1af891715c3
Instruction ID: 754e0cf274f6e5cc6952d18949090731d7ed2e586fb3c69dd11b2f09ea75da6f
Opcode Fuzzy Hash: 12bac6a5f3b4f0fef0eb2539667a037a104833afdae47e4e44f2d1af891715c3
Instruction Fuzzy Hash: C3715B7E7147248B4A68CB3C7AC417EB7D29FA5320B748A27E812CB2E5D725CC498742

Function 0001A2F2 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 163fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 0001A96A

Strings

"!-, xrefs: 0001B872
"!-, xrefs: 0001B880
x", xrefs: 0001C4DC
A\, xrefs: 0001B85B
A\, xrefs: 0001B86D
U<_k, xrefs: 0001A30A
A\, xrefs: 0001ADC4
x", xrefs: 0001C4EA

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID: CreateFile
String ID: A\$A\$A\$U<_k$x"$x"$"!-$"!-
API String ID: 823142352-2094675021
Opcode ID: 6f0de91af7ff29f7b5ed3ce1cea2528e686f21b2c1b14963f1332759590462e5
Instruction ID: bef68f88f1e4ceb675c5bd303522b65ad55f7ff3e4bc4f3c38fcc0949247035e
Opcode Fuzzy Hash: 6f0de91af7ff29f7b5ed3ce1cea2528e686f21b2c1b14963f1332759590462e5
Instruction Fuzzy Hash: 9C5179363462409BDE7C8A2859E96BC62C36BE7330F39811FE9134BAF4D7258CC5650B

Function 000425E3 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00042702
___TypeMatch.LIBVCRUNTIME ref: 00042810
CatchIt.LIBVCRUNTIME ref: 00042861
_UnwindNestedFrames.LIBCMT ref: 00042962
CallUnexpected.LIBVCRUNTIME ref: 0004297D

Strings

csm, xrefs: 00042620
csm, xrefs: 00042739
csm, xrefs: 0004268D

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID: CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 4119006552-393685449
Opcode ID: b5ca703c12701c79b3b6a581fdbe2b1dc889277c4dfb61ab382225157d80f909
Instruction ID: 497e32e6e8e3b34b73dd282039c485030f8b7ca1b5bec88ebce7cc0f6bc7c0dd
Opcode Fuzzy Hash: b5ca703c12701c79b3b6a581fdbe2b1dc889277c4dfb61ab382225157d80f909
Instruction Fuzzy Hash: C6B17BB1A00209EFCF19DFA4C8819AEBBB5FF55310F954169F814AB212D730DE51CBA9

Function 00043F66 Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(028E0530,028E0530,00000000,7FFFFFFF,?,00043F51,028E0530,028E0530,00000000,028E0530,?,?,?,?,028E0530,00000000), ref: 0004400C
__alloca_probe_16.LIBCMT ref: 000440C7
__alloca_probe_16.LIBCMT ref: 00044156
__freea.LIBCMT ref: 000441A1
__freea.LIBCMT ref: 000441A7
__freea.LIBCMT ref: 000441DD
__freea.LIBCMT ref: 000441E3
__freea.LIBCMT ref: 000441F3

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 159684e24c3e040e312f6eb438c833482ea2c142d73c33aad56aa0802468c7da
Instruction ID: 82ee0ae0513847288c8668f34c99c0105cd5746b6c724a79588cb7f9d311f849
Opcode Fuzzy Hash: 159684e24c3e040e312f6eb438c833482ea2c142d73c33aad56aa0802468c7da
Instruction Fuzzy Hash: 247125F2900205ABEF319E64CC81BEE77FAAF55310F280139EA05A7292DA35DD458768

Function 00034910 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 243COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 000349B7

Strings

(^Hx, xrefs: 00034ACC
(^Hx, xrefs: 00034AAB
(^Hx, xrefs: 00034AD7

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID: ___std_exception_copy
String ID: (^Hx$(^Hx$(^Hx
API String ID: 2659868963-1348055467
Opcode ID: 8524678fbe4f503437c35d3c0b866d236756d486a7d4000264754f96af713ac0
Instruction ID: 746d644989efdd179f8d4a35841dc4c90b98855a27b9e70aec68bd4b916b21e7
Opcode Fuzzy Hash: 8524678fbe4f503437c35d3c0b866d236756d486a7d4000264754f96af713ac0
Instruction Fuzzy Hash: AA813F392042004FDB658B29DAC432E77D9A799320F698B17E5A1CF7E1EB79EC448706

Function 00039E60 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00039E97
___except_validate_context_record.LIBVCRUNTIME ref: 00039E9F
_ValidateLocalCookies.LIBCMT ref: 00039F28
__IsNonwritableInCurrentImage.LIBCMT ref: 00039F53
_ValidateLocalCookies.LIBCMT ref: 00039FA8

Strings

csm, xrefs: 00039F3D

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 7ba43dd97c8885b3a36d8b9adad4eb9f09744d6ac835e563bb5519437a1c33ec
Instruction ID: 16ae2cca193493031e6432846c5d519ea605c7316c48f4cc570dca720947cc28
Opcode Fuzzy Hash: 7ba43dd97c8885b3a36d8b9adad4eb9f09744d6ac835e563bb5519437a1c33ec
Instruction Fuzzy Hash: CE41C434A002099FCF11DF68C880A9E7BF9AF45314F148165F914AB392D7B5EA41CB91

Function 0003C8BA Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00000000,?,BED7BAA4,?,0003C9C9,?,0001782F,00000000,00000000), ref: 0003C97B

Strings

api-ms-, xrefs: 0003C911
ext-ms-, xrefs: 0003C925

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 881192dbdf054e9539f1026d81c1596b3f0a817f08e7234342360dcaccd1314a
Instruction ID: 92b10da4f3edde220a3c746eeaade1136c4c134cf541a2450d48f2882b460c19
Opcode Fuzzy Hash: 881192dbdf054e9539f1026d81c1596b3f0a817f08e7234342360dcaccd1314a
Instruction Fuzzy Hash: BE2123B6A01211A7F7639B25ED88F5A779DAB427A0F120122E905F7281DB70ED01C7D4

Function 0003C15E Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0003C155,00039C3D,00039834), ref: 0003C16C
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0003C17A
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0003C193
SetLastError.KERNEL32(00000000,0003C155,00039C3D,00039834), ref: 0003C1E5

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 63f5fff6b480ddac2319f68f0b5ee1ff8c3722a91543575e1ecb135c1acc2c81
Instruction ID: 0668699afe7656d93067b7fa48c0358fa79dde2dd0c1ad44729d3efb2f9497b7
Opcode Fuzzy Hash: 63f5fff6b480ddac2319f68f0b5ee1ff8c3722a91543575e1ecb135c1acc2c81
Instruction Fuzzy Hash: 9A01D8B61093115EF6662BB56E86D6A369CCB13779B20023AFE24E11E3EF655C0072DC

Function 0003FAD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\aqbjn3fl.exe, xrefs: 0003FAF0

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\aqbjn3fl.exe
API String ID: 0-1449481844
Opcode ID: f768b7d7513bbb21e66182b892a8a003b838e4db0293d614a076b1408191ad9c
Instruction ID: d47dc50c7d609df7bae957de1da7c8e01961eefcdb9f8a1d8b4169e1e0a15d24
Opcode Fuzzy Hash: f768b7d7513bbb21e66182b892a8a003b838e4db0293d614a076b1408191ad9c
Instruction Fuzzy Hash: A7219DB1A00607AFEB62AF65CC91CBBB7ACAF44364F108535FA1997152D770EC0087A0

Function 0003A945 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BED7BAA4,?,?,00000000,000463CE,000000FF,?,0003AA06,?,?,0003AAA2,788496A7), ref: 0003A97A
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0003A98C
FreeLibrary.KERNEL32(00000000,?,00000000,000463CE,000000FF,?,0003AA06,?,?,0003AAA2,788496A7), ref: 0003A9AE

Strings

CorExitProcess, xrefs: 0003A984
mscoree.dll, xrefs: 0003A973

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 1bb7588888adbc1d135aded7fa97da213042125506913161ecb95dcb56d67ee7
Instruction ID: 4075fb32f2cd164ca74cda76de5189a79172b5872a1367709a00a14b4f375648
Opcode Fuzzy Hash: 1bb7588888adbc1d135aded7fa97da213042125506913161ecb95dcb56d67ee7
Instruction Fuzzy Hash: F301DBB5A40615EFEB128F50DD09FAE77B8FB06715F000536F811A2690DBB89900CB95

Function 00042A08 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,0004290E,?,?,00000000,00000000,00000000,?), ref: 00042A2D
CatchIt.LIBVCRUNTIME ref: 00042B13

Strings

RCC, xrefs: 00042A47
MOC, xrefs: 00042A3F

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: dfecf580f3fc355aaefaa1d58971daa7a5c015ebdfa5371651a83ed4ed82edd0
Instruction ID: 2dbbd3ca76b300d90ff91fb4454325b912f5686730eaf494c1e6de1bf4ad72df
Opcode Fuzzy Hash: dfecf580f3fc355aaefaa1d58971daa7a5c015ebdfa5371651a83ed4ed82edd0
Instruction Fuzzy Hash: BA418CB1A00209AFDF16CF94CD81AEEBBB5FF48304F588169F904B7212D7359960DB95

Function 00040C42 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(788496A7,00000000,00000800,?,00040CDE,?,?,?,?,?,?,00040B26,00000000,FlsAlloc,00048060,00048068), ref: 00040C4F
GetLastError.KERNEL32(?,00040CDE,?,?,?,?,?,?,00040B26,00000000,FlsAlloc,00048060,00048068,?,?,0003C10C), ref: 00040C59
LoadLibraryExW.KERNEL32(788496A7,00000000,00000000,?,788496A7,?,?,?,?,0003BDAC,?,?,00023066,?,00000000,788496A7), ref: 00040C81

Strings

api-ms-, xrefs: 00040C66

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 8b65fc0074f94937580cf74e98ff74f96fa2768d2b474061136d105600831984
Instruction ID: 37d8440ec5ec48007123d9cc8b0b28fadea9211e7f209f54f0f9b494d46a50ea
Opcode Fuzzy Hash: 8b65fc0074f94937580cf74e98ff74f96fa2768d2b474061136d105600831984
Instruction Fuzzy Hash: EAE012B5241204FAFB502BA1DE46F5A3F959B41B41F148130FA0CA80E1E7F6D811858C

Function 0004159F Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(BED7BAA4,00000000,00000000,?), ref: 00041602

Part of subcall function 0004012E: WideCharToMultiByte.KERNEL32(?,00000000,00023066,00000000,00000000,00000000,000000FF,?,?,00000000,00023066,?,0003C091,?,00000000,?), ref: 0004018F

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00041854
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0004189A
GetLastError.KERNEL32 ref: 0004193D

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 8a10869bab9cdee99784ce7dca150b005ceac35ea55b3d89fe04bbc8251ebac6
Instruction ID: 5284181f414c9f7661c1e0970e450793436f983b001ab2f1212d966cb82c0ac8
Opcode Fuzzy Hash: 8a10869bab9cdee99784ce7dca150b005ceac35ea55b3d89fe04bbc8251ebac6
Instruction Fuzzy Hash: 73D18BB5D04258AFDB15CFA8C8909EDBBF5FF09310F28452AE465EB352D630A982CB54

Function 0004240C Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 000424D3
___AdjustPointer.LIBCMT ref: 000424F6
___AdjustPointer.LIBCMT ref: 00042592

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 00464963b5cbf557a17bad085d51a2ef46009ef20962768c7145daea9560e6dc
Instruction ID: 331c3400186e652cb0e9de0a5386e60e38b6da732f97db05215da785301e6acb
Opcode Fuzzy Hash: 00464963b5cbf557a17bad085d51a2ef46009ef20962768c7145daea9560e6dc
Instruction Fuzzy Hash: 8851A0F2B01A069FEB299F10D851BBAB7E4EF40314F544039F905962A2D771ED80DB98

Function 0003F52E Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 0004012E: WideCharToMultiByte.KERNEL32(?,00000000,00023066,00000000,00000000,00000000,000000FF,?,?,00000000,00023066,?,0003C091,?,00000000,?), ref: 0004018F

GetLastError.KERNEL32(?,?,?,00000000,00000000,?,0003F8D4,?,?,?,00000000), ref: 0003F592
__dosmaperr.LIBCMT ref: 0003F599
GetLastError.KERNEL32(00000000,0003F8D4,?,?,00000000,?,?,?,00000000,00000000,?,0003F8D4,?,?,?,00000000), ref: 0003F5D3
__dosmaperr.LIBCMT ref: 0003F5DA

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: d49948e8cd499b185a1bd9e32b40143f594bbbd258bfc4d7e8a4c3e36c5abeb3
Instruction ID: be64fd41cc5d15993ee8a0d053e6d3f42642427bb5e9d25a75ba41fb97d95816
Opcode Fuzzy Hash: d49948e8cd499b185a1bd9e32b40143f594bbbd258bfc4d7e8a4c3e36c5abeb3
Instruction Fuzzy Hash: 2621F575A00A07AFDB62AF65C9808BBB7ECEF05360F108539FA1993252D730ED108750

Function 0004022A Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00040232

Part of subcall function 0004012E: WideCharToMultiByte.KERNEL32(?,00000000,00023066,00000000,00000000,00000000,000000FF,?,?,00000000,00023066,?,0003C091,?,00000000,?), ref: 0004018F

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0004026A
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0004028A

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: b443a63db447118311bd23c166526b72ea6f208b2085a98b23ff78eed8d82a43
Instruction ID: e14b4076f9a8bd4c74ab65685baecb9349717c1559494ce9aa88919fe9da8082
Opcode Fuzzy Hash: b443a63db447118311bd23c166526b72ea6f208b2085a98b23ff78eed8d82a43
Instruction Fuzzy Hash: D511C8F65166167EF62227719ECDCBF6AACDF473947100035FA02B2152EAB4DD018178

Function 00044420 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00043C02,00000000,00000001,00000000,?,?,00041991,?,00000000,00000000), ref: 00044437
GetLastError.KERNEL32(?,00043C02,00000000,00000001,00000000,?,?,00041991,?,00000000,00000000,?,?,?,000412D7,00000000), ref: 00044443

Part of subcall function 000444A0: CloseHandle.KERNEL32(FFFFFFFE,00044453,?,00043C02,00000000,00000001,00000000,?,?,00041991,?,00000000,00000000,?,?), ref: 000444B0

___initconout.LIBCMT ref: 00044453

Part of subcall function 00044475: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00044411,00043BEF,?,?,00041991,?,00000000,00000000,?), ref: 00044488

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,00043C02,00000000,00000001,00000000,?,?,00041991,?,00000000,00000000,?), ref: 00044468

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: a5bf949e16af02a3bcf590f9dcd87c0365db38cc0fe8dcd45158d79a0ecb2a68
Instruction ID: f25d67a54dc756d4728ee2dae558eea8d876e512a057bed0857d9469a4071398
Opcode Fuzzy Hash: a5bf949e16af02a3bcf590f9dcd87c0365db38cc0fe8dcd45158d79a0ecb2a68
Instruction Fuzzy Hash: EEF0307A141114BBDF622FD1ED08F893F66FF497B5B014020FA5895131C7B28820DB98

Function 0004227C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00042285

Strings

csm, xrefs: 000422A7
csm, xrefs: 00042318

Memory Dump Source

Source File: 00000000.00000002.2416051920.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.2416037664.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416077668.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416092063.000000000004D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416105092.000000000004E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416118552.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2416133676.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_aqbjn3fl.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: c34c4d7c03a60f7275c78030901e27f292453e10badcb808c2f57f0125c9b2f5
Instruction ID: 2d2d0a68187603a91e514c71e8d8b91e89bbd8a101943439306279734d128fe9
Opcode Fuzzy Hash: c34c4d7c03a60f7275c78030901e27f292453e10badcb808c2f57f0125c9b2f5
Instruction Fuzzy Hash: 4031F5F1600215EFCF229F50CC049AE7BB5FF49316B58826AF81849111C336CEA1DF99

Analysis Process: aqbjn3fl.exePID: 6872, Parent PID: 6740COMMON

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	28.2%
Total number of Nodes:	103
Total number of Limit Nodes:	4

Executed Functions

Function 00439310 Relevance: 26.9, APIs: 11, Strings: 4, Instructions: 660
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(00443678,00000000,00000001,00443668,00000000), ref: 0043940C
SysAllocString.OLEAUT32(81578756), ref: 004394A4
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 004394E9
SysAllocString.OLEAUT32(7F0F7903), ref: 00439546
SysAllocString.OLEAUT32(F7ABF957), ref: 0043961A
VariantInit.OLEAUT32(?), ref: 0043968A

Strings

(), xrefs: 004395AE
0}bc, xrefs: 004394FF
C, xrefs: 004393BC
\, xrefs: 004393C7

Memory Dump Source

Source File: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd

Yara matches

Similarity

API ID: AllocString$BlanketCreateInitInstanceProxyVariant
String ID: ()$0}bc$C$\
API String ID: 65563702-1726517784
Opcode ID: 0f1222683775ae3621506ccc1600d945d457569e17fe956ef9e8c073e5d335ed
Instruction ID: 106669d51836f7a9ecf543ef8e50fb3cc3e0c611a8505fe8182dd2d3ee5b5c80
Opcode Fuzzy Hash: 0f1222683775ae3621506ccc1600d945d457569e17fe956ef9e8c073e5d335ed
Instruction Fuzzy Hash: 872260B2A083009BD714DF24C845B6BBBA6EFCA714F18492DF4859B3C1D7B8D905CB96

Function 0040CEF5 Relevance: 12.8, Strings: 10, Instructions: 293
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

-0p#, xrefs: 0040CFD1
^GFA, xrefs: 0040D236
lev-tolstoi.com, xrefs: 0040D328
c^.z, xrefs: 0040D08A
6(S", xrefs: 0040CFBB
39my, xrefs: 0040CFDC
.$[", xrefs: 0040CFB0
~sx=, xrefs: 0040CFE7
+"#R, xrefs: 0040CFC6
5F8064358E6382DD63CFCF7E6C45F838, xrefs: 0040CF3E

Memory Dump Source

Source File: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd

Yara matches

Similarity

API ID:
String ID: +"#R$-0p#$.$["$39my$5F8064358E6382DD63CFCF7E6C45F838$6(S"$^GFA$c^.z$lev-tolstoi.com$~sx=
API String ID: 0-1539420980
Opcode ID: a663be38480a963e4d2d2571437e5508161d23da234ca0242be0d579f13188ba
Instruction ID: a1ac22f4ca37b83a265b626796eb772592280569a4fa714ec55360a40b349c43
Opcode Fuzzy Hash: a663be38480a963e4d2d2571437e5508161d23da234ca0242be0d579f13188ba
Instruction Fuzzy Hash: 84A1E27058C3C28FD3358F6585917EBBBE1AF92314F18997DC4D99B281DB78040A8B97

Function 00408F20 Relevance: 7.7, APIs: 5, Instructions: 171
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00408F42
GetCurrentThreadId.KERNEL32 ref: 00408F55
GetCurrentProcessId.KERNEL32 ref: 00408F5D
GetForegroundWindow.USER32 ref: 0040902C

Part of subcall function 0040CE90: CoInitializeEx.COMBASE(00000000,00000002), ref: 0040CEA3

Part of subcall function 0040BD80: FreeLibrary.KERNEL32(00409141), ref: 0040BD86
Part of subcall function 0040BD80: FreeLibrary.KERNEL32 ref: 0040BDA7

ExitProcess.KERNEL32 ref: 00409148

Memory Dump Source

Source File: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd

Yara matches

Similarity

API ID: CurrentFreeLibraryProcess$ExitFolderForegroundInitializePathSpecialThreadWindow
String ID:
API String ID: 3072701918-0
Opcode ID: 64b5476fa3e9b2d508b38f129390cd5264c67d7df292d80a79dc2a0f4b5f57c9
Instruction ID: bdcd889f703e52059c7ab9e58482e3198cbf6fc767073c2214d38ecf418ed339
Opcode Fuzzy Hash: 64b5476fa3e9b2d508b38f129390cd5264c67d7df292d80a79dc2a0f4b5f57c9
Instruction Fuzzy Hash: 0A5167B7B443044BD318AEA6CC863AAF9979BC8315F0E903D5980DB391EEBD9C0541C8

Function 0040BDB0 Relevance: 7.6, Strings: 6, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

AK, xrefs: 0040BF2D
~+*-, xrefs: 0040BFE8
[:], xrefs: 0040BE19
m?i!, xrefs: 0040BFC7
J's), xrefs: 0040BFDD
u#{%, xrefs: 0040BFD2

Memory Dump Source

Source File: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd

Yara matches

Similarity

API ID:
String ID: AK$J's)$m?i!$u#{%$~+*-$[:]
API String ID: 0-2167574748
Opcode ID: 8b7eb5dfa94aac8796ead674e4283efcaa36dc3fedf3aa51b2c943f31bb2597f
Instruction ID: 268bcdcb352750d0d86359c6fec1c620c05b0e096526288d619aa41b5e38ca3b
Opcode Fuzzy Hash: 8b7eb5dfa94aac8796ead674e4283efcaa36dc3fedf3aa51b2c943f31bb2597f
Instruction Fuzzy Hash: C251DDB45593848BE3748F118482B8FBBB1FB92300F548A1CE6D86B794DBB84446CF97

Function 0043E470 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0041173D), ref: 0043E49E

Memory Dump Source

Source File: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0040A874 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a25596d5e3cfe4fe0e5db7da74b03c59e9ab60d04f24d3b65b32f0a3db3b2c
Instruction ID: 4930346e371a7fe24dc622efad621cb1fdb8e28414ae90ad1b2e80d729ef0247
Opcode Fuzzy Hash: e9a25596d5e3cfe4fe0e5db7da74b03c59e9ab60d04f24d3b65b32f0a3db3b2c
Instruction Fuzzy Hash: 033187B15483849FD308DF26D85126ABBA1FBD2344F145D1DE0D6AB324DB74C14ACF8A

Function 0043E3D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?), ref: 0043E443

Strings

,X_P, xrefs: 0043E406
1X_P, xrefs: 0043E42E

Memory Dump Source

Source File: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: ,X_P$1X_P
API String ID: 1279760036-2502780324
Opcode ID: eb1a6f67c4ada5412c08eb173e14373e3fe507c916b2bafd9d7fb15af6b3fd64
Instruction ID: 357ba96cad9f0123cdecf1eeb7454c10257a295415ee4a6f905f218ff180347d
Opcode Fuzzy Hash: eb1a6f67c4ada5412c08eb173e14373e3fe507c916b2bafd9d7fb15af6b3fd64
Instruction Fuzzy Hash: 5B0168B47052409BD3149B36FC9172BBBD6EFDD311F18853DE68047245D2399806D6D2

Function 0043BAB0 Relevance: 1.6, APIs: 1, Instructions: 58
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,?), ref: 0043BB5B

Memory Dump Source

Source File: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c966522f7fb25d472709df3c33f9e9313601420be56a465234706629d4e90569
Instruction ID: 7fcc2dba597176613733501886a8d543011a47e717bc7f6c2f2548effa9cc5a4
Opcode Fuzzy Hash: c966522f7fb25d472709df3c33f9e9313601420be56a465234706629d4e90569
Instruction Fuzzy Hash: 8911AF722593099BC728AE99DCC67A377F2DF80348F14003ED6D24E351E178491EE784

Function 0040CEC3 Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040CED5

Memory Dump Source

Source File: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd

Yara matches

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 86e7cd1d8ba83fd48d159611fa58a999e323023a6822f24e550602bc64e96fbd
Instruction ID: 505051cfc9ca38289cd8c3bcaa8b4d1cf811018b2ecdf46f9719d823f91473ff
Opcode Fuzzy Hash: 86e7cd1d8ba83fd48d159611fa58a999e323023a6822f24e550602bc64e96fbd
Instruction Fuzzy Hash: F3D0C9383D8741BBF5648B18AC13F543215A702F95F740624B322FE2D2CAE07105860D

Function 0040CE90 Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0040CEA3

Memory Dump Source

Source File: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd

Yara matches

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 95d69b3b1cead687a11d3aac29b76cceb317a11716f3da9f3279e12896be4b7b
Instruction ID: 22e434c7d5131673a28d60fedf45504e047772ae2bc3a5d8c25a21f98226e921
Opcode Fuzzy Hash: 95d69b3b1cead687a11d3aac29b76cceb317a11716f3da9f3279e12896be4b7b
Instruction Fuzzy Hash: 34D0A735590508ABE650672CEC0BF26362CD387725F004235B2A3C71E3EA506914C5AA

Non-executed Functions

Function 00424800 Relevance: 25.0, APIs: 1, Strings: 13, Instructions: 507COMMON

Download Yara Rule

Strings

C5+K, xrefs: 00424CE5
YW, xrefs: 00424DDD
C1D7, xrefs: 00424CDD
]!S', xrefs: 00424CBD
H=K3, xrefs: 00424CD5
;IJK, xrefs: 00424B77
8I>O, xrefs: 00424CED
@A, xrefs: 00424CFD
_-_#, xrefs: 00424CB5
_9_?, xrefs: 00424CCD
;M|C, xrefs: 00424CF5
V%C;, xrefs: 00424CC5
<=, xrefs: 00424E15

Memory Dump Source

Source File: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd

Yara matches

Similarity

API ID:
String ID: 8I>O$;IJK$;M|C$<=$@A$C1D7$C5+K$H=K3$V%C;$]!S'$_-_#$_9_?$YW
API String ID: 0-1278073768
Opcode ID: 81468d8c49a3e02887b835b59ae40fbcc3ebd7ae00028ff60e4259767b61db7f
Instruction ID: 48240a3c797665121a6c8427249b37c171d795af1c4e3dc191a1b5d2d7455386
Opcode Fuzzy Hash: 81468d8c49a3e02887b835b59ae40fbcc3ebd7ae00028ff60e4259767b61db7f
Instruction Fuzzy Hash: FBF1DCB160C3508FD300DF25E89166BBBE0EFC6354F45892DE9D58B391E7788909CB8A

Function 004252A2 Relevance: 16.5, Strings: 13, Instructions: 212COMMON

Download Yara Rule

Strings

w3w1, xrefs: 0042573D
x+{), xrefs: 004256FB
^aB, xrefs: 00425835
(), xrefs: 004254C8
%c, xrefs: 0042564B
+c(a, xrefs: 004257C1
6aB, xrefs: 004252E5, 0042530C
j7l5, xrefs: 00425748
*g/e, xrefs: 004257CC
SQ, xrefs: 00425588
WU, xrefs: 00425590
M?w=, xrefs: 00425732
US, xrefs: 0042566C

Memory Dump Source

Source File: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd

Yara matches

Similarity

API ID:
String ID: %c$()$*g/e$+c(a$6aB$M?w=$US$^aB$j7l5$w3w1$x+{)$SQ$WU
API String ID: 0-760778999
Opcode ID: 4a98a5ec70e057294fa733518eb136d5d9265efd785ada52663871b1dc11abda
Instruction ID: ba1722fd9f9df2ce26a2a668a0da62e27f47c5dd5b7501832dbec2575849f197
Opcode Fuzzy Hash: 4a98a5ec70e057294fa733518eb136d5d9265efd785ada52663871b1dc11abda
Instruction Fuzzy Hash: 99C11BB850D785CBE2708F11A98179EBBE1FB92344F108A1DE6E86B351DBB04446CF83

Function 00433CD0 Relevance: 9.1, APIs: 6, Instructions: 138clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00433CF4
GetWindowLongW.USER32 ref: 00433D1F
GetClipboardData.USER32 ref: 00433D2F
CloseClipboard.USER32 ref: 00433E6C

Memory Dump Source

Source File: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseDataLongOpenWindow
String ID:
API String ID: 1647500905-0
Opcode ID: 483dc0f38cf7e2e744496e9c2be401a32722d8f1196c6b1196953ddb2bb81523
Instruction ID: fb864d9a02aa6f82b1cafb98512c37d7d787da1b5168524821baf26f89aa3bc6
Opcode Fuzzy Hash: 483dc0f38cf7e2e744496e9c2be401a32722d8f1196c6b1196953ddb2bb81523
Instruction Fuzzy Hash: DC51D3B1808B828BD710AF7C9949259FFA0AB16321F04873AE4E59B382D3389655C797

Function 004277BD Relevance: 7.8, Strings: 6, Instructions: 345COMMON

Download Yara Rule

Strings

\K, xrefs: 004279BA
AW, xrefs: 004279CA
KJML, xrefs: 00427AD9
_^, xrefs: 004279B2
KJML, xrefs: 004278BF
m0, xrefs: 00427A3B

Memory Dump Source

Source File: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd

Yara matches

Similarity

API ID:
String ID: AW$KJML$KJML$\K$_^$m0
API String ID: 0-3031886387
Opcode ID: 78a00671d45979145a4560d365d97eb3af311ba189861d86e7565eda439995c2
Instruction ID: 8226b9801ad2d42dbe1351369da643cc8733ad833090b8abc78d166a71a0a298
Opcode Fuzzy Hash: 78a00671d45979145a4560d365d97eb3af311ba189861d86e7565eda439995c2
Instruction Fuzzy Hash: 0AA1377960C350DBE7148F24EC9172BB7A0FB96348F44183EF586872A1D738E906CB4A

Function 0040DCB7 Relevance: 7.8, APIs: 1, Strings: 4, Instructions: 319COMMON

Download Yara Rule

APIs

Part of subcall function 00433E90: GetSystemMetrics.USER32 ref: 00433ED9
Part of subcall function 00433E90: GetSystemMetrics.USER32 ref: 00433EE9

CoUninitialize.OLE32 ref: 0040DCCC

Strings

lev-tolstoi.com, xrefs: 0040E0FE
_Q, xrefs: 0040DF4D
@KFQ, xrefs: 0040DDA3
$#, xrefs: 0040E08D

Memory Dump Source

Source File: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd

Yara matches

Similarity

API ID: MetricsSystem$Uninitialize
String ID: $#$@KFQ$lev-tolstoi.com$_Q
API String ID: 1128523136-783552759
Opcode ID: d23d948b592791f3cfd090ade1304dc5fd674626a75ff97414607907e0f1a076
Instruction ID: 4defda7e57fa942cb74b608a607347f298506896ac3dbf0eddcd85f7108a5fce
Opcode Fuzzy Hash: d23d948b592791f3cfd090ade1304dc5fd674626a75ff97414607907e0f1a076
Instruction Fuzzy Hash: 5EB1BC7550D3C28BD3358F25C4907EBBBE1AFE6304F08996DD0C95B382D778490A8B9A

Function 004272A0 Relevance: 6.5, Strings: 5, Instructions: 235COMMON

Download Yara Rule

Strings

D1NO, xrefs: 00427456
_], xrefs: 0042748D
S#Q, xrefs: 00427495
I5G3, xrefs: 0042744E
z, xrefs: 00427356

Memory Dump Source

Source File: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd

Yara matches

Similarity

API ID:
String ID: z$D1NO$I5G3$S#Q$_]
API String ID: 0-639438859
Opcode ID: 7afec72c48835cafd2746ae7dfd5b11f69980f76d8b70e9f71c580cd3b4767d1
Instruction ID: 66bd1e31735b113f7b95d9c68fe98471feebe8bfbb0225636bc89cdb316b93ea
Opcode Fuzzy Hash: 7afec72c48835cafd2746ae7dfd5b11f69980f76d8b70e9f71c580cd3b4767d1
Instruction Fuzzy Hash: B571F2B16083408BC7249F14D89276BBBF2EFD2318F188A5DE5958B391E778C905CB4B

Function 00425150 Relevance: 6.4, Strings: 5, Instructions: 105COMMON

Download Yara Rule

Strings

'O"A, xrefs: 0042518A
o7cI, xrefs: 00425174
X[, xrefs: 004251AB
P?l1, xrefs: 004251D0
w3k5, xrefs: 00425169

Memory Dump Source

Source File: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd

Yara matches

Similarity

API ID:
String ID: 'O"A$P?l1$X[$o7cI$w3k5
API String ID: 0-455523353
Opcode ID: ff135a553d3141049ca5331447d5cb064331698c645f2c44e2c4e51c613b099f
Instruction ID: 51eb84a212206e2a87ad4a80187414da09e946e9a809fb256b0f7a2b673c91d2
Opcode Fuzzy Hash: ff135a553d3141049ca5331447d5cb064331698c645f2c44e2c4e51c613b099f
Instruction Fuzzy Hash: 1F31377120C3859BE7348F54EC01FEBB7E4EB85308F14093DF699CA281E77591068B5A

Function 0003F751 Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0003F841

Memory Dump Source

Source File: 00000003.00000002.2497255275.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000003.00000002.2497220132.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497301429.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497381757.000000000004D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497479098.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497550169.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000_aqbjn3fl.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 8da103c2af4e4762f22604f0469dd49f7096372ee5094c120257501c33175737
Instruction ID: 101152d662b1bf1a3636b1c3663431b5485a2a90d8cba954d4d164f716f3584b
Opcode Fuzzy Hash: 8da103c2af4e4762f22604f0469dd49f7096372ee5094c120257501c33175737
Instruction Fuzzy Hash: 4171E5B5D0511AAFDF62AF38DC89BFEB7BCAB05300F1441EAE00997112DA348E858F14

Function 000396CF Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 000396DB
IsDebuggerPresent.KERNEL32 ref: 000397A7
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 000397C7
UnhandledExceptionFilter.KERNEL32(?), ref: 000397D1

Memory Dump Source

Source File: 00000003.00000002.2497255275.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000003.00000002.2497220132.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497301429.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497381757.000000000004D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497479098.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497550169.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000_aqbjn3fl.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: a00cd3dbd59feea906de11960c87259eb0c828789abf3e2ac7b0680c1514cd83
Instruction ID: 40db376edfceb01d373a535dbd2ad48907e01819a476f01aba93920589bf808a
Opcode Fuzzy Hash: a00cd3dbd59feea906de11960c87259eb0c828789abf3e2ac7b0680c1514cd83
Instruction Fuzzy Hash: 31312BB5D062189BEB51DFA4D989BCCBBF8AF08304F1041DAE44DA7250EBB55A84CF05

Function 0041DBDB Relevance: 4.0, Strings: 3, Instructions: 202COMMON

Download Yara Rule

Strings

U{>y, xrefs: 0041DD17
.sq, xrefs: 0041DC78
tk, xrefs: 0041DC88

Memory Dump Source

Source File: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd

Yara matches

Similarity

API ID:
String ID: .sq$U{>y$tk
API String ID: 0-1908265287
Opcode ID: fe9d369215ae59bf8f0e652be0029dbe287517b77a01e18ec0a9d3604a881a57
Instruction ID: 26be6f975a003ac920f2b9828a51a9f7b0361b3b13e1d049af301d240ecb6a9b
Opcode Fuzzy Hash: fe9d369215ae59bf8f0e652be0029dbe287517b77a01e18ec0a9d3604a881a57
Instruction Fuzzy Hash: 355156B29083518BC314CF24D8916BBB7F2EFD2354F29491DE4D68B391E7789881CB96

Function 004195D1 Relevance: 3.8, Strings: 2, Instructions: 1325COMMON

Download Yara Rule

Strings

cfgdQOTL(, xrefs: 0041A0C7
QOTL, xrefs: 00419EAC

Memory Dump Source

Source File: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd

Yara matches

Similarity

API ID:
String ID: QOTL$cfgdQOTL(
API String ID: 0-1041102262
Opcode ID: b5acb474f2e6318f94453df1d46600d9046b57f515fcecbb5936f7cd36da01a4
Instruction ID: baae48468f02253949789be9a9f93deb31354230cf9b03ea4ad6e7f0ba5e09aa
Opcode Fuzzy Hash: b5acb474f2e6318f94453df1d46600d9046b57f515fcecbb5936f7cd36da01a4
Instruction Fuzzy Hash: 86920FB55007018FD7248F24C8917A2BBF2FF96314F0986ADD4968F7A2E738E845CB95

Function 004237C0 Relevance: 2.9, Strings: 2, Instructions: 426COMMON

Download Yara Rule

Strings

,-./, xrefs: 004239F4
@A, xrefs: 004237EC

Memory Dump Source

Source File: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd

Yara matches

Similarity

API ID:
String ID: ,-./$@A
API String ID: 0-1711629388
Opcode ID: 4e0d7943126a89f94e8b2c32deef5b19d661ae02a1ddcffc5b77e89c7d9c4155
Instruction ID: b427f95eee88e6e90d2e7c6e9f09885fe0d71f34555a972a5764628c52f2a79a
Opcode Fuzzy Hash: 4e0d7943126a89f94e8b2c32deef5b19d661ae02a1ddcffc5b77e89c7d9c4155
Instruction Fuzzy Hash: E7B1E372B042209BD7109F24D88276BB7F0EF91355F49892DE8C59B382E37CDA05C79A

Function 00425A75 Relevance: 2.9, Strings: 2, Instructions: 380COMMON

Download Yara Rule

Strings

"_B, xrefs: 00425F14
n[B, xrefs: 00425A93

Memory Dump Source

Source File: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd

Yara matches

Similarity

API ID:
String ID: "_B$n[B
API String ID: 0-3055631520
Opcode ID: 04987499a22af4122d59eb180440eaaba37f8dd189f60d02e643de4799b8c78f
Instruction ID: 62cab86c4d36762c2083a5c2b7229ea5af287306fc378645cba71aeb96ee3af7
Opcode Fuzzy Hash: 04987499a22af4122d59eb180440eaaba37f8dd189f60d02e643de4799b8c78f
Instruction Fuzzy Hash: C4C11136218B22CBC324DF28D8905BBB7B2FF99740F96892DD4819B360E7789D05C785

Function 0043BFC0 Relevance: 2.7, Strings: 2, Instructions: 219COMMON

Download Yara Rule

Strings

5|iL, xrefs: 0043C140
KJML, xrefs: 0043BFF0

Memory Dump Source

Source File: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: 5|iL$KJML
API String ID: 2994545307-536917200
Opcode ID: 636d95659e541816b923c3f4d570c3d48a846f27e8197f310ddef13876200725
Instruction ID: 021ef2e24474c152aafce047481dff9cba3e52c706cfde05c341d4b670c8cf24
Opcode Fuzzy Hash: 636d95659e541816b923c3f4d570c3d48a846f27e8197f310ddef13876200725
Instruction Fuzzy Hash: AF61F532A053109BD7109F68D9C076BBBE2ABCA714F1DE46AD888B7352D639DC0197C9

Function 00441160 Relevance: 2.6, Strings: 2, Instructions: 121COMMON

Download Yara Rule

Strings

P?l1, xrefs: 00441161
@, xrefs: 004411C9

Memory Dump Source

Source File: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: @$P?l1
API String ID: 2994545307-4135037845
Opcode ID: 7b2b65917937c3de63858e8aa95c118a2f4085e070f529ae319bfc7e530804d0
Instruction ID: 048af27f90df81157f785fbe2478cdb9cc1881c609c9a8ec9846b5c2d3b7d9fc
Opcode Fuzzy Hash: 7b2b65917937c3de63858e8aa95c118a2f4085e070f529ae319bfc7e530804d0
Instruction Fuzzy Hash: 23310F712093049BD304DF58C4C162BBBF4FF99344F04882EEA949B3A0D37999488B9A

Function 00423560 Relevance: 1.7, APIs: 1, Instructions: 245comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00443598,00000000,00000001,00443588), ref: 00423589

Memory Dump Source

Source File: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd

Yara matches

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 016393feeb3aaf5266cd89428a409469914a8c32bd70aadd08ee5d85eb0fe30b
Instruction ID: 1c3a52efecc43846b604c9fc2bd1fb656c54c658cb3f3d421b38619bf31c0a25
Opcode Fuzzy Hash: 016393feeb3aaf5266cd89428a409469914a8c32bd70aadd08ee5d85eb0fe30b
Instruction Fuzzy Hash: DC51BEB1700224ABDB209F24DC86B6773B8EF81755F484519F9858B391F37DDA44C72A

Function 00427E50 Relevance: 1.7, Strings: 1, Instructions: 411COMMON

Download Yara Rule

Strings

KJML, xrefs: 00427EA1

Memory Dump Source

Source File: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: KJML
API String ID: 2994545307-719402181
Opcode ID: 26d3d7412716a36292caa7e25be7bc75aa11939664aa4b81ff5062cee38173fc
Instruction ID: 4bf9e5fc8db60ad1477a33ee92378b1d27c7b974a179eba886eae4bae89287da
Opcode Fuzzy Hash: 26d3d7412716a36292caa7e25be7bc75aa11939664aa4b81ff5062cee38173fc
Instruction Fuzzy Hash: 34C15A71B093218BD714CB24E88177FB792EF95300F59856ED8868B391EA3DDC06C79A

Function 0040CA6A Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

tw, xrefs: 0040CAF4

Memory Dump Source

Source File: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd

Yara matches

Similarity

API ID:
String ID: tw
API String ID: 0-3303754386
Opcode ID: 24ea2188b8e1636f3f8cd3459eaa518c333ba647ec784111f40071de7f37294e
Instruction ID: 53010c2ad1a460e616b227301a7f5352827963e4b1c26d3e7b98a7d2cb011674
Opcode Fuzzy Hash: 24ea2188b8e1636f3f8cd3459eaa518c333ba647ec784111f40071de7f37294e
Instruction Fuzzy Hash: 5821337660D3408FD714CF24C8E136BFBF2EBD6304F25992CE59253281CAB5D9018B4A

Function 0041B634 Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

XTx, xrefs: 0041B6C0

Memory Dump Source

Source File: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: XTx
API String ID: 2994545307-3664917863
Opcode ID: 5cbfee8c9465b57ece4ff6bae65366f1f3cdd930970ab3139cb2974971e583f5
Instruction ID: d8fd3d6754167ec8497d5f9b89789aaad9797a0d7febad699e574512ff3efd57
Opcode Fuzzy Hash: 5cbfee8c9465b57ece4ff6bae65366f1f3cdd930970ab3139cb2974971e583f5
Instruction Fuzzy Hash: 5411BE396047018FE321CF2AC880B63BBE3FB9A301F18C56AD59587265DB34E881CA55

Function 0041A6A3 Relevance: .9, Instructions: 922COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb4bc0ee2808d1bc3ff1f03965229a764dcd887592880a7708e31c9fc069e7d5
Instruction ID: f11bb0ccfb7fa6bd906f1d8d31d8357785026af4ffb5bb6096dbf78d761bbead
Opcode Fuzzy Hash: cb4bc0ee2808d1bc3ff1f03965229a764dcd887592880a7708e31c9fc069e7d5
Instruction Fuzzy Hash: 96721174601701CFD724CF29C890663B7F2FF8A310B188A6DD4868BBA5E739E856CB55

Function 00407BB0 Relevance: .8, Instructions: 783COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3d0613cad7b07f43e7f17b605332ffb618e2260b6ba873c354ae63f412ccab4
Instruction ID: a30865cc17d97331694aacf62b7448b28511f1c5fcfeab318f17b077f90d62e8
Opcode Fuzzy Hash: c3d0613cad7b07f43e7f17b605332ffb618e2260b6ba873c354ae63f412ccab4
Instruction Fuzzy Hash: 0642D2319087118BC724DF18D98026BB3E2FFD4304F29893ED9C5A72C5EB39A955CB86

Function 00403060 Relevance: .7, Instructions: 658COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa0d18fdb5aa447a473b63ffc2b36f29cb12cc39c980f5c71297a03b3492509
Instruction ID: 08fd8c0c77a6a82891080e10c6793232bf344122716b21553b6421ffc9cc9e30
Opcode Fuzzy Hash: 9fa0d18fdb5aa447a473b63ffc2b36f29cb12cc39c980f5c71297a03b3492509
Instruction Fuzzy Hash: 8652D2315083459FCB14CF18C0906AABFE5BF89305F18897EF8996B381D779EA49CB85

Function 00418940 Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f3b77dcf67a0b470b62be5e49b57d937dd2d0efc915e2e85ed18c434d3aa749
Instruction ID: f4061a431cbf5a55eb24c8f2188b8ae18711ccf053ba8be149a1551a71ae942b
Opcode Fuzzy Hash: 3f3b77dcf67a0b470b62be5e49b57d937dd2d0efc915e2e85ed18c434d3aa749
Instruction Fuzzy Hash: AF9124B5904210DBD7109F18DC826BB73B0FF96354F09492DE98587392EB39A944C79A

Function 004412A0 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 87f4b841ecc1c432a5eaed726db190d427c134bbcdca1ab902fc90f08b9cf1c1
Instruction ID: 20671464f8093c1c1c425e6ee518332859a822b815ddd87db81b861f0ec46407
Opcode Fuzzy Hash: 87f4b841ecc1c432a5eaed726db190d427c134bbcdca1ab902fc90f08b9cf1c1
Instruction Fuzzy Hash: EE8167356053115BE710DF28C881B6FB3A2EFD9390F19C53EE88587364EB3898818789

Function 00418D27 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e32afe13cf32003b02a45e17a87e6737b69e99e9558ed0cfff2c1e00dfb9f29f
Instruction ID: 721f5ec9cae49a4bf89e2d6d3241f632eb14a7b80feb038f5f37aece50e8f818
Opcode Fuzzy Hash: e32afe13cf32003b02a45e17a87e6737b69e99e9558ed0cfff2c1e00dfb9f29f
Instruction Fuzzy Hash: DC9102B4D10B00AFD364EF39D947797BEF4AB45210F408A2DE8EA87684E73064598BD7

Function 00409150 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a43474baedd13b0d9d8ce7920c3662142fc8a9a34e14cd720fa28c50937b343
Instruction ID: 8c0f7e5476ace527f0ad24862e842b830586f80b34ab9c99fe485aa86d2504ff
Opcode Fuzzy Hash: 3a43474baedd13b0d9d8ce7920c3662142fc8a9a34e14cd720fa28c50937b343
Instruction Fuzzy Hash: 8731D533F215114BE714CA65CC0429632939BD9328F3E86B9C425DF296C93B9D0386C4

Function 00401F50 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5a5d1427389668793eb2184808c6612ea255da26e82feb4f43e5749824597d3
Instruction ID: 43d6eacac5e66a2eccaefddc93f777b3f9bcb39f8badc6a339dfab7d62f9f687
Opcode Fuzzy Hash: d5a5d1427389668793eb2184808c6612ea255da26e82feb4f43e5749824597d3
Instruction Fuzzy Hash: 3F3187716082029BD7149E59C880937B7E1EF84358F18893EF899A73A1D739DC52CB4B

Function 0041DE73 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b55538dad94000122f010df21ddf5dbb82f2a9efe173eec9a549675bb36c8edc
Instruction ID: 1a94fae6aa4c1755432654251974b40da07cabae229cf75ca8a158187f2f73a1
Opcode Fuzzy Hash: b55538dad94000122f010df21ddf5dbb82f2a9efe173eec9a549675bb36c8edc
Instruction Fuzzy Hash: 1A212B73A083508FD724CF2AD48029BFBD29BD6304F19856EF4D59B382C534C9068796

Function 0041DBD4 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34bba6bb5d8484f013f34a3491fcda76e0bb1152ae3d79a328efdf63677fa893
Instruction ID: 260243d3f1f0345c84290ebcd99fddfdae7476931baad2af899af0836fb5fa84
Opcode Fuzzy Hash: 34bba6bb5d8484f013f34a3491fcda76e0bb1152ae3d79a328efdf63677fa893
Instruction Fuzzy Hash: 59212773A093508FD324CF2AD48029BFBE29BE6304F19856EF4D58B395C63489068B96

Function 0043BF10 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 00ba2b57a91ac047a4705b75b92ef8b22f69b3affa1c05689b710e5b9512dfb5
Instruction ID: bf8168a1869feb74f468f2fd825a5a20f2ae5d369cfd7629e8ff9ba76c4e48e0
Opcode Fuzzy Hash: 00ba2b57a91ac047a4705b75b92ef8b22f69b3affa1c05689b710e5b9512dfb5
Instruction Fuzzy Hash: 85114C71B162044BE3109A15DD8072BB763EBDE315F2DB06AD98497319D7388C014BD9

Function 0041ECF4 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 777d66c022c8a6a6674b28da04df8bfe314bbffb0f66602573b32b5334db9946
Instruction ID: 30254e917762e5330fb28f5a41babc129ad49ecc1168e7e400b6ea640b9a73ec
Opcode Fuzzy Hash: 777d66c022c8a6a6674b28da04df8bfe314bbffb0f66602573b32b5334db9946
Instruction Fuzzy Hash: B6A002A9C49450C7EA005F217906075F138931730AF063479948A73153AA36E158954F

Function 00433E90 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 125COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00433ED9
GetSystemMetrics.USER32 ref: 00433EE9

Strings

xEC, xrefs: 00433FF1
^GC, xrefs: 004340CD
^LC, xrefs: 00433FD0
7GC, xrefs: 0043405F
TEC, xrefs: 004340A1
xIC, xrefs: 00434075
FC, xrefs: 00434033

Memory Dump Source

Source File: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID: 7GC$TEC$^GC$^LC$xEC$xIC$FC
API String ID: 4116985748-908964047
Opcode ID: 6a2e011da6ada6983ea4d7eb0b4d23507b4e6b403bdf28e27d9a846a6a2923f9
Instruction ID: 3e08075581ce457eda26527f829893d569b84f6169f063b11f99ae05461175c0
Opcode Fuzzy Hash: 6a2e011da6ada6983ea4d7eb0b4d23507b4e6b403bdf28e27d9a846a6a2923f9
Instruction Fuzzy Hash: 6A912DB000E3D5CFE370AF51C94878FBBE0AB82308F50891ED19C5A650DBB95149DFAA

Function 000425E3 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00042702
___TypeMatch.LIBVCRUNTIME ref: 00042810
CatchIt.LIBVCRUNTIME ref: 00042861
_UnwindNestedFrames.LIBCMT ref: 00042962
CallUnexpected.LIBVCRUNTIME ref: 0004297D

Strings

csm, xrefs: 0004268D
csm, xrefs: 00042620
csm, xrefs: 00042739

Memory Dump Source

Source File: 00000003.00000002.2497255275.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000003.00000002.2497220132.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497301429.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497381757.000000000004D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497479098.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497550169.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000_aqbjn3fl.jbxd

Similarity

API ID: CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 4119006552-393685449
Opcode ID: ecc34ae62cab7d6cff2f364eca29f9c93342c8d5b5e709e4ba2a5edc7c4d7df8
Instruction ID: 497e32e6e8e3b34b73dd282039c485030f8b7ca1b5bec88ebce7cc0f6bc7c0dd
Opcode Fuzzy Hash: ecc34ae62cab7d6cff2f364eca29f9c93342c8d5b5e709e4ba2a5edc7c4d7df8
Instruction Fuzzy Hash: C6B17BB1A00209EFCF19DFA4C8819AEBBB5FF55310F954169F814AB212D730DE51CBA9

Function 00039E60 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00039E97
___except_validate_context_record.LIBVCRUNTIME ref: 00039E9F
_ValidateLocalCookies.LIBCMT ref: 00039F28
__IsNonwritableInCurrentImage.LIBCMT ref: 00039F53
HeapAlloc.KERNEL32 ref: 00039F82
_ValidateLocalCookies.LIBCMT ref: 00039FA8

Strings

csm, xrefs: 00039F3D

Memory Dump Source

Source File: 00000003.00000002.2497255275.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000003.00000002.2497220132.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497301429.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497381757.000000000004D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497479098.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497550169.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000_aqbjn3fl.jbxd

Similarity

API ID: CookiesLocalValidate$AllocCurrentHeapImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 4107480505-1018135373
Opcode ID: 7ba43dd97c8885b3a36d8b9adad4eb9f09744d6ac835e563bb5519437a1c33ec
Instruction ID: 16ae2cca193493031e6432846c5d519ea605c7316c48f4cc570dca720947cc28
Opcode Fuzzy Hash: 7ba43dd97c8885b3a36d8b9adad4eb9f09744d6ac835e563bb5519437a1c33ec
Instruction Fuzzy Hash: CE41C434A002099FCF11DF68C880A9E7BF9AF45314F148165F914AB392D7B5EA41CB91

Function 00043F66 Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,7FFFFFFF,?,00043F51,?,?,?,?,?,?,?,?,?,?), ref: 0004400C
__alloca_probe_16.LIBCMT ref: 000440C7
__alloca_probe_16.LIBCMT ref: 00044156
__freea.LIBCMT ref: 000441A1
__freea.LIBCMT ref: 000441A7
__freea.LIBCMT ref: 000441DD
__freea.LIBCMT ref: 000441E3
__freea.LIBCMT ref: 000441F3

Memory Dump Source

Source File: 00000003.00000002.2497255275.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000003.00000002.2497220132.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497301429.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497381757.000000000004D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497479098.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497550169.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000_aqbjn3fl.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 159684e24c3e040e312f6eb438c833482ea2c142d73c33aad56aa0802468c7da
Instruction ID: 82ee0ae0513847288c8668f34c99c0105cd5746b6c724a79588cb7f9d311f849
Opcode Fuzzy Hash: 159684e24c3e040e312f6eb438c833482ea2c142d73c33aad56aa0802468c7da
Instruction Fuzzy Hash: 247125F2900205ABEF319E64CC81BEE77FAAF55310F280139EA05A7292DA35DD458768

Function 00034910 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 243COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 000349B7

Strings

(^Hx, xrefs: 00034AAB
(^Hx, xrefs: 00034ACC
(^Hx, xrefs: 00034AD7

Memory Dump Source

Source File: 00000003.00000002.2497255275.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000003.00000002.2497220132.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497301429.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497381757.000000000004D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497479098.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497550169.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000_aqbjn3fl.jbxd

Similarity

API ID: ___std_exception_copy
String ID: (^Hx$(^Hx$(^Hx
API String ID: 2659868963-1348055467
Opcode ID: 8524678fbe4f503437c35d3c0b866d236756d486a7d4000264754f96af713ac0
Instruction ID: 746d644989efdd179f8d4a35841dc4c90b98855a27b9e70aec68bd4b916b21e7
Opcode Fuzzy Hash: 8524678fbe4f503437c35d3c0b866d236756d486a7d4000264754f96af713ac0
Instruction Fuzzy Hash: AA813F392042004FDB658B29DAC432E77D9A799320F698B17E5A1CF7E1EB79EC448706

Function 0003C8BA Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00000000,?,BB40E64E,?,0003C9C9,?,0001782F,00000000,00000000), ref: 0003C97B

Strings

ext-ms-, xrefs: 0003C925
api-ms-, xrefs: 0003C911

Memory Dump Source

Source File: 00000003.00000002.2497255275.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000003.00000002.2497220132.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497301429.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497381757.000000000004D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497479098.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497550169.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000_aqbjn3fl.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 881192dbdf054e9539f1026d81c1596b3f0a817f08e7234342360dcaccd1314a
Instruction ID: 92b10da4f3edde220a3c746eeaade1136c4c134cf541a2450d48f2882b460c19
Opcode Fuzzy Hash: 881192dbdf054e9539f1026d81c1596b3f0a817f08e7234342360dcaccd1314a
Instruction Fuzzy Hash: BE2123B6A01211A7F7639B25ED88F5A779DAB427A0F120122E905F7281DB70ED01C7D4

Function 0003C15E Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0003C155,00039C3D,00039834), ref: 0003C16C
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0003C17A
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0003C193
SetLastError.KERNEL32(00000000,0003C155,00039C3D,00039834), ref: 0003C1E5

Memory Dump Source

Source File: 00000003.00000002.2497255275.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000003.00000002.2497220132.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497301429.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497381757.000000000004D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497479098.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497550169.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000_aqbjn3fl.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: cd8b318527f0b9c40e270e4d4221bb3898902b659d6f82857673a56b36d0122e
Instruction ID: 0668699afe7656d93067b7fa48c0358fa79dde2dd0c1ad44729d3efb2f9497b7
Opcode Fuzzy Hash: cd8b318527f0b9c40e270e4d4221bb3898902b659d6f82857673a56b36d0122e
Instruction Fuzzy Hash: 9A01D8B61093115EF6662BB56E86D6A369CCB13779B20023AFE24E11E3EF655C0072DC

Function 0002DD20 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 103COMMON

Download Yara Rule

Strings

eIY, xrefs: 0002DE18
eIY, xrefs: 0002DD95
eIY, xrefs: 0002DDB8
string too long, xrefs: 0002DE7A

Memory Dump Source

Source File: 00000003.00000002.2497255275.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000003.00000002.2497220132.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497301429.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497381757.000000000004D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497479098.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497550169.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000_aqbjn3fl.jbxd

Similarity

API ID:
String ID: string too long$eIY$eIY$eIY
API String ID: 0-1759105153
Opcode ID: 81194e931d9acc54c97c9ace3dbfbb7f72a7b813c820eee641c5127bb687869b
Instruction ID: 63a787528768c0a7a3727061869db80e4892834b83c5741bfc4bc25ced530614
Opcode Fuzzy Hash: 81194e931d9acc54c97c9ace3dbfbb7f72a7b813c820eee641c5127bb687869b
Instruction Fuzzy Hash: D921993730463097BE681628EA851AE39D34BF2378F6F4587D44A6F357D636CCC58292

Function 0003A945 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BB40E64E,0003B778,?,00000000,000463CE,000000FF,?,0003AA06,17BE016A,?,0003AAA2,00000000), ref: 0003A97A
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0003A98C
FreeLibrary.KERNEL32(00000000,?,00000000,000463CE,000000FF,?,0003AA06,17BE016A,?,0003AAA2,00000000), ref: 0003A9AE

Strings

mscoree.dll, xrefs: 0003A973
CorExitProcess, xrefs: 0003A984

Memory Dump Source

Source File: 00000003.00000002.2497255275.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000003.00000002.2497220132.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497301429.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497381757.000000000004D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497479098.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497550169.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000_aqbjn3fl.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 1bb7588888adbc1d135aded7fa97da213042125506913161ecb95dcb56d67ee7
Instruction ID: 4075fb32f2cd164ca74cda76de5189a79172b5872a1367709a00a14b4f375648
Opcode Fuzzy Hash: 1bb7588888adbc1d135aded7fa97da213042125506913161ecb95dcb56d67ee7
Instruction Fuzzy Hash: F301DBB5A40615EFEB128F50DD09FAE77B8FB06715F000536F811A2690DBB89900CB95

Function 00040EA8 Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00040F2D
__alloca_probe_16.LIBCMT ref: 00040FF6
__freea.LIBCMT ref: 0004105D

Part of subcall function 0003EBBB: HeapAlloc.KERNEL32(00000000,000176E8,?,?,000176E8,01E84800), ref: 0003EBED

__freea.LIBCMT ref: 00041070
__freea.LIBCMT ref: 0004107D

Memory Dump Source

Source File: 00000003.00000002.2497255275.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000003.00000002.2497220132.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497301429.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497381757.000000000004D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497479098.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497550169.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000_aqbjn3fl.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 244b86777bd589027b1e15e01b043b5589b7c9d3ba622c7084170db9988f6418
Instruction ID: 9f3e4158fd1ba72fe69e14923248d9a11bf14619091674203dc805778263ecab
Opcode Fuzzy Hash: 244b86777bd589027b1e15e01b043b5589b7c9d3ba622c7084170db9988f6418
Instruction Fuzzy Hash: 8F51A1B2600246ABEB215E61CC81EEB7BEDEF44710F190539FD18E6192EB71DD908664

Function 00042A08 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,0004290E,?,?,00000000,00000000,00000000,?), ref: 00042A2D
CatchIt.LIBVCRUNTIME ref: 00042B13

Strings

RCC, xrefs: 00042A47
MOC, xrefs: 00042A3F

Memory Dump Source

Source File: 00000003.00000002.2497255275.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000003.00000002.2497220132.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497301429.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497381757.000000000004D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497479098.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497550169.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000_aqbjn3fl.jbxd

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: dfecf580f3fc355aaefaa1d58971daa7a5c015ebdfa5371651a83ed4ed82edd0
Instruction ID: 2dbbd3ca76b300d90ff91fb4454325b912f5686730eaf494c1e6de1bf4ad72df
Opcode Fuzzy Hash: dfecf580f3fc355aaefaa1d58971daa7a5c015ebdfa5371651a83ed4ed82edd0
Instruction Fuzzy Hash: BA418CB1A00209AFDF16CF94CD81AEEBBB5FF48304F588169F904B7212D7359960DB95

Function 00040C42 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00040CDE,0003B778,CEDEADC1,0003B778,?,?,?,00040B26,00000000,FlsAlloc,00048060,00048068), ref: 00040C4F
GetLastError.KERNEL32(?,00040CDE,0003B778,CEDEADC1,0003B778,?,?,?,00040B26,00000000,FlsAlloc,00048060,00048068,0003B778,?,0003C10C), ref: 00040C59
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00000000,0003BAC4,?,?,?,?,?,00000000,0003B778,00000000,00000000,00000000), ref: 00040C81

Strings

api-ms-, xrefs: 00040C66

Memory Dump Source

Source File: 00000003.00000002.2497255275.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000003.00000002.2497220132.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497301429.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497381757.000000000004D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497479098.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497550169.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000_aqbjn3fl.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 8b65fc0074f94937580cf74e98ff74f96fa2768d2b474061136d105600831984
Instruction ID: 37d8440ec5ec48007123d9cc8b0b28fadea9211e7f209f54f0f9b494d46a50ea
Opcode Fuzzy Hash: 8b65fc0074f94937580cf74e98ff74f96fa2768d2b474061136d105600831984
Instruction Fuzzy Hash: EAE012B5241204FAFB502BA1DE46F5A3F959B41B41F148130FA0CA80E1E7F6D811858C

Function 0004159F Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(BB40E64E,00000000,00000000,?), ref: 00041602

Part of subcall function 0004012E: WideCharToMultiByte.KERNEL32(?,00000000,00023066,00000000,00000000,00000000,000000FF,?,?,00000000,00023066,?,0003C091,?,00000000,?), ref: 0004018F

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00041854
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0004189A
GetLastError.KERNEL32 ref: 0004193D

Memory Dump Source

Source File: 00000003.00000002.2497255275.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000003.00000002.2497220132.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497301429.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497381757.000000000004D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497479098.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497550169.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000_aqbjn3fl.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 8a10869bab9cdee99784ce7dca150b005ceac35ea55b3d89fe04bbc8251ebac6
Instruction ID: 5284181f414c9f7661c1e0970e450793436f983b001ab2f1212d966cb82c0ac8
Opcode Fuzzy Hash: 8a10869bab9cdee99784ce7dca150b005ceac35ea55b3d89fe04bbc8251ebac6
Instruction Fuzzy Hash: 73D18BB5D04258AFDB15CFA8C8909EDBBF5FF09310F28452AE465EB352D630A982CB54

Function 0004240C Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 000424D3
___AdjustPointer.LIBCMT ref: 000424F6
___AdjustPointer.LIBCMT ref: 00042592

Memory Dump Source

Source File: 00000003.00000002.2497255275.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000003.00000002.2497220132.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497301429.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497381757.000000000004D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497479098.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497550169.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000_aqbjn3fl.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 00464963b5cbf557a17bad085d51a2ef46009ef20962768c7145daea9560e6dc
Instruction ID: 331c3400186e652cb0e9de0a5386e60e38b6da732f97db05215da785301e6acb
Opcode Fuzzy Hash: 00464963b5cbf557a17bad085d51a2ef46009ef20962768c7145daea9560e6dc
Instruction Fuzzy Hash: 8851A0F2B01A069FEB299F10D851BBAB7E4EF40314F544039F905962A2D771ED80DB98

Function 0003F52E Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 0004012E: WideCharToMultiByte.KERNEL32(?,00000000,00023066,00000000,00000000,00000000,000000FF,?,?,00000000,00023066,?,0003C091,?,00000000,?), ref: 0004018F

GetLastError.KERNEL32(?,?,?,00000000,00000000,?,0003F8D4,?,?,?,00000000), ref: 0003F592
__dosmaperr.LIBCMT ref: 0003F599
GetLastError.KERNEL32(00000000,0003F8D4,?,?,00000000,?,?,?,00000000,00000000,?,0003F8D4,?,?,?,00000000), ref: 0003F5D3
__dosmaperr.LIBCMT ref: 0003F5DA

Memory Dump Source

Source File: 00000003.00000002.2497255275.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000003.00000002.2497220132.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497301429.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497381757.000000000004D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497479098.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497550169.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000_aqbjn3fl.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: d49948e8cd499b185a1bd9e32b40143f594bbbd258bfc4d7e8a4c3e36c5abeb3
Instruction ID: be64fd41cc5d15993ee8a0d053e6d3f42642427bb5e9d25a75ba41fb97d95816
Opcode Fuzzy Hash: d49948e8cd499b185a1bd9e32b40143f594bbbd258bfc4d7e8a4c3e36c5abeb3
Instruction Fuzzy Hash: 2621F575A00A07AFDB62AF65C9808BBB7ECEF05360F108539FA1993252D730ED108750

Function 0003FAD4 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2497255275.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000003.00000002.2497220132.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497301429.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497381757.000000000004D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497479098.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497550169.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000_aqbjn3fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f768b7d7513bbb21e66182b892a8a003b838e4db0293d614a076b1408191ad9c
Instruction ID: d47dc50c7d609df7bae957de1da7c8e01961eefcdb9f8a1d8b4169e1e0a15d24
Opcode Fuzzy Hash: f768b7d7513bbb21e66182b892a8a003b838e4db0293d614a076b1408191ad9c
Instruction Fuzzy Hash: A7219DB1A00607AFEB62AF65CC91CBBB7ACAF44364F108535FA1997152D770EC0087A0

Function 0004022A Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00040232

Part of subcall function 0004012E: WideCharToMultiByte.KERNEL32(?,00000000,00023066,00000000,00000000,00000000,000000FF,?,?,00000000,00023066,?,0003C091,?,00000000,?), ref: 0004018F

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0004026A
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0004028A

Memory Dump Source

Source File: 00000003.00000002.2497255275.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000003.00000002.2497220132.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497301429.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497381757.000000000004D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497479098.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497550169.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000_aqbjn3fl.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: b443a63db447118311bd23c166526b72ea6f208b2085a98b23ff78eed8d82a43
Instruction ID: e14b4076f9a8bd4c74ab65685baecb9349717c1559494ce9aa88919fe9da8082
Opcode Fuzzy Hash: b443a63db447118311bd23c166526b72ea6f208b2085a98b23ff78eed8d82a43
Instruction Fuzzy Hash: D511C8F65166167EF62227719ECDCBF6AACDF473947100035FA02B2152EAB4DD018178

Function 00044420 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00043C02,00000000,00000001,00000000,?,?,00041991,?,00000000,00000000), ref: 00044437
GetLastError.KERNEL32(?,00043C02,00000000,00000001,00000000,?,?,00041991,?,00000000,00000000,?,?,?,000412D7,00000000), ref: 00044443

Part of subcall function 000444A0: CloseHandle.KERNEL32(FFFFFFFE,00044453,?,00043C02,00000000,00000001,00000000,?,?,00041991,?,00000000,00000000,?,?), ref: 000444B0

___initconout.LIBCMT ref: 00044453

Part of subcall function 00044475: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00044411,00043BEF,?,?,00041991,?,00000000,00000000,?), ref: 00044488

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,00043C02,00000000,00000001,00000000,?,?,00041991,?,00000000,00000000,?), ref: 00044468

Memory Dump Source

Source File: 00000003.00000002.2497255275.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000003.00000002.2497220132.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497301429.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497381757.000000000004D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497479098.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497550169.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000_aqbjn3fl.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: a5bf949e16af02a3bcf590f9dcd87c0365db38cc0fe8dcd45158d79a0ecb2a68
Instruction ID: f25d67a54dc756d4728ee2dae558eea8d876e512a057bed0857d9469a4071398
Opcode Fuzzy Hash: a5bf949e16af02a3bcf590f9dcd87c0365db38cc0fe8dcd45158d79a0ecb2a68
Instruction Fuzzy Hash: EEF0307A141114BBDF622FD1ED08F893F66FF497B5B014020FA5895131C7B28820DB98

Function 0004227C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00042285

Strings

csm, xrefs: 00042318
csm, xrefs: 000422A7

Memory Dump Source

Source File: 00000003.00000002.2497255275.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000003.00000002.2497220132.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497301429.0000000000047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497381757.000000000004D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497479098.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2497550169.0000000000053000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000_aqbjn3fl.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: c34c4d7c03a60f7275c78030901e27f292453e10badcb808c2f57f0125c9b2f5
Instruction ID: 2d2d0a68187603a91e514c71e8d8b91e89bbd8a101943439306279734d128fe9
Opcode Fuzzy Hash: c34c4d7c03a60f7275c78030901e27f292453e10badcb808c2f57f0125c9b2f5
Instruction Fuzzy Hash: 4031F5F1600215EFCF229F50CC049AE7BB5FF49316B58826AF81849111C336CEA1DF99

Function 0040BD80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00409141), ref: 0040BD86
FreeLibrary.KERNEL32 ref: 0040BDA7

Strings

v, xrefs: 0040BD86, 0040BDA7

Memory Dump Source

Source File: 00000003.00000002.2497646575.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aqbjn3fl.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: v
API String ID: 3664257935-2904040280
Opcode ID: 258e1ba9c224423b1a1c49954e9d779e47fc35ca85bf672c57b92161d3a4c994
Instruction ID: 331fdb691759df2a5931b2739dcb7d62f7cb4d50402f2e14919dbf10c38f77d7
Opcode Fuzzy Hash: 258e1ba9c224423b1a1c49954e9d779e47fc35ca85bf672c57b92161d3a4c994
Instruction Fuzzy Hash: A9C002BD901445EFDE416F61FC49A283A62FB923257050130A66590435DB329AB1DE99

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report aqbjn3fl.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
aqbjn3fl.exe

Function 0004D18D Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Function 0001D478 Relevance: 1.5, Strings: 1, Instructions: 206
COMMON

Function 00040EA8 Relevance: 7.7, APIs: 5, Instructions: 197
COMMON

Function 0003D4EA Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Function 0003D2D2 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 0001A0B0 Relevance: 3.1, APIs: 2, Instructions: 64
COMMON

Function 0003C7EC Relevance: 3.0, APIs: 2, Instructions: 34
COMMON

Function 0003DC6B Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Function 0003DA79 Relevance: 1.6, APIs: 1, Instructions: 142
COMMON

Function 0001B0E4 Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Function 0003EBBB Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE