Edit tour

Windows Analysis Report
oiF7u78bY2.exe

Overview

General Information

Sample name:	oiF7u78bY2.exe renamed because original name is a hash value
Original sample name:	99138122c12efbb499e6b76bd91e107f.exe
Analysis ID:	1580302
MD5:	99138122c12efbb499e6b76bd91e107f
SHA1:	286786b0708bf08e0d192374276f6b791170b5e8
SHA256:	a61525f9b5b24572111616ac596ccde037ec91fb8225c21acdfd8b96c3892554
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

.NET source code contains very large array initializations

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

oiF7u78bY2.exe (PID: 7004 cmdline: "C:\Users\user\Desktop\oiF7u78bY2.exe" MD5: 99138122C12EFBB499E6B76BD91E107F)

conhost.exe (PID: 7112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

aspnet_regiis.exe (PID: 2700 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" MD5: 5D1D74198D75640E889F0A577BBF31FC)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["aspecteirs.lat", "grannyejh.lat", "discokeyus.lat", "rapeflowwj.lat", "sustainskelet.lat", "energyaffai.lat", "spellshagey.biz", "crosshuaht.lat", "necklacebudi.lat"], "Build id": "HpOoIh--b8bb860e1ee2"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.binstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T09:03:30.237669+0100	2028371	3	Unknown Traffic	192.168.2.7	49699	23.55.153.106	443	TCP
2024-12-24T09:03:32.625318+0100	2028371	3	Unknown Traffic	192.168.2.7	49700	104.21.66.86	443	TCP
2024-12-24T09:03:33.874757+0100	2028371	3	Unknown Traffic	192.168.2.7	49701	104.21.66.86	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T09:03:33.637617+0100	2054653	1	A Network Trojan was detected	192.168.2.7	49700	104.21.66.86	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T09:03:33.637617+0100	2049836	1	A Network Trojan was detected	192.168.2.7	49700	104.21.66.86	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (aspecteirs .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T09:03:27.654609+0100	2058354	1	Domain Observed Used for C2 Detected	192.168.2.7	55036	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crosshuaht .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T09:03:28.130819+0100	2058358	1	Domain Observed Used for C2 Detected	192.168.2.7	56434	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T09:03:26.471884+0100	2058360	1	Domain Observed Used for C2 Detected	192.168.2.7	53082	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (energyaffai .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T09:03:27.337740+0100	2058362	1	Domain Observed Used for C2 Detected	192.168.2.7	51694	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T09:03:26.166251+0100	2058364	1	Domain Observed Used for C2 Detected	192.168.2.7	50937	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacebudi .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T09:03:26.953962+0100	2058370	1	Domain Observed Used for C2 Detected	192.168.2.7	52297	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rapeflowwj .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T09:03:28.357562+0100	2058374	1	Domain Observed Used for C2 Detected	192.168.2.7	59807	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spellshagey .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T09:03:25.907149+0100	2058285	1	Domain Observed Used for C2 Detected	192.168.2.7	56878	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sustainskelet .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T09:03:27.901698+0100	2058376	1	Domain Observed Used for C2 Detected	192.168.2.7	59768	1.1.1.1	53	UDP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T09:03:31.011817+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.7	49699	23.55.153.106	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://lev-tolstoi.com/jR	Avira URL Cloud: Label: malware
Source: https://spellshagey.biz:443/apiH	Avira URL Cloud: Label: malware
Source: spellshagey.biz	Avira URL Cloud: Label: malware
Source: https://necklacebudi.lat:443/apiW	Avira URL Cloud: Label: malware
Source: https://sustainskelet.lat:443/api	Avira URL Cloud: Label: malware
Source: https://rapeflowwj.lat:443/api	Avira URL Cloud: Label: malware

Found malware configuration

Source: oiF7u78bY2.exe

Malware Configuration Extractor: LummaC {"C2 url": ["aspecteirs.lat", "grannyejh.lat", "discokeyus.lat", "rapeflowwj.lat", "sustainskelet.lat", "energyaffai.lat", "spellshagey.biz", "crosshuaht.lat", "necklacebudi.lat"], "Build id": "HpOoIh--b8bb860e1ee2"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\gdi32.dll

ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: oiF7u78bY2.exe	ReversingLabs: Detection: 76%
Source: oiF7u78bY2.exe	Virustotal: Detection: 68%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\gdi32.dll

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: oiF7u78bY2.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: oiF7u78bY2.exe	String decryptor: rapeflowwj.lat
Source: oiF7u78bY2.exe	String decryptor: crosshuaht.lat
Source: oiF7u78bY2.exe	String decryptor: sustainskelet.lat
Source: oiF7u78bY2.exe	String decryptor: aspecteirs.lat
Source: oiF7u78bY2.exe	String decryptor: energyaffai.lat
Source: oiF7u78bY2.exe	String decryptor: necklacebudi.lat
Source: oiF7u78bY2.exe	String decryptor: discokeyus.lat
Source: oiF7u78bY2.exe	String decryptor: grannyejh.lat
Source: oiF7u78bY2.exe	String decryptor: spellshagey.biz
Source: oiF7u78bY2.exe	String decryptor: lid=%s&j=%s&ver=4.0
Source: oiF7u78bY2.exe	String decryptor: TeslaBrowser/5.5
Source: oiF7u78bY2.exe	String decryptor: - Screen Resoluton:
Source: oiF7u78bY2.exe	String decryptor: - Physical Installed Memory:
Source: oiF7u78bY2.exe	String decryptor: Workgroup: -
Source: oiF7u78bY2.exe	String decryptor: HpOoIh--b8bb860e1ee2

Source: oiF7u78bY2.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.7:49700 version: TLS 1.2

Source: oiF7u78bY2.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\oiF7u78bY2.exe

Code function: 0_2_6EC22590 FindFirstFileExW,

0_2_6EC22590

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [ecx], al	3_2_004FCD9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edi, ecx	3_2_004FCD9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], E1A2961Bh	3_2_0052A6D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then push eax	3_2_004FB75E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0050C840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-7Dh]	3_2_0050C840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [edi], ax	3_2_00515079
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov esi, edx	3_2_004F8860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [edi], cx	3_2_0050C0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_2_005198E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+4A96EB48h]	3_2_0052D0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 73004FCFh	3_2_00509890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-000000ABh]	3_2_00509890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], D6A985C1h	3_2_00509890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+esi+2845CDC9h]	3_2_00509890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 5E874B5Fh	3_2_00509890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 5E874B5Fh	3_2_00509890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 888A0AE0h	3_2_00509890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], D6A985C1h	3_2_00509890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then lea eax, dword ptr [eax+eax*4]	3_2_004F8090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax]	3_2_00512F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	3_2_00512F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp eax	3_2_0051891E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ebx, dword ptr [esp]	3_2_00518134
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_005231D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [esi], cl	3_2_0051A9E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edx, ecx	3_2_0052B9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, cx	3_2_0051C9AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	3_2_0050EA50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+4A96EB48h]	3_2_0052D270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+3E34CFBAh]	3_2_0051C273
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [esi], cl	3_2_0051C273
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, eax	3_2_00512232
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edi, eax	3_2_0052AA2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ebx+02h]	3_2_00515B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx+06h]	3_2_0051834D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0051834D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0051834D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, word ptr [esi+eax]	3_2_00511B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+05h]	3_2_00517B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], FAD59DE2h	3_2_00506B06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 29FCC5D8h	3_2_00506B06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 3FE33C50h	3_2_00506B06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then lea esi, dword ptr [esp+00000098h]	3_2_00506B06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00506B06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+edi+2845CE35h]	3_2_00506B06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 73B6CFD8h	3_2_00506B06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-29138FE1h]	3_2_004FCB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_0051BB35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_0051BB35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov dword ptr [esp], edx	3_2_0051BB35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	3_2_004F73D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+edi*4+00h]	3_2_004F73D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	3_2_00519BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp byte ptr [eax+ecx+23h], 00000000h	3_2_004FA383
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-7994E9ADh]	3_2_0051A440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [edi], ax	3_2_0052A44A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	3_2_0052BC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+74h]	3_2_004F9470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [edi], ax	3_2_004F9470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+665537E3h]	3_2_00518CF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	3_2_00517CB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	3_2_00505CA2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edx, ecx	3_2_00526550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then test eax, eax	3_2_00526550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp al, 5Ch	3_2_004F2540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1Ch]	3_2_00518D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx-000000A8h]	3_2_00526D19
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [esi], cl	3_2_0051CD27
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], dx	3_2_00504DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx+06h]	3_2_0051834D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0051834D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0051834D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+02h]	3_2_004F8DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [eax], cl	3_2_004F8DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [esi], cl	3_2_0051C690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-0CB4AF98h]	3_2_0051C690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movsx ecx, byte ptr [esi]	3_2_0052AEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax]	3_2_00528750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+1Ch]	3_2_00511770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edx+ebp*8], C72EB52Eh	3_2_00528F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+28h]	3_2_00515F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax]	3_2_00512F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	3_2_00512F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, ecx	3_2_00506797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp cl, 0000002Eh	3_2_00515FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [eax], cl	3_2_00515FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edx], bl	3_2_0051A7BB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058362 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (energyaffai .lat) : 192.168.2.7:51694 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058364 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat) : 192.168.2.7:50937 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058376 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sustainskelet .lat) : 192.168.2.7:59768 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058354 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (aspecteirs .lat) : 192.168.2.7:55036 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058370 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacebudi .lat) : 192.168.2.7:52297 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058285 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spellshagey .biz) : 192.168.2.7:56878 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058358 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crosshuaht .lat) : 192.168.2.7:56434 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058374 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rapeflowwj .lat) : 192.168.2.7:59807 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058360 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat) : 192.168.2.7:53082 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.7:49699 -> 23.55.153.106:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49700 -> 104.21.66.86:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49700 -> 104.21.66.86:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: aspecteirs.lat
Source: Malware configuration extractor	URLs: grannyejh.lat
Source: Malware configuration extractor	URLs: discokeyus.lat
Source: Malware configuration extractor	URLs: rapeflowwj.lat
Source: Malware configuration extractor	URLs: sustainskelet.lat
Source: Malware configuration extractor	URLs: energyaffai.lat
Source: Malware configuration extractor	URLs: spellshagey.biz
Source: Malware configuration extractor	URLs: crosshuaht.lat
Source: Malware configuration extractor	URLs: necklacebudi.lat

Source: Joe Sandbox View	IP Address: 104.21.66.86 104.21.66.86
Source: Joe Sandbox View	IP Address: 23.55.153.106 23.55.153.106

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49701 -> 104.21.66.86:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49699 -> 23.55.153.106:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49700 -> 104.21.66.86:443

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: aspnet_regiis.exe, 00000003.00000003.1327705019.0000000002DFF000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1330058973.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1330098773.0000000002E0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: / https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: aspnet_regiis.exe, 00000003.00000003.1327705019.0000000002DFF000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1330058973.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1330098773.0000000002E0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: / https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: aspnet_regiis.exe, 00000003.00000003.1303806976.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=c3b2460d7c7f76387716e57e; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type35121Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveTue, 24 Dec 2024 08:03:30 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Controlv equals www.youtube.com (Youtube)
Source: aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: spellshagey.biz
Source: global traffic	DNS traffic detected: DNS query: grannyejh.lat
Source: global traffic	DNS traffic detected: DNS query: discokeyus.lat
Source: global traffic	DNS traffic detected: DNS query: necklacebudi.lat
Source: global traffic	DNS traffic detected: DNS query: energyaffai.lat
Source: global traffic	DNS traffic detected: DNS query: aspecteirs.lat
Source: global traffic	DNS traffic detected: DNS query: sustainskelet.lat
Source: global traffic	DNS traffic detected: DNS query: crosshuaht.lat
Source: global traffic	DNS traffic detected: DNS query: rapeflowwj.lat
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: lev-tolstoi.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com

Source: aspnet_regiis.exe, 00000003.00000002.1330840839.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: aspnet_regiis.exe, 00000003.00000003.1330129582.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327734789.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1330728604.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: aspnet_regiis.exe, 00000003.00000003.1330129582.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327734789.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1330728604.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: aspnet_regiis.exe, 00000003.00000003.1330129582.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327734789.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1330728604.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: aspnet_regiis.exe, 00000003.00000002.1330840839.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: aspnet_regiis.exe, 00000003.00000002.1330840839.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: aspnet_regiis.exe, 00000003.00000002.1330840839.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: aspnet_regiis.exe, 00000003.00000002.1330840839.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: aspnet_regiis.exe, 00000003.00000003.1330129582.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327734789.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1330728604.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
Source: aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
Source: aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
Source: aspnet_regiis.exe, 00000003.00000003.1327705019.0000000002DFF000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: aspnet_regiis.exe, 00000003.00000003.1330129582.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327734789.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1330728604.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: aspnet_regiis.exe, 00000003.00000003.1330129582.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327734789.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1330728604.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: aspnet_regiis.exe, 00000003.00000003.1330129582.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327734789.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1330728604.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81
Source: aspnet_regiis.exe, 00000003.00000003.1330129582.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327734789.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1330728604.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=hyEE
Source: aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
Source: aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
Source: aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
Source: aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
Source: aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
Source: aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=St3gSJx2HFUZ&l=e
Source: aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
Source: aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: aspnet_regiis.exe, 00000003.00000002.1330569499.0000000002DC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://grannyejh.lat:443/api
Source: aspnet_regiis.exe, 00000003.00000002.1330840839.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: aspnet_regiis.exe, 00000003.00000003.1327705019.0000000002DFF000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1330569499.0000000002DCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/
Source: aspnet_regiis.exe, 00000003.00000003.1330129582.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327705019.0000000002DFF000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1330058973.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1330098773.0000000002E0C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327734789.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1330840839.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1330728604.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/api
Source: aspnet_regiis.exe, 00000003.00000003.1330058973.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1330098773.0000000002E0C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1330840839.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/jR
Source: aspnet_regiis.exe, 00000003.00000003.1327705019.0000000002DFF000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1330058973.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1330098773.0000000002E0C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1330840839.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/pi
Source: aspnet_regiis.exe, 00000003.00000002.1330569499.0000000002DC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com:443/api
Source: aspnet_regiis.exe, 00000003.00000002.1330840839.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: aspnet_regiis.exe, 00000003.00000002.1330840839.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: aspnet_regiis.exe, 00000003.00000002.1330840839.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: aspnet_regiis.exe, 00000003.00000002.1330569499.0000000002DC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://necklacebudi.lat:443/apiW
Source: aspnet_regiis.exe, 00000003.00000002.1330840839.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: aspnet_regiis.exe, 00000003.00000002.1330569499.0000000002DC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rapeflowwj.lat:443/api
Source: aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: aspnet_regiis.exe, 00000003.00000002.1330840839.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: aspnet_regiis.exe, 00000003.00000002.1330840839.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: aspnet_regiis.exe, 00000003.00000002.1330840839.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: aspnet_regiis.exe, 00000003.00000002.1330569499.0000000002DC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spellshagey.biz:443/apiH
Source: aspnet_regiis.exe, 00000003.00000002.1330840839.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: aspnet_regiis.exe, 00000003.00000002.1330840839.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: aspnet_regiis.exe, 00000003.00000002.1330840839.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: aspnet_regiis.exe, 00000003.00000002.1330840839.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: aspnet_regiis.exe, 00000003.00000003.1330129582.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327734789.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1330728604.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: aspnet_regiis.exe, 00000003.00000003.1327705019.0000000002DFF000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: aspnet_regiis.exe, 00000003.00000003.1330129582.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327734789.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1330728604.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: aspnet_regiis.exe, 00000003.00000002.1330569499.0000000002DC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/765611997243319002
Source: aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: aspnet_regiis.exe, 00000003.00000002.1330840839.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
Source: aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: aspnet_regiis.exe, 00000003.00000003.1330129582.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327734789.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1330728604.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: aspnet_regiis.exe, 00000003.00000002.1330569499.0000000002DC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sustainskelet.lat:443/api
Source: aspnet_regiis.exe, 00000003.00000002.1330840839.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: aspnet_regiis.exe, 00000003.00000002.1330840839.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: aspnet_regiis.exe, 00000003.00000002.1330840839.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.7:49700 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 3_2_00520F10 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

3_2_00520F10

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 3_2_00520F10 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

3_2_00520F10

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 3_2_00521A20 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

3_2_00521A20

System Summary

.NET source code contains very large array initializations

Source: oiF7u78bY2.exe, GetWin.cs

Large array initialization: GetWindowsOS: array initializer size 625664

Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EBF5D80 WindowsHandle,GetConsoleWindow,ShowWindow,VirtualAlloc,CreateProcessW,NtGetContextThread,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtReadVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx,NtSetContextThread,NtResumeThread,CloseHandle,CloseHandle,GetConsoleWindow,ShowWindow,NtWriteVirtualMemory,NtCreateThreadEx,NtSetContextThread,NtResumeThread,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx,NtSetContextThread,NtResumeThread,		0_2_6EBF5D80
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EBF49F0 GetModuleHandleW,NtQueryInformationProcess,GetModuleHandleW,GetModuleHandleW,		0_2_6EBF49F0

Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EBEFFD0	0_2_6EBEFFD0
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EBF5D80	0_2_6EBF5D80
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EBF49F0	0_2_6EBF49F0
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC0F2C0	0_2_6EC0F2C0
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC08EC0	0_2_6EC08EC0
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC0E6D0	0_2_6EC0E6D0
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC15ED0	0_2_6EC15ED0
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC132F0	0_2_6EC132F0
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC0AA90	0_2_6EC0AA90
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC05EA0	0_2_6EC05EA0
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC106A0	0_2_6EC106A0
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC03650	0_2_6EC03650
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC18E00	0_2_6EC18E00
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC17A10	0_2_6EC17A10
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EBF2A60	0_2_6EBF2A60
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC01620	0_2_6EC01620
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC193C0	0_2_6EC193C0
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC17FD0	0_2_6EC17FD0
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC057E0	0_2_6EC057E0
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC1B7F0	0_2_6EC1B7F0
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC0E380	0_2_6EC0E380
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC13F80	0_2_6EC13F80
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC01B90	0_2_6EC01B90
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EBFFFD0	0_2_6EBFFFD0
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EBFE730	0_2_6EBFE730
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC0F750	0_2_6EC0F750
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC16770	0_2_6EC16770
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC15B10	0_2_6EC15B10
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EBFDF50	0_2_6EBFDF50
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC06B30	0_2_6EC06B30
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC0EB30	0_2_6EC0EB30
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC028C0	0_2_6EC028C0
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC1B0D0	0_2_6EC1B0D0
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EBEF890	0_2_6EBEF890
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC0BCF0	0_2_6EC0BCF0
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC078F0	0_2_6EC078F0
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC1C4F0	0_2_6EC1C4F0
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC0DC80	0_2_6EC0DC80
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC28481	0_2_6EC28481
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC16C90	0_2_6EC16C90
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC120A0	0_2_6EC120A0
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EBFE430	0_2_6EBFE430
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC1A850	0_2_6EC1A850
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EBEE810	0_2_6EBEE810
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC0C470	0_2_6EC0C470
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC07C70	0_2_6EC07C70
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC05010	0_2_6EC05010
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC02010	0_2_6EC02010
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC08420	0_2_6EC08420
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC11430	0_2_6EC11430
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC1D430	0_2_6EC1D430
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EBFC840	0_2_6EBFC840
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC0A5C0	0_2_6EC0A5C0
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EBF59A0	0_2_6EBF59A0
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC1FDE8	0_2_6EC1FDE8
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC1AD90	0_2_6EC1AD90
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC07140	0_2_6EC07140
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC01150	0_2_6EC01150
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC1A560	0_2_6EC1A560
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC00570	0_2_6EC00570
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC1BD70	0_2_6EC1BD70
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC0E110	0_2_6EC0E110
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC08110	0_2_6EC08110
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EBFED50	0_2_6EBFED50
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC00930	0_2_6EC00930
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC05530	0_2_6EC05530
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC19930	0_2_6EC19930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_004FA850	3_2_004FA850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_004FC1C0	3_2_004FC1C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_004FB300	3_2_004FB300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_004F9BE9	3_2_004F9BE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_004F8450	3_2_004F8450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_004FADE2	3_2_004FADE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_004FCD9C	3_2_004FCD9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00509058	3_2_00509058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_004F9050	3_2_004F9050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00515079	3_2_00515079
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_004F38C0	3_2_004F38C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0050F0E0	3_2_0050F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0050C0E0	3_2_0050C0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00515684	3_2_00515684
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00509890	3_2_00509890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_004F8090	3_2_004F8090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0052C0B0	3_2_0052C0B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_004F6160	3_2_004F6160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_004F5900	3_2_004F5900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00525130	3_2_00525130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0051712C	3_2_0051712C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_005239D5	3_2_005239D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_005089F4	3_2_005089F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0052B9B0	3_2_0052B9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_004FE9A0	3_2_004FE9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_005019A0	3_2_005019A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0051C273	3_2_0051C273
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0050DA60	3_2_0050DA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00520A60	3_2_00520A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_004F4270	3_2_004F4270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00512232	3_2_00512232
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00525AC0	3_2_00525AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0051EAF4	3_2_0051EAF4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_004F2AF0	3_2_004F2AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00515B50	3_2_00515B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0051834D	3_2_0051834D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00512B70	3_2_00512B70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00517B00	3_2_00517B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00506B06	3_2_00506B06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0050D330	3_2_0050D330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0050AB30	3_2_0050AB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0051BB35	3_2_0051BB35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0052B33D	3_2_0052B33D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_004F73D0	3_2_004F73D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_005043F3	3_2_005043F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_005003FA	3_2_005003FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00525390	3_2_00525390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_004F4BB0	3_2_004F4BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0052B450	3_2_0052B450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0050CC5C	3_2_0050CC5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00524C47	3_2_00524C47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0050CC73	3_2_0050CC73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_004F9470	3_2_004F9470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00528C10	3_2_00528C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0052C400	3_2_0052C400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0051F430	3_2_0051F430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00508498	3_2_00508498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00526550	3_2_00526550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00518D70	3_2_00518D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00504D1B	3_2_00504D1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00526D19	3_2_00526D19
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00520D20	3_2_00520D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_004F5DC0	3_2_004F5DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0052B5C0	3_2_0052B5C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00504DF0	3_2_00504DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0051834D	3_2_0051834D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_004F65F0	3_2_004F65F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0052BD90	3_2_0052BD90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0050DDB0	3_2_0050DDB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0050D650	3_2_0050D650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00510E70	3_2_00510E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0052B670	3_2_0052B670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00513681	3_2_00513681
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00515684	3_2_00515684
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_004F2E90	3_2_004F2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_005016B9	3_2_005016B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00528750	3_2_00528750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00503F70	3_2_00503F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00511770	3_2_00511770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0052C770	3_2_0052C770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0052B710	3_2_0052B710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0050571B	3_2_0050571B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00528F00	3_2_00528F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00516F3B	3_2_00516F3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00500F28	3_2_00500F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0050DFE0	3_2_0050DFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00515F90	3_2_00515F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00525780	3_2_00525780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00515FB0	3_2_00515FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0051A7BB	3_2_0051A7BB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: String function: 004F7E90 appears 42 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: String function: 00503F60 appears 53 times

Source: oiF7u78bY2.exe, 00000000.00000002.1250557631.000000000078E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs oiF7u78bY2.exe
Source: oiF7u78bY2.exe, 00000000.00000000.1243448382.00000000000AE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameQuinnLiamChloe.exeOjXT vs oiF7u78bY2.exe
Source: oiF7u78bY2.exe	Binary or memory string: OriginalFilenameQuinnLiamChloe.exeOjXT vs oiF7u78bY2.exe

Source: oiF7u78bY2.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/2@11/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 3_2_00525AC0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,

3_2_00525AC0

Source: C:\Users\user\Desktop\oiF7u78bY2.exe

File created: C:\Users\user\AppData\Roaming\gdi32.dll

Jump to behavior

Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7112:120:WilError_03

Source: oiF7u78bY2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: oiF7u78bY2.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\oiF7u78bY2.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: oiF7u78bY2.exe	ReversingLabs: Detection: 76%
Source: oiF7u78bY2.exe	Virustotal: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\oiF7u78bY2.exe "C:\Users\user\Desktop\oiF7u78bY2.exe"
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"	Jump to behavior

Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: oiF7u78bY2.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: oiF7u78bY2.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0052B2E0 push eax; mov dword ptr [esp], 7C7B7A49h		3_2_0052B2E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00528B70 push eax; mov dword ptr [esp], DCDDDEDFh		3_2_00528B7E

Source: oiF7u78bY2.exe

Static PE information: section name: .text entropy: 7.101512618825224

Source: C:\Users\user\Desktop\oiF7u78bY2.exe

File created: C:\Users\user\AppData\Roaming\gdi32.dll

Jump to dropped file

Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Memory allocated: 740000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Memory allocated: 24D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Memory allocated: 22F0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\oiF7u78bY2.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\oiF7u78bY2.exe TID: 4668	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 7056	Thread sleep time: -150000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 7056	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\oiF7u78bY2.exe

Code function: 0_2_6EC22590 FindFirstFileExW,

0_2_6EC22590

Source: C:\Users\user\Desktop\oiF7u78bY2.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: aspnet_regiis.exe, 00000003.00000003.1327705019.0000000002DFF000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1330058973.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1330225351.0000000002E01000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1330569499.0000000002DAC000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1330821921.0000000002E02000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 3_2_00529E70 LdrInitializeThunk,

3_2_00529E70

Source: C:\Users\user\Desktop\oiF7u78bY2.exe

Code function: 0_2_6EC1E2C2 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_6EC1E2C2

Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC20E92 mov eax, dword ptr fs:[00000030h]		0_2_6EC20E92
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC220D1 mov eax, dword ptr fs:[00000030h]		0_2_6EC220D1

Source: C:\Users\user\Desktop\oiF7u78bY2.exe

Code function: 0_2_6EC23ABA GetProcessHeap,

0_2_6EC23ABA

Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC1E2C2 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6EC1E2C2
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC207AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6EC207AC
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Code function: 0_2_6EC1DD97 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6EC1DD97

Source: C:\Users\user\Desktop\oiF7u78bY2.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\oiF7u78bY2.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 4F0000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\oiF7u78bY2.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 4F0000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: oiF7u78bY2.exe, 00000000.00000000.1243383440.0000000000012000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: rapeflowwj.lat
Source: oiF7u78bY2.exe, 00000000.00000000.1243383440.0000000000012000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: crosshuaht.lat
Source: oiF7u78bY2.exe, 00000000.00000000.1243383440.0000000000012000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: sustainskelet.lat
Source: oiF7u78bY2.exe, 00000000.00000000.1243383440.0000000000012000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: aspecteirs.lat
Source: oiF7u78bY2.exe, 00000000.00000000.1243383440.0000000000012000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: energyaffai.lat
Source: oiF7u78bY2.exe, 00000000.00000000.1243383440.0000000000012000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: necklacebudi.lat
Source: oiF7u78bY2.exe, 00000000.00000000.1243383440.0000000000012000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: discokeyus.lat
Source: oiF7u78bY2.exe, 00000000.00000000.1243383440.0000000000012000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: grannyejh.lat
Source: oiF7u78bY2.exe, 00000000.00000000.1243383440.0000000000012000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: spellshagey.biz

Writes to foreign memory regions

Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 4F0000	Jump to behavior
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 4F1000	Jump to behavior
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 52E000	Jump to behavior
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 531000	Jump to behavior
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 540000	Jump to behavior
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 4F1000	Jump to behavior
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 52E000	Jump to behavior
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 531000	Jump to behavior
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 540000	Jump to behavior
Source: C:\Users\user\Desktop\oiF7u78bY2.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2B8E008	Jump to behavior

Source: C:\Users\user\Desktop\oiF7u78bY2.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"

Jump to behavior

Source: C:\Users\user\Desktop\oiF7u78bY2.exe

Code function: 0_2_6EC1E488 cpuid

0_2_6EC1E488

Source: C:\Users\user\Desktop\oiF7u78bY2.exe

Queries volume information: C:\Users\user\Desktop\oiF7u78bY2.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\oiF7u78bY2.exe

Code function: 0_2_6EC1DF0B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_6EC1DF0B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.binstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.binstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 PowerShell	1 DLL Side-Loading	311 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	23 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
oiF7u78bY2.exe	76%	ReversingLabs	Win32.Exploit.LummaC
oiF7u78bY2.exe	68%	Virustotal		Browse
oiF7u78bY2.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\gdi32.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\gdi32.dll	65%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label
https://lev-tolstoi.com/jR	100%	Avira URL Cloud	malware
https://spellshagey.biz:443/apiH	100%	Avira URL Cloud	malware
spellshagey.biz	100%	Avira URL Cloud	malware
https://necklacebudi.lat:443/apiW	100%	Avira URL Cloud	malware
https://sustainskelet.lat:443/api	100%	Avira URL Cloud	malware
https://rapeflowwj.lat:443/api	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	23.55.153.106	true	false	high
lev-tolstoi.com	104.21.66.86	true	false	high
sustainskelet.lat	unknown	unknown	false	high
spellshagey.biz	unknown	unknown	true	unknown
crosshuaht.lat	unknown	unknown	false	high
rapeflowwj.lat	unknown	unknown	false	high
grannyejh.lat	unknown	unknown	false	high
aspecteirs.lat	unknown	unknown	false	high
discokeyus.lat	unknown	unknown	false	high
energyaffai.lat	unknown	unknown	false	high
necklacebudi.lat	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
aspecteirs.lat	false		high
sustainskelet.lat	false		high
rapeflowwj.lat	false		high
https://steamcommunity.com/profiles/76561199724331900	false		high
energyaffai.lat	false		high
https://lev-tolstoi.com/api	false		high
spellshagey.biz	true	Avira URL Cloud: malware	unknown
grannyejh.lat	false		high
necklacebudi.lat	false		high
crosshuaht.lat	false		high
discokeyus.lat	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://player.vimeo.com	aspnet_regiis.exe, 00000003.00000002.1330840839.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/jR	aspnet_regiis.exe, 00000003.00000003.1330058973.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1330098773.0000000002E0C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1330840839.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp	aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/?subsection=broadcasts	aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/subscriber_agreement/	aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.gstatic.cn/recaptcha/	aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com:443/profiles/765611997243319002	aspnet_regiis.exe, 00000003.00000002.1330569499.0000000002DC3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=hyEE	aspnet_regiis.exe, 00000003.00000003.1330129582.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327734789.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1330728604.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.valvesoftware.com/legal.htm	aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en	aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com	aspnet_regiis.exe, 00000003.00000002.1330840839.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com	aspnet_regiis.exe, 00000003.00000002.1330840839.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://grannyejh.lat:443/api	aspnet_regiis.exe, 00000003.00000002.1330569499.0000000002DC3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	aspnet_regiis.exe, 00000003.00000003.1330129582.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327734789.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1330728604.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/	aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis	aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://s.ytimg.com;	aspnet_regiis.exe, 00000003.00000002.1330840839.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	aspnet_regiis.exe, 00000003.00000003.1330129582.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327734789.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1330728604.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&	aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/	aspnet_regiis.exe, 00000003.00000002.1330840839.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steam.tv/	aspnet_regiis.exe, 00000003.00000002.1330840839.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en	aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/	aspnet_regiis.exe, 00000003.00000003.1327705019.0000000002DFF000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1330569499.0000000002DCA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/privacy_agreement/	aspnet_regiis.exe, 00000003.00000003.1330129582.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327734789.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1330728604.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/points/shop/	aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a	aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sketchfab.com	aspnet_regiis.exe, 00000003.00000002.1330840839.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lv.queniujq.cn	aspnet_regiis.exe, 00000003.00000002.1330840839.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199724331900/inventory/	aspnet_regiis.exe, 00000003.00000003.1330129582.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327734789.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1330728604.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com/	aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/privacy_agreement/	aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng	aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am	aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/recaptcha/	aspnet_regiis.exe, 00000003.00000002.1330840839.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://checkout.steampowered.com/	aspnet_regiis.exe, 00000003.00000002.1330840839.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://spellshagey.biz:443/apiH	aspnet_regiis.exe, 00000003.00000002.1330569499.0000000002DC3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.steampowered.com/;	aspnet_regiis.exe, 00000003.00000002.1330840839.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/about/	aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/my/wishlist/	aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://help.steampowered.com/en/	aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/market/	aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/news/	aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=St3gSJx2HFUZ&l=e	aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/subscriber_agreement/	aspnet_regiis.exe, 00000003.00000003.1330129582.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327734789.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1330728604.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	aspnet_regiis.exe, 00000003.00000003.1330129582.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327734789.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1330728604.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://recaptcha.net/recaptcha/;	aspnet_regiis.exe, 00000003.00000002.1330840839.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/discussions/	aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://necklacebudi.lat:443/apiW	aspnet_regiis.exe, 00000003.00000002.1330569499.0000000002DC3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.steampowered.com/stats/	aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am	aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://medal.tv	aspnet_regiis.exe, 00000003.00000002.1330840839.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://broadcast.st.dl.eccdnx.com	aspnet_regiis.exe, 00000003.00000002.1330840839.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/steam_refunds/	aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a	aspnet_regiis.exe, 00000003.00000003.1330129582.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327734789.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1330728604.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e	aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/workshop/	aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.steampowered.com/	aspnet_regiis.exe, 00000003.00000002.1330840839.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb	aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c	aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/legal/	aspnet_regiis.exe, 00000003.00000003.1330129582.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327734789.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1330728604.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en	aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng	aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sustainskelet.lat:443/api	aspnet_regiis.exe, 00000003.00000002.1330569499.0000000002DC3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a	aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl	aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://recaptcha.net	aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/	aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png	aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://127.0.0.1:27060	aspnet_regiis.exe, 00000003.00000002.1330840839.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	aspnet_regiis.exe, 00000003.00000003.1327705019.0000000002DFF000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com:443/api	aspnet_regiis.exe, 00000003.00000002.1330569499.0000000002DC3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://rapeflowwj.lat:443/api	aspnet_regiis.exe, 00000003.00000002.1330569499.0000000002DC3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ	aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp	aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://help.steampowered.com/	aspnet_regiis.exe, 00000003.00000002.1330840839.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.steampowered.com/	aspnet_regiis.exe, 00000003.00000002.1330840839.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/account/cookiepreferences/	aspnet_regiis.exe, 00000003.00000003.1330129582.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E42000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327734789.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1330728604.0000000002DF7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/mobile	aspnet_regiis.exe, 00000003.00000003.1327648038.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1303759327.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/	aspnet_regiis.exe, 00000003.00000003.1327686481.0000000002E4E000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.66.86	lev-tolstoi.com	United States		13335	CLOUDFLARENETUS	false
23.55.153.106	steamcommunity.com	United States		20940	AKAMAI-ASN1EU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580302
Start date and time:	2024-12-24 09:02:31 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	oiF7u78bY2.exe renamed because original name is a hash value
Original Sample Name:	99138122c12efbb499e6b76bd91e107f.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/2@11/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 22 Number of non-executed functions: 135
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.12.23.50
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:03:25	API Interceptor	8x Sleep call for process: aspnet_regiis.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.66.86	MV ROCKET_PDA.exe	Get hash	malicious	FormBook	Browse	www.ayushigangwar.com/nqn4/?CJBlp=0Brh6Vr8UbBX&T2MpwT=59bmqUDXor7TXV4b71NCQ0d0nCVif23i1yH5+9ZmJc5hgCU7y+ZN9z0btTsWzGv6OrGw
23.55.153.106	L5Kgf2Tvkc.exe	Get hash	malicious	LummaC	Browse
	jSFUzuYPG9.exe	Get hash	malicious	LummaC	Browse
	HK8IIasL9i.exe	Get hash	malicious	LummaC	Browse
	OGBLsboKIF.exe	Get hash	malicious	LummaC	Browse
	NfwBtCx5PR.exe	Get hash	malicious	LummaC	Browse
	pJRiqnTih0.exe	Get hash	malicious	LummaC	Browse
	5XXofntDiN.exe	Get hash	malicious	LummaC	Browse
	xxLuwS60RS.exe	Get hash	malicious	LummaC	Browse
	5RjjCWZAVv.exe	Get hash	malicious	LummaC	Browse
	s31ydU1MpQ.exe	Get hash	malicious	LummaC, Stealc	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
lev-tolstoi.com	L5Kgf2Tvkc.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	fkawMJ7FH8.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc	Browse	172.67.157.254
	LNn56KMkEE.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	BVGvbpplT8.exe	Get hash	malicious	LummaC, Stealc	Browse	104.21.66.86
	mgEXk8ip26.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	Bire1g8ahY.exe	Get hash	malicious	LummaC, Stealc	Browse	172.67.157.254
	jSFUzuYPG9.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	HK8IIasL9i.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	NfwBtCx5PR.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	pJRiqnTih0.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
steamcommunity.com	L5Kgf2Tvkc.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	fkawMJ7FH8.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc	Browse	104.121.10.34
	2ZsJ2iP8Q2.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	LopCYSStr3.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	LNn56KMkEE.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	YYjRtxS70h.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	VBHyEN96Pw.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	BVGvbpplT8.exe	Get hash	malicious	LummaC, Stealc	Browse	104.102.49.254
	613vKYuY2S.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	YYjRtxS70h.exe	Get hash	malicious	Unknown	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASN1EU	L5Kgf2Tvkc.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	7uJ95NO82G.exe	Get hash	malicious	LodaRAT	Browse	172.232.216.250
	nabx86.elf	Get hash	malicious	Unknown	Browse	23.7.216.65
	Violated Heroine_91zbZ-1.exe	Get hash	malicious	Unknown	Browse	184.85.182.130
	[External] 120112 Manual Policies Overview Guide_ 8VM8-WZPT3L-LYH1.eml	Get hash	malicious	Unknown	Browse	23.195.39.65
	ChoForgot.exe	Get hash	malicious	Vidar	Browse	23.219.82.25
	nTyPEbq9wQ.lnk	Get hash	malicious	Unknown	Browse	104.126.116.105
	jSFUzuYPG9.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	HK8IIasL9i.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	OGBLsboKIF.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
CLOUDFLARENETUS	L5Kgf2Tvkc.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	LVDdWBGnVE.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.63.229
	O5Vg1CJsxN.exe	Get hash	malicious	LummaC, Stealc	Browse	104.21.36.201
	2oM46LNCOo.exe	Get hash	malicious	LummaC	Browse	172.67.199.72
	J18uCKmoAw.exe	Get hash	malicious	LummaC	Browse	172.67.209.202
	y001L6lEK4.exe	Get hash	malicious	LummaC, Stealc	Browse	172.67.199.72
	tTGxYWtjG5.exe	Get hash	malicious	LummaC	Browse	172.67.199.72
	iaLId0uLUw.exe	Get hash	malicious	LummaC	Browse	172.67.199.72
	4W3cB5WEYH.exe	Get hash	malicious	LummaC	Browse	104.21.36.201
	ElmEHL9kP9.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	172.67.199.72

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	L5Kgf2Tvkc.exe	Get hash	malicious	LummaC	Browse	104.21.66.86 23.55.153.106
	LVDdWBGnVE.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.66.86 23.55.153.106
	O5Vg1CJsxN.exe	Get hash	malicious	LummaC, Stealc	Browse	104.21.66.86 23.55.153.106
	2oM46LNCOo.exe	Get hash	malicious	LummaC	Browse	104.21.66.86 23.55.153.106
	J18uCKmoAw.exe	Get hash	malicious	LummaC	Browse	104.21.66.86 23.55.153.106
	y001L6lEK4.exe	Get hash	malicious	LummaC, Stealc	Browse	104.21.66.86 23.55.153.106
	tTGxYWtjG5.exe	Get hash	malicious	LummaC	Browse	104.21.66.86 23.55.153.106
	iaLId0uLUw.exe	Get hash	malicious	LummaC	Browse	104.21.66.86 23.55.153.106
	4W3cB5WEYH.exe	Get hash	malicious	LummaC	Browse	104.21.66.86 23.55.153.106
	ElmEHL9kP9.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	104.21.66.86 23.55.153.106

Process:	C:\Users\user\Desktop\oiF7u78bY2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Users\user\AppData\Roaming\gdi32.dll

Download File

Process:	C:\Users\user\Desktop\oiF7u78bY2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	625664
Entropy (8bit):	7.1018267687671
Encrypted:	false
SSDEEP:	12288:ln/4xmUOmgkVLorO+j+4f4cIRHqLRwjyVHt0r:NUmURnLmOh9RHqLRwjyJm
MD5:	E0B85A36C167BCEC54BAE0B1E8D33543
SHA1:	A49D6F9621040CBCF9317D1451557F9AEABBED7B
SHA-256:	5F4E094656C97C97F1019A2D5E3B40B90C6F4E45F7BA34811AF5A321E354231B
SHA-512:	B79A4E04325FB5B6F4C81169EA8F334C5B1BA3265C19DA4B27AD3D0CFD901A74779B4339B6DDB1E15B84E3ADDC545FE8E1C0ED0F8B131DAE68CBEAEC26729458
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 65%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........b.....................A..................{w....................................................Rich...........................PE..L....&cg...........!.....~..........t.....................................................@.............................\|...\|...P................................)..l...................................@...............T............................text...x\|.......~.................. ..`.rdata..Re.......f..................@..@.data............z..................@....reloc...).......*...b..............@..B................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.094865338240859
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	oiF7u78bY2.exe
File size:	637'440 bytes
MD5:	99138122c12efbb499e6b76bd91e107f
SHA1:	286786b0708bf08e0d192374276f6b791170b5e8
SHA256:	a61525f9b5b24572111616ac596ccde037ec91fb8225c21acdfd8b96c3892554
SHA512:	b63be66197a5c7cf18fba6c1a81c2d7410c22fdcd4e503a3c203d2e2244b9086a314df8336a484bd3c7585d9cf073f5ab07c35c33e225f8d28af45f7ce02e066
SSDEEP:	12288:Vs/7SqtP88AQB2Uy9t+T6eHfvpEXZmSbWJFrjRCe:VSP88k3+WeHfvpEaRCe
TLSH:	8ED43C5F537BE605E08E00709AE6323B5DB5DE66E203CCF26BC4E5676066821DBECD12
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....&cg..............0.............f@... ........@.. ....................... ............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x404066
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x676326A7 [Wed Dec 18 19:46:47 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
jnl 00007F2F14FCA072h
cmp cl, dl

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4014	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9e000	0x64c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x9ac70	0x9ae00	204477185103f87a582064e84aed6b38	False	0.4644622679580307	data	7.101512618825224	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x9e000	0x64c	0x800	dfb9f80f6f7e3322890ed0da6fd27e00	False	0.35302734375	data	3.5977826770882215	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa0000	0xc	0x200	3b0c7d9b7c966cb5c1c91b6ef2956224	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x9e090	0x3bc	data			0.42782426778242677
RT_MANIFEST	0x9e45c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-24T09:03:25.907149+0100	2058285	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spellshagey .biz)	1	192.168.2.7	56878	1.1.1.1	53	UDP
2024-12-24T09:03:26.166251+0100	2058364	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat)	1	192.168.2.7	50937	1.1.1.1	53	UDP
2024-12-24T09:03:26.471884+0100	2058360	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat)	1	192.168.2.7	53082	1.1.1.1	53	UDP
2024-12-24T09:03:26.953962+0100	2058370	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacebudi .lat)	1	192.168.2.7	52297	1.1.1.1	53	UDP
2024-12-24T09:03:27.337740+0100	2058362	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (energyaffai .lat)	1	192.168.2.7	51694	1.1.1.1	53	UDP
2024-12-24T09:03:27.654609+0100	2058354	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (aspecteirs .lat)	1	192.168.2.7	55036	1.1.1.1	53	UDP
2024-12-24T09:03:27.901698+0100	2058376	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sustainskelet .lat)	1	192.168.2.7	59768	1.1.1.1	53	UDP
2024-12-24T09:03:28.130819+0100	2058358	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crosshuaht .lat)	1	192.168.2.7	56434	1.1.1.1	53	UDP
2024-12-24T09:03:28.357562+0100	2058374	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rapeflowwj .lat)	1	192.168.2.7	59807	1.1.1.1	53	UDP
2024-12-24T09:03:30.237669+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49699	23.55.153.106	443	TCP
2024-12-24T09:03:31.011817+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.7	49699	23.55.153.106	443	TCP
2024-12-24T09:03:32.625318+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49700	104.21.66.86	443	TCP
2024-12-24T09:03:33.637617+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.7	49700	104.21.66.86	443	TCP
2024-12-24T09:03:33.637617+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49700	104.21.66.86	443	TCP
2024-12-24T09:03:33.874757+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49701	104.21.66.86	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 09:03:28.814502001 CET	49699	443	192.168.2.7	23.55.153.106
Dec 24, 2024 09:03:28.814548969 CET	443	49699	23.55.153.106	192.168.2.7
Dec 24, 2024 09:03:28.814721107 CET	49699	443	192.168.2.7	23.55.153.106
Dec 24, 2024 09:03:28.839852095 CET	49699	443	192.168.2.7	23.55.153.106
Dec 24, 2024 09:03:28.839900970 CET	443	49699	23.55.153.106	192.168.2.7
Dec 24, 2024 09:03:30.237562895 CET	443	49699	23.55.153.106	192.168.2.7
Dec 24, 2024 09:03:30.237668991 CET	49699	443	192.168.2.7	23.55.153.106
Dec 24, 2024 09:03:30.241705894 CET	49699	443	192.168.2.7	23.55.153.106
Dec 24, 2024 09:03:30.241722107 CET	443	49699	23.55.153.106	192.168.2.7
Dec 24, 2024 09:03:30.242031097 CET	443	49699	23.55.153.106	192.168.2.7
Dec 24, 2024 09:03:30.296333075 CET	49699	443	192.168.2.7	23.55.153.106
Dec 24, 2024 09:03:30.350846052 CET	49699	443	192.168.2.7	23.55.153.106
Dec 24, 2024 09:03:30.395351887 CET	443	49699	23.55.153.106	192.168.2.7
Dec 24, 2024 09:03:31.011398077 CET	443	49699	23.55.153.106	192.168.2.7
Dec 24, 2024 09:03:31.011421919 CET	443	49699	23.55.153.106	192.168.2.7
Dec 24, 2024 09:03:31.011430979 CET	443	49699	23.55.153.106	192.168.2.7
Dec 24, 2024 09:03:31.011447906 CET	443	49699	23.55.153.106	192.168.2.7
Dec 24, 2024 09:03:31.011455059 CET	443	49699	23.55.153.106	192.168.2.7
Dec 24, 2024 09:03:31.011475086 CET	49699	443	192.168.2.7	23.55.153.106
Dec 24, 2024 09:03:31.011490107 CET	443	49699	23.55.153.106	192.168.2.7
Dec 24, 2024 09:03:31.011568069 CET	49699	443	192.168.2.7	23.55.153.106
Dec 24, 2024 09:03:31.011568069 CET	49699	443	192.168.2.7	23.55.153.106
Dec 24, 2024 09:03:31.191773891 CET	443	49699	23.55.153.106	192.168.2.7
Dec 24, 2024 09:03:31.191819906 CET	443	49699	23.55.153.106	192.168.2.7
Dec 24, 2024 09:03:31.191869020 CET	49699	443	192.168.2.7	23.55.153.106
Dec 24, 2024 09:03:31.191895962 CET	443	49699	23.55.153.106	192.168.2.7
Dec 24, 2024 09:03:31.192034960 CET	49699	443	192.168.2.7	23.55.153.106
Dec 24, 2024 09:03:31.222413063 CET	443	49699	23.55.153.106	192.168.2.7
Dec 24, 2024 09:03:31.222456932 CET	443	49699	23.55.153.106	192.168.2.7
Dec 24, 2024 09:03:31.222506046 CET	443	49699	23.55.153.106	192.168.2.7
Dec 24, 2024 09:03:31.222543001 CET	49699	443	192.168.2.7	23.55.153.106
Dec 24, 2024 09:03:31.222563028 CET	49699	443	192.168.2.7	23.55.153.106
Dec 24, 2024 09:03:31.244015932 CET	49699	443	192.168.2.7	23.55.153.106
Dec 24, 2024 09:03:31.244051933 CET	443	49699	23.55.153.106	192.168.2.7
Dec 24, 2024 09:03:31.244162083 CET	49699	443	192.168.2.7	23.55.153.106
Dec 24, 2024 09:03:31.244170904 CET	443	49699	23.55.153.106	192.168.2.7
Dec 24, 2024 09:03:31.409154892 CET	49700	443	192.168.2.7	104.21.66.86
Dec 24, 2024 09:03:31.409190893 CET	443	49700	104.21.66.86	192.168.2.7
Dec 24, 2024 09:03:31.409305096 CET	49700	443	192.168.2.7	104.21.66.86
Dec 24, 2024 09:03:31.409868956 CET	49700	443	192.168.2.7	104.21.66.86
Dec 24, 2024 09:03:31.409883022 CET	443	49700	104.21.66.86	192.168.2.7
Dec 24, 2024 09:03:32.625221968 CET	443	49700	104.21.66.86	192.168.2.7
Dec 24, 2024 09:03:32.625318050 CET	49700	443	192.168.2.7	104.21.66.86
Dec 24, 2024 09:03:32.628878117 CET	49700	443	192.168.2.7	104.21.66.86
Dec 24, 2024 09:03:32.628894091 CET	443	49700	104.21.66.86	192.168.2.7
Dec 24, 2024 09:03:32.629203081 CET	443	49700	104.21.66.86	192.168.2.7
Dec 24, 2024 09:03:32.630604029 CET	49700	443	192.168.2.7	104.21.66.86
Dec 24, 2024 09:03:32.630667925 CET	49700	443	192.168.2.7	104.21.66.86
Dec 24, 2024 09:03:32.630686045 CET	443	49700	104.21.66.86	192.168.2.7
Dec 24, 2024 09:03:33.637595892 CET	443	49700	104.21.66.86	192.168.2.7
Dec 24, 2024 09:03:33.637696981 CET	443	49700	104.21.66.86	192.168.2.7
Dec 24, 2024 09:03:33.637747049 CET	49700	443	192.168.2.7	104.21.66.86
Dec 24, 2024 09:03:33.638034105 CET	49700	443	192.168.2.7	104.21.66.86
Dec 24, 2024 09:03:33.638057947 CET	443	49700	104.21.66.86	192.168.2.7
Dec 24, 2024 09:03:33.638081074 CET	49700	443	192.168.2.7	104.21.66.86
Dec 24, 2024 09:03:33.638088942 CET	443	49700	104.21.66.86	192.168.2.7
Dec 24, 2024 09:03:33.660063028 CET	49701	443	192.168.2.7	104.21.66.86
Dec 24, 2024 09:03:33.660103083 CET	443	49701	104.21.66.86	192.168.2.7
Dec 24, 2024 09:03:33.660228014 CET	49701	443	192.168.2.7	104.21.66.86
Dec 24, 2024 09:03:33.660600901 CET	49701	443	192.168.2.7	104.21.66.86
Dec 24, 2024 09:03:33.660619020 CET	443	49701	104.21.66.86	192.168.2.7
Dec 24, 2024 09:03:33.874757051 CET	49701	443	192.168.2.7	104.21.66.86

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 09:03:25.907149076 CET	56878	53	192.168.2.7	1.1.1.1
Dec 24, 2024 09:03:26.140736103 CET	53	56878	1.1.1.1	192.168.2.7
Dec 24, 2024 09:03:26.166250944 CET	50937	53	192.168.2.7	1.1.1.1
Dec 24, 2024 09:03:26.468178034 CET	53	50937	1.1.1.1	192.168.2.7
Dec 24, 2024 09:03:26.471884012 CET	53082	53	192.168.2.7	1.1.1.1
Dec 24, 2024 09:03:26.935914993 CET	53	53082	1.1.1.1	192.168.2.7
Dec 24, 2024 09:03:26.953962088 CET	52297	53	192.168.2.7	1.1.1.1
Dec 24, 2024 09:03:27.259618998 CET	53	52297	1.1.1.1	192.168.2.7
Dec 24, 2024 09:03:27.337739944 CET	51694	53	192.168.2.7	1.1.1.1
Dec 24, 2024 09:03:27.652394056 CET	53	51694	1.1.1.1	192.168.2.7
Dec 24, 2024 09:03:27.654608965 CET	55036	53	192.168.2.7	1.1.1.1
Dec 24, 2024 09:03:27.873621941 CET	53	55036	1.1.1.1	192.168.2.7
Dec 24, 2024 09:03:27.901698112 CET	59768	53	192.168.2.7	1.1.1.1
Dec 24, 2024 09:03:28.128849030 CET	53	59768	1.1.1.1	192.168.2.7
Dec 24, 2024 09:03:28.130819082 CET	56434	53	192.168.2.7	1.1.1.1
Dec 24, 2024 09:03:28.353481054 CET	53	56434	1.1.1.1	192.168.2.7
Dec 24, 2024 09:03:28.357562065 CET	59807	53	192.168.2.7	1.1.1.1
Dec 24, 2024 09:03:28.660341024 CET	53	59807	1.1.1.1	192.168.2.7
Dec 24, 2024 09:03:28.663497925 CET	61116	53	192.168.2.7	1.1.1.1
Dec 24, 2024 09:03:28.803145885 CET	53	61116	1.1.1.1	192.168.2.7
Dec 24, 2024 09:03:31.262330055 CET	54114	53	192.168.2.7	1.1.1.1
Dec 24, 2024 09:03:31.408071995 CET	53	54114	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 24, 2024 09:03:25.907149076 CET	192.168.2.7	1.1.1.1	0x2187	Standard query (0)	spellshagey.biz	A (IP address)	IN (0x0001)	false
Dec 24, 2024 09:03:26.166250944 CET	192.168.2.7	1.1.1.1	0xf775	Standard query (0)	grannyejh.lat	A (IP address)	IN (0x0001)	false
Dec 24, 2024 09:03:26.471884012 CET	192.168.2.7	1.1.1.1	0xde3c	Standard query (0)	discokeyus.lat	A (IP address)	IN (0x0001)	false
Dec 24, 2024 09:03:26.953962088 CET	192.168.2.7	1.1.1.1	0xc40a	Standard query (0)	necklacebudi.lat	A (IP address)	IN (0x0001)	false
Dec 24, 2024 09:03:27.337739944 CET	192.168.2.7	1.1.1.1	0xd21b	Standard query (0)	energyaffai.lat	A (IP address)	IN (0x0001)	false
Dec 24, 2024 09:03:27.654608965 CET	192.168.2.7	1.1.1.1	0x1a3	Standard query (0)	aspecteirs.lat	A (IP address)	IN (0x0001)	false
Dec 24, 2024 09:03:27.901698112 CET	192.168.2.7	1.1.1.1	0xcb54	Standard query (0)	sustainskelet.lat	A (IP address)	IN (0x0001)	false
Dec 24, 2024 09:03:28.130819082 CET	192.168.2.7	1.1.1.1	0x7e9a	Standard query (0)	crosshuaht.lat	A (IP address)	IN (0x0001)	false
Dec 24, 2024 09:03:28.357562065 CET	192.168.2.7	1.1.1.1	0xf9bc	Standard query (0)	rapeflowwj.lat	A (IP address)	IN (0x0001)	false
Dec 24, 2024 09:03:28.663497925 CET	192.168.2.7	1.1.1.1	0x6d3d	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Dec 24, 2024 09:03:31.262330055 CET	192.168.2.7	1.1.1.1	0x6473	Standard query (0)	lev-tolstoi.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 24, 2024 09:03:26.140736103 CET	1.1.1.1	192.168.2.7	0x2187	Name error (3)	spellshagey.biz	none	none	A (IP address)	IN (0x0001)	false
Dec 24, 2024 09:03:26.468178034 CET	1.1.1.1	192.168.2.7	0xf775	Name error (3)	grannyejh.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 24, 2024 09:03:26.935914993 CET	1.1.1.1	192.168.2.7	0xde3c	Name error (3)	discokeyus.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 24, 2024 09:03:27.259618998 CET	1.1.1.1	192.168.2.7	0xc40a	Name error (3)	necklacebudi.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 24, 2024 09:03:27.652394056 CET	1.1.1.1	192.168.2.7	0xd21b	Name error (3)	energyaffai.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 24, 2024 09:03:27.873621941 CET	1.1.1.1	192.168.2.7	0x1a3	Name error (3)	aspecteirs.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 24, 2024 09:03:28.128849030 CET	1.1.1.1	192.168.2.7	0xcb54	Name error (3)	sustainskelet.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 24, 2024 09:03:28.353481054 CET	1.1.1.1	192.168.2.7	0x7e9a	Name error (3)	crosshuaht.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 24, 2024 09:03:28.660341024 CET	1.1.1.1	192.168.2.7	0xf9bc	Name error (3)	rapeflowwj.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 24, 2024 09:03:28.803145885 CET	1.1.1.1	192.168.2.7	0x6d3d	No error (0)	steamcommunity.com		23.55.153.106	A (IP address)	IN (0x0001)	false
Dec 24, 2024 09:03:31.408071995 CET	1.1.1.1	192.168.2.7	0x6473	No error (0)	lev-tolstoi.com		104.21.66.86	A (IP address)	IN (0x0001)	false
Dec 24, 2024 09:03:31.408071995 CET	1.1.1.1	192.168.2.7	0x6473	No error (0)	lev-tolstoi.com		172.67.157.254	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

lev-tolstoi.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49699	23.55.153.106	443	2700	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 08:03:30 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-12-24 08:03:31 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Tue, 24 Dec 2024 08:03:30 GMT Content-Length: 35121 Connection: close Set-Cookie: sessionid=c3b2460d7c7f76387716e57e; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2024-12-24 08:03:31 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2024-12-24 08:03:31 UTC	10097	IN	Data Raw: 2e 63 6f 6d 2f 3f 73 75 62 73 65 63 74 69 6f 6e 3d 62 72 6f 61 64 63 61 73 74 73 22 3e 0a 09 09 09 09 09 09 42 72 6f 61 64 63 61 73 74 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 62 6f 75 74 2f 22 3e 0a 09 09 09 09 41 62 6f 75 74 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 65 6c 70 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 65 6e 2f 22 3e 0a 09 09 09 09 53 55 50 50 4f 52 54 09 Data Ascii: .com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPORT
2024-12-24 08:03:31 UTC	10545	IN	Data Raw: 4e 49 56 45 52 53 45 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 70 75 62 6c 69 63 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4c 41 4e 47 55 41 47 45 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 65 6e 67 6c 69 73 68 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 43 4f 55 4e 54 52 59 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 55 53 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4d 45 44 49 41 5f 43 44 4e 5f 43 4f 4d 4d 55 4e 49 54 59 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 63 64 6e 2e 66 61 73 74 6c 79 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 5c 2f 70 75 62 6c 69 63 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4d 45 44 49 41 5f 43 44 4e 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 Data Ascii: NIVERSE":"public","LANGUAGE":"english","COUNTRY":"US","MEDIA_CDN_COMMUNITY_URL":"https:\/\/cdn.fastly.steamstatic.com\/steamcommunity\/public\/","MEDIA_CDN_URL":"htt

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49700	104.21.66.86	443	2700	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 08:03:32 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: lev-tolstoi.com
2024-12-24 08:03:32 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-24 08:03:33 UTC	1128	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 08:03:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=s5dbv07n2kju1v2a8r844j6jsc; expires=Sat, 19 Apr 2025 01:50:12 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XBs3HQf3maQ%2FRjG%2BH2bOpwOSqVoJq1NHYueYEjvElRVU3QtCxb3hyyrKzEhDolIB9kZHz%2FTuMr%2BzD3pqanKmS7SYurhngTIRJg0bjqcQw%2Bimkp8uYbld45f0dHfPdk3QSgQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6f13529a824288-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1606&min_rtt=1603&rtt_var=608&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2834&recv_bytes=906&delivery_rate=1789215&cwnd=245&unsent_bytes=0&cid=19c4d546890a5254&ts=1022&x=0"
2024-12-24 08:03:33 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-24 08:03:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	03:03:24
Start date:	24/12/2024
Path:	C:\Users\user\Desktop\oiF7u78bY2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\oiF7u78bY2.exe"
Imagebase:	0x10000
File size:	637'440 bytes
MD5 hash:	99138122C12EFBB499E6B76BD91E107F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	03:03:24
Start date:	24/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:03:25
Start date:	24/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Imagebase:	0x7a0000
File size:	43'016 bytes
MD5 hash:	5D1D74198D75640E889F0A577BBF31FC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.4%
Total number of Nodes:	1494
Total number of Limit Nodes:	33

Executed Functions

Function 6EBF5D80 Relevance: 108.3, APIs: 32, Strings: 26, Instructions: 6826nativethreadmemoryCOMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNELBASE(?), ref: 6EBF79C9
ShowWindow.USER32 ref: 6EBF79DF
VirtualAlloc.KERNELBASE ref: 6EBF809B
CreateProcessW.KERNELBASE ref: 6EBF883B
NtGetContextThread.NTDLL ref: 6EBF895F
NtAllocateVirtualMemory.NTDLL ref: 6EBF8B77
NtAllocateVirtualMemory.NTDLL ref: 6EBF8D87
NtWriteVirtualMemory.NTDLL ref: 6EBF8E8F
NtWriteVirtualMemory.NTDLL ref: 6EBF90F2
NtReadVirtualMemory.NTDLL ref: 6EBFA6AD
NtWriteVirtualMemory.NTDLL ref: 6EBFA797
NtWriteVirtualMemory.NTDLL ref: 6EBFAA06
NtSetContextThread.NTDLL ref: 6EBFB1D2
NtResumeThread.NTDLL ref: 6EBFB1F0
CloseHandle.KERNEL32 ref: 6EBFB515
CloseHandle.KERNEL32 ref: 6EBFB529
GetConsoleWindow.KERNEL32 ref: 6EBFB6CF
ShowWindow.USER32 ref: 6EBFB6E5
NtWriteVirtualMemory.NTDLL ref: 6EBFBC32
NtCreateThreadEx.NTDLL ref: 6EBFBF6F
NtSetContextThread.NTDLL ref: 6EBFC054
NtResumeThread.NTDLL ref: 6EBFC072
NtAllocateVirtualMemory.NTDLL ref: 6EBFC2AE
NtAllocateVirtualMemory.NTDLL ref: 6EBFC30C
NtWriteVirtualMemory.NTDLL ref: 6EBFC35D
NtWriteVirtualMemory.NTDLL ref: 6EBFC514
NtWriteVirtualMemory.NTDLL ref: 6EBFC57C
NtCreateThreadEx.NTDLL ref: 6EBFC660
NtSetContextThread.NTDLL ref: 6EBFC7FC
NtResumeThread.NTDLL ref: 6EBFC81A

Strings

A2I, xrefs: 6EBF927E
@, xrefs: 6EBFC304
D, xrefs: 6EBFB7B0
8ex, xrefs: 6EBFA33E
ntdll.dll, xrefs: 6EBF79F9, 6EBFB6FF
QeiX, xrefs: 6EBF9EC2
(b, xrefs: 6EBFA880
q:z, xrefs: 6EBFAC5C
K@E5, xrefs: 6EBFB31D
8ex, xrefs: 6EBFA2D7
N;Z, xrefs: 6EBF5DA0
J'r, xrefs: 6EBF831E
ud&5, xrefs: 6EBF88B6
l:_, xrefs: 6EBF978D
'H*, xrefs: 6EBFBB23
i~V, xrefs: 6EBFBAAB
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe, xrefs: 6EBF84DB, 6EBFB935, 6EBFC6E6
N;Z, xrefs: 6EBFAA74
K@E5, xrefs: 6EBFB393
'H*, xrefs: 6EBFBB86
q:z, xrefs: 6EBFACD2
3K$, xrefs: 6EBFA837
kernel32.dll, xrefs: 6EBF79E5, 6EBFB6EB
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 6EBF833A, 6EBFB851, 6EBFC6C9
(I)I, xrefs: 6EBF9AAC
MZx, xrefs: 6EBF7A0D, 6EBF7A29, 6EBFB713, 6EBFB72F

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID: Virtual$Memory$Thread$Write$AllocateContextWindow$CreateResume$CloseConsoleHandleShow$AllocProcessRead
String ID: 'H*$'H*$(I)I$3K$$@$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe$D$J'r$K@E5$K@E5$MZx$N;Z$N;Z$QeiX$i~V$kernel32.dll$l:_$ntdll.dll$ud&5$(b$8ex$8ex$A2I$q:z$q:z
API String ID: 3280339733-1054194412
Opcode ID: 459c2780d33f23152d663376ca029a9a94c0ccd6ceaf96ebcfdb7650c41688c4
Instruction ID: b628bf8e9d1ef4f0351094bfda359e73167928232732340c5d6dd59cf56a4eda
Opcode Fuzzy Hash: 459c2780d33f23152d663376ca029a9a94c0ccd6ceaf96ebcfdb7650c41688c4
Instruction Fuzzy Hash: C4C3E136A54265CFCB48CE6CCA947DA7BF2EB46350F005599D919EB394C6368E8ECF00

Function 6EBEFFD0 Relevance: 39.6, APIs: 18, Strings: 3, Instructions: 2808filememoryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 6EBF0DB2
K32GetModuleInformation.KERNEL32 ref: 6EBF11F6
GetModuleFileNameA.KERNEL32 ref: 6EBF12D1
CreateFileA.KERNELBASE ref: 6EBF1315
CreateFileMappingA.KERNEL32 ref: 6EBF14BE
CloseHandle.KERNEL32 ref: 6EBF173F
MapViewOfFile.KERNELBASE ref: 6EBF185F
VirtualProtect.KERNELBASE ref: 6EBF2090
CloseHandle.KERNELBASE ref: 6EBF24A0
GetCurrentProcess.KERNEL32(?,?), ref: 6EBF2571
VirtualProtect.KERNEL32 ref: 6EBF2750
K32GetModuleInformation.KERNEL32 ref: 6EBF2883
CreateFileMappingA.KERNEL32 ref: 6EBF28E4
GetCurrentProcess.KERNEL32(?,?), ref: 6EBF2A09

Strings

+YWU, xrefs: 6EBF23F7
@, xrefs: 6EBF2744
+YWU, xrefs: 6EBF29E6

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID: File$Module$CreateHandle$CloseCurrentInformationMappingProcessProtectVirtual$NameView
String ID: +YWU$+YWU$@
API String ID: 1987916226-1489894230
Opcode ID: 53eceab25eaeaf1ce558b8454013aaceaba2477a35e6bf705ee35d3e347b3960
Instruction ID: 95938fa7dfb4bcee58bc2759a58521d3e718832e597d786a3346abf6822fc58b
Opcode Fuzzy Hash: 53eceab25eaeaf1ce558b8454013aaceaba2477a35e6bf705ee35d3e347b3960
Instruction Fuzzy Hash: CA230176A006A1CFDF14CEBCC9947DA7BF2EB46320F108559D829DB3A1D635898E8F41

Function 6EBF49F0 Relevance: 22.1, APIs: 4, Strings: 8, Instructions: 1125
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,?), ref: 6EBF505B
NtQueryInformationProcess.NTDLL ref: 6EBF52A5
GetModuleHandleW.KERNEL32 ref: 6EBF578B

Strings

@uj, xrefs: 6EBF5843
W#|T, xrefs: 6EBF4FA1
NtQueryInformationProcess, xrefs: 6EBF51D0, 6EBF58D7
W#|T, xrefs: 6EBF4F30
@uj, xrefs: 6EBF598F
c9P, xrefs: 6EBF5764
ntdll.dll, xrefs: 6EBF504F, 6EBF577F, 6EBF596E
vZ}O, xrefs: 6EBF5367

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID: HandleModule$InformationProcessQuery
String ID: @uj$@uj$NtQueryInformationProcess$W#|T$W#|T$ntdll.dll$vZ}O$c9P
API String ID: 188072037-89153609
Opcode ID: 61c34317f9de0a20e1ebcb95118f8933611c5dac9ddff552c32efabf6812acf0
Instruction ID: 2ca3ebfa4a2634d0e24d945c6b5afae84c5ce758048367eaa5d1597bd784111b
Opcode Fuzzy Hash: 61c34317f9de0a20e1ebcb95118f8933611c5dac9ddff552c32efabf6812acf0
Instruction Fuzzy Hash: 2182EE36A55651CFDF088EBCC6A47CD7FF2AB86321F109619D425EB394D63A880F8B05

Function 6EC1DB8E Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6EC1DBD5
___scrt_uninitialize_crt.LIBCMT ref: 6EC1DBEF

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: b2446dace58cb0d69ee96ed78b4ebf8184e4391da9cbc105f08d64712c9a8d22
Instruction ID: 000cac3a3ae2b2f0d11c6abad5da8345cad5afc3fdde8a77e146b52712fab281
Opcode Fuzzy Hash: b2446dace58cb0d69ee96ed78b4ebf8184e4391da9cbc105f08d64712c9a8d22
Instruction Fuzzy Hash: C341D372D08629AEDB119FD9CC40BEE7FB8EB85666F004819E814AB244E7704D41BFA0

Function 6EC1DC3E Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

dllmain_raw.LIBCMT ref: 6EC1DC7B
dllmain_crt_dispatch.LIBCMT ref: 6EC1DC92
dllmain_raw.LIBCMT ref: 6EC1DCDA
dllmain_crt_dispatch.LIBCMT ref: 6EC1DCED
dllmain_raw.LIBCMT ref: 6EC1DD00

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 4b4b2dcab4c413d26ec2e03839b2f6f8849bfe6db502635c735347fec5aa2398
Instruction ID: a3db7fa9a1d4c3243a6b4dd10d8f0cb5362ff9c209076b65958b1fdb147297a4
Opcode Fuzzy Hash: 4b4b2dcab4c413d26ec2e03839b2f6f8849bfe6db502635c735347fec5aa2398
Instruction Fuzzy Hash: 5B2183B2D09669BEDB519FD6CC40AEF3F7DEB80696B014915F8146B214E3708D41AFA0

Function 6EC1DA87 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6EC1DAD4

Part of subcall function 6EC1DFA3: InitializeSListHead.KERNEL32(6EC77C50,6EC1DADE,6EC2E8C0,00000010,6EC1DA6F,?,?,?,6EC1DC97,?,00000001,?,?,00000001,?,6EC2E908), ref: 6EC1DFA8

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6EC1DB3E

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: cfc3d01c6ddad48fbfd05bbb9458679603e69983a1962ebec1919def4e720835
Instruction ID: 2450f18abed7677bbe6767b4ebbc60d9bef85c3572d3fd58a3fdb9c601eb3206
Opcode Fuzzy Hash: cfc3d01c6ddad48fbfd05bbb9458679603e69983a1962ebec1919def4e720835
Instruction Fuzzy Hash: 09210A3254C7069EDF006BF499257DD3BB59F0636EF100829E452AB2C1FF321144FA66

Function 6EC23B8B Relevance: 3.1, APIs: 2, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 6EC23BD7
GetFileType.KERNELBASE(00000000), ref: 6EC23BE9

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: d470b3a494ca2cba80450dbd8b5d84c14ebe2313d15d754ecc737635c0e36405
Instruction ID: d44faa28b57c651be2eb492dc07a19f488ab1b9bb28205c7c33947e6c9e5722e
Opcode Fuzzy Hash: d470b3a494ca2cba80450dbd8b5d84c14ebe2313d15d754ecc737635c0e36405
Instruction Fuzzy Hash: CC11D631604B934ECB714EBF8C9CA16BAA5B747230B240B7AE4B6C66E5E731D4869640

Function 6EC255F1 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6EC2218E: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6EC21EF9,00000001,00000364,FFFFFFFF,000000FF,?,00000001,6EC22180,6EC220BD,?,?,6EC215A9), ref: 6EC221CF

_free.LIBCMT ref: 6EC25660

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: e35226b1ee240dd862010b5ec96318939b74ec5eb636afc736fc7f44bed8b016
Instruction ID: ca335f0d730b44303f7dedf9b027844ae180d913a77b24237833716271d0a077
Opcode Fuzzy Hash: e35226b1ee240dd862010b5ec96318939b74ec5eb636afc736fc7f44bed8b016
Instruction Fuzzy Hash: 1101D6B26143566FD321CFA9C8849CEFB98EB057B0F144639E555A76C4F3706810C7A5

Function 6EC2218E Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6EC21EF9,00000001,00000364,FFFFFFFF,000000FF,?,00000001,6EC22180,6EC220BD,?,?,6EC215A9), ref: 6EC221CF

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4499cbd58fca4eb4335dcdc14fe2abb3a49c4a58120a6d703f0d774c6ff09386
Instruction ID: 0766089cc108b11621b0a8eb1a81263c3e934ecdbd8d72935b4643ab8d66ce65
Opcode Fuzzy Hash: 4499cbd58fca4eb4335dcdc14fe2abb3a49c4a58120a6d703f0d774c6ff09386
Instruction Fuzzy Hash: C2F0BB365606259EEF495EE68C30E8B3758BF81760B054531FE15A7094FB20DD4192A1

Non-executed Functions

Function 6EBEE810 Relevance: 13.6, Strings: 10, Instructions: 1110COMMON

Download Yara Rule

Strings

`v@, xrefs: 6EBEF56D
gswg, xrefs: 6EBEEFEC
laqxkqcpfyvpakmoyctaiwbatatssaylldhvrbchranhq, xrefs: 6EBEF0AB, 6EBEF45A
argpgaiejngngggrjecearrbcrarkev, xrefs: 6EBEEFD5
iblaixcqzyyfwfwsdkbrquxethcjibvfcosihbjyemckfoeqatmfsktjmjaiznspbxg, xrefs: 6EBEEB3B, 6EBEF3BB, 6EBEF869
ocdxlonrhtobxzbmmppsktncfvbqheqvmuejpgo, xrefs: 6EBEF0C2, 6EBEF474
ppzlpxpapvbtobg, xrefs: 6EBEEB27, 6EBEF3A7, 6EBEF852
qejqyjepcouskwewghglymcuckfthzk, xrefs: 6EBEEB10, 6EBEF390, 6EBEF838
uyepcskxzkmblyhryyxanwlmrjrrk, xrefs: 6EBEEF1E, 6EBEF6FE
br, xrefs: 6EBEF143

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID: `v@$argpgaiejngngggrjecearrbcrarkev$br$gswg$iblaixcqzyyfwfwsdkbrquxethcjibvfcosihbjyemckfoeqatmfsktjmjaiznspbxg$laqxkqcpfyvpakmoyctaiwbatatssaylldhvrbchranhq$ocdxlonrhtobxzbmmppsktncfvbqheqvmuejpgo$ppzlpxpapvbtobg$qejqyjepcouskwewghglymcuckfthzk$uyepcskxzkmblyhryyxanwlmrjrrk
API String ID: 0-113637475
Opcode ID: d58764179063d42854f4ac2c02986dd738cbb7b68b7753e23cd5846cf2821ebc
Instruction ID: 24d196973220812f7c3ac9fd31f91e2348300e252871e813f4442ef034093d8d
Opcode Fuzzy Hash: d58764179063d42854f4ac2c02986dd738cbb7b68b7753e23cd5846cf2821ebc
Instruction Fuzzy Hash: F5A2DBB1A206848FDB04CFBCCA95BDE7BF1AF4A318F118568D8159B3A5D7359809CF81

Function 6EC0F750 Relevance: 9.8, Strings: 7, Instructions: 1094COMMON

Download Yara Rule

Strings

?.A, xrefs: 6EC0FE58
l&z^, xrefs: 6EC1065B
l&z^, xrefs: 6EC100C0
?.A, xrefs: 6EC0FEA6
[8/, xrefs: 6EC102FB
Y7,, xrefs: 6EC0FE5D
[8/, xrefs: 6EC1036E

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID: ?.A$?.A$l&z^$l&z^$Y7,$[8/$[8/
API String ID: 0-3391317340
Opcode ID: 1b60360bae5738d7be9233e54b81ff0d1a9052fd1150c8eb5ca5fec0d40453f3
Instruction ID: a5c7ee22fbc5c7b2ddf81df78c177f7130bab92f701a2d1b086894fa6ed108fb
Opcode Fuzzy Hash: 1b60360bae5738d7be9233e54b81ff0d1a9052fd1150c8eb5ca5fec0d40453f3
Instruction Fuzzy Hash: 52728937A485118FCF08CDBDC5E67CD3BF3AB873A0F249519D811E7794E12A8889AB15

Function 6EC03650 Relevance: 9.4, Strings: 6, Instructions: 1879COMMON

Download Yara Rule

Strings

*YEw, xrefs: 6EC04294
gGUq, xrefs: 6EC0403A
Hk, xrefs: 6EC0436F
gGUq, xrefs: 6EC040B5
*YEw, xrefs: 6EC04F7B
X, xrefs: 6EC04F87

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID: *YEw$*YEw$X$gGUq$gGUq$Hk
API String ID: 0-1439959433
Opcode ID: 824b770a03ad2406ea95ae2ce9beea26b4076cd5b22ef7b4180e54b143b13093
Instruction ID: b9c62e42adbb8ec102a07a4f86515767b978b1a1ff17c5b27e08cec710d1d402
Opcode Fuzzy Hash: 824b770a03ad2406ea95ae2ce9beea26b4076cd5b22ef7b4180e54b143b13093
Instruction Fuzzy Hash: 54D24836A445118FCF18CEFDCAE97DE37F6BB46354F10911AD911CB398D62B9A0A8B00

Function 6EC08EC0 Relevance: 9.2, Strings: 6, Instructions: 1683COMMON

Download Yara Rule

Strings

VV_, xrefs: 6EC09591
--)l, xrefs: 6EC09AB1
1ath, xrefs: 6EC09998
1ath, xrefs: 6EC09AAC
d4k, xrefs: 6EC09BB6
d4k, xrefs: 6EC0A512

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID: --)l$1ath$1ath$VV_$d4k$d4k
API String ID: 0-861949424
Opcode ID: 25802631ae2ca4df7805d073db3ce62a70c68c1a25aefc86fc7e478c05ff2b83
Instruction ID: 726a46fe6fba51435bf6dd933a7c6b9c18bb92b05723d57302b26c88e75f2d1d
Opcode Fuzzy Hash: 25802631ae2ca4df7805d073db3ce62a70c68c1a25aefc86fc7e478c05ff2b83
Instruction Fuzzy Hash: 90C2EF36A446518FCF08CEFEC5E57CE7BF2BB86321F109519D911DB798E63A89498B00

Function 6EC120A0 Relevance: 8.8, Strings: 6, Instructions: 1319COMMON

Download Yara Rule

Strings

6H[, xrefs: 6EC12DC8
6H[, xrefs: 6EC1329D
2>|o, xrefs: 6EC12671
Ap`}, xrefs: 6EC1311D
Qfyj, xrefs: 6EC127FC
Ap`}, xrefs: 6EC130CF

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID: 2>|o$6H[$6H[$Ap`}$Ap`}$Qfyj
API String ID: 0-2042664381
Opcode ID: a88cdf85c31cc106a6ff575bde980dc74684e8bfd6da9a243c23ca27f591fb7f
Instruction ID: a99961fa0a11823682566e65b8780569a21fb4defdaf007400719dbb60c5871e
Opcode Fuzzy Hash: a88cdf85c31cc106a6ff575bde980dc74684e8bfd6da9a243c23ca27f591fb7f
Instruction Fuzzy Hash: 5B921436B481168FCF08CEFED6E47CD77F2AB43314F118115E815DB399E62A990AAB41

Function 6EC13F80 Relevance: 8.3, Strings: 5, Instructions: 2030COMMON

Download Yara Rule

Strings

xqTo, xrefs: 6EC15016
H;"v, xrefs: 6EC15904
H;"v, xrefs: 6EC15B03
8/%Q, xrefs: 6EC1540D
NB&|, xrefs: 6EC14807

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID: 8/%Q$H;"v$H;"v$NB&|$xqTo
API String ID: 0-3661306283
Opcode ID: d72350a52bca8553adc1b7f2c97b1f394275db2ee53b3084249280160f2cfdff
Instruction ID: 29ce4a3a2e801e600a64719d78fc85ee74b4601cafa79b9694fbd1fa57f6243b
Opcode Fuzzy Hash: d72350a52bca8553adc1b7f2c97b1f394275db2ee53b3084249280160f2cfdff
Instruction Fuzzy Hash: FFE24736A485118FCF08CEBDC6F57CE3BF2BB46364F109619D925DB394D22A990B9B04

Function 6EC0E110 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 178COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6EC0E21F

Strings

uq4, xrefs: 6EC0E150
string too long, xrefs: 6EC0E216, 6EC0E354

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: string too long$uq4
API String ID: 909987262-2369144251
Opcode ID: c73459c8beb3b32799de6495695aa9f03704d7c222e6d5f2f40aae1207b027b4
Instruction ID: b2f28d9b0cf35f8d2ebeb4c9d511311104a1f68801749aa30035e70e018e3cdf
Opcode Fuzzy Hash: c73459c8beb3b32799de6495695aa9f03704d7c222e6d5f2f40aae1207b027b4
Instruction Fuzzy Hash: C8513B326845259FCF08CEBDC9E43EE7BF1AB43320F204609D861DB395D63746098742

Function 6EC11430 Relevance: 7.1, Strings: 5, Instructions: 897COMMON

Download Yara Rule

Strings

D<@, xrefs: 6EC11970
), xrefs: 6EC11EEE
D<@, xrefs: 6EC119C6
%Aa~, xrefs: 6EC11B28
%Aa~, xrefs: 6EC11ADA

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID: %Aa~$%Aa~$)$D<@$D<@
API String ID: 0-2410475458
Opcode ID: c0c2653441f487e99a78d9af58aafe46d88fe389e96e8211c4e1de8504d08c70
Instruction ID: 550a0f4e1e435089ab53b81f1f39718bdb8d60a732ac68b001c1411017834caa
Opcode Fuzzy Hash: c0c2653441f487e99a78d9af58aafe46d88fe389e96e8211c4e1de8504d08c70
Instruction Fuzzy Hash: 3A62CE76A486568FCF08CEEDC5A47CD7BF2FB56310F114619D826EB354E23A9849EB00

Function 6EBFC840 Relevance: 6.7, Strings: 4, Instructions: 1681COMMONLIBRARYCODE

Download Yara Rule

Strings

KK., xrefs: 6EBFDD2B
KK., xrefs: 6EBFDD84
eO, xrefs: 6EBFDF11
2=E, xrefs: 6EBFD533

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID: 2=E$eO$KK.$KK.
API String ID: 0-1205350468
Opcode ID: ca1dfbf3a80be69e6828be3b8d50b19437dbc9690f2a74a82eb25724c2024b2e
Instruction ID: 13a39c4c8c7afd5aa8e565518579085787af59164af2798cb8c53a364de1a7c7
Opcode Fuzzy Hash: ca1dfbf3a80be69e6828be3b8d50b19437dbc9690f2a74a82eb25724c2024b2e
Instruction Fuzzy Hash: 41C25636A51655CFDF088EBCE5E47CE3BF2AB46354F119215E521EB798C62A480F8F08

Function 6EC1E2C2 Relevance: 6.1, APIs: 4, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6EC1E2CE
IsDebuggerPresent.KERNEL32 ref: 6EC1E39A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6EC1E3BA
UnhandledExceptionFilter.KERNEL32(?), ref: 6EC1E3C4

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 540831fa743f9a7c7d5866a18b4d64f92e66c6d90f83ac52c0ff56ccfff01830
Instruction ID: 3d13f74aa097a4a280fd2d75e9f8331e5c72dd527df57fbe059f0b62982e4ac8
Opcode Fuzzy Hash: 540831fa743f9a7c7d5866a18b4d64f92e66c6d90f83ac52c0ff56ccfff01830
Instruction Fuzzy Hash: EC312575D1521C9FDB10DFA0DA89BCCBBB8BF08304F5041AAE409AB240EB709A859F44

Function 6EBF2A60 Relevance: 5.9, Strings: 3, Instructions: 2145COMMON

Download Yara Rule

Strings

`5UZ, xrefs: 6EBF3936
`5UZ, xrefs: 6EBF4788
-$J6, xrefs: 6EBF3791

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID: -$J6$`5UZ$`5UZ
API String ID: 0-2833011768
Opcode ID: ef1dbf0328974224cb8de22c5e662baf112b7542895917472261b0999b047a9c
Instruction ID: 2b009af90cd14b8ce9994cabe8cdc77f9765247315d3d91e6dc053597462da80
Opcode Fuzzy Hash: ef1dbf0328974224cb8de22c5e662baf112b7542895917472261b0999b047a9c
Instruction Fuzzy Hash: 90F20136A44262CFDF14CEBCCAA57D97BF2EB46310F108659D519DB3A5C63A894F8B00

Function 6EC08420 Relevance: 5.8, Strings: 4, Instructions: 752COMMON

Download Yara Rule

Strings

cUA0, xrefs: 6EC08770
he*, xrefs: 6EC08C6A
T|.v, xrefs: 6EC088DE
cUA0, xrefs: 6EC08724

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID: T|.v$cUA0$cUA0$he*
API String ID: 0-1513220463
Opcode ID: b9cbc5d7a6c95450adf1dc902d7e56f1557ef1007d3525e5569d1409f80f38a3
Instruction ID: a533db6d21d7729804def7fe6de7a1a0043ec49b7936a37da64033019cf18131
Opcode Fuzzy Hash: b9cbc5d7a6c95450adf1dc902d7e56f1557ef1007d3525e5569d1409f80f38a3
Instruction Fuzzy Hash: C0420337A441128FDF08CEBDCAA5BDE7BF2AB87359F10D515D921D7784E12B8A098B04

Function 6EBFED50 Relevance: 5.1, Strings: 3, Instructions: 1321COMMON

Download Yara Rule

Strings

jE-!, xrefs: 6EBFFF5E
jE-!, xrefs: 6EBFFA50
h(p, xrefs: 6EBFF4E7

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID: h(p$jE-!$jE-!
API String ID: 0-2655571292
Opcode ID: c9b0c2ba7410185a6b5a8bcfd9cd11f64013ff0a932d4fc0975aa41044813a0b
Instruction ID: 5cee2513b2ddf2eea85d560e804bd588a3619c8b198acfc70bc2a617787fae25
Opcode Fuzzy Hash: c9b0c2ba7410185a6b5a8bcfd9cd11f64013ff0a932d4fc0975aa41044813a0b
Instruction Fuzzy Hash: 06A21076A54252CFDF08CEBCD6A47DD7FE2AB46320F20951AD415DB794D62A8A0FCB00

Function 6EC1C4F0 Relevance: 4.8, Strings: 3, Instructions: 1100COMMON

Download Yara Rule

Strings

miF, xrefs: 6EC1CE9D
D%(V, xrefs: 6EC1CFC2
D%(V, xrefs: 6EC1CF66

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID: D%(V$D%(V$miF
API String ID: 0-1436589814
Opcode ID: 8799eda055bcdb9433f096537d2cd4440721a4963a1e7053c11e0d055d168e9b
Instruction ID: f4a434229d3745d89a5c9df744532c89f5de259e7786c50d3a1cf1f3d3e57ffb
Opcode Fuzzy Hash: 8799eda055bcdb9433f096537d2cd4440721a4963a1e7053c11e0d055d168e9b
Instruction Fuzzy Hash: 70724A37A486118FCF08CEBDE6D5BDD7BF3AB42321F105615ED21DB394E22A99099B01

Function 6EC106A0 Relevance: 4.6, Strings: 3, Instructions: 900COMMON

Download Yara Rule

Strings

~$Z, xrefs: 6EC112AA
j-KY, xrefs: 6EC10BFC
~$Z, xrefs: 6EC111CF

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID: j-KY$~$Z$~$Z
API String ID: 0-1925356432
Opcode ID: 9dd7da2f4b30e1ce88777fc0bf6cd903dff40f1be3ad099453115ec413ad6215
Instruction ID: 6c57bb0b10a238767d9dae87cf5c66fc7d1fb814bcccbe9146ca6a0c03eb8cad
Opcode Fuzzy Hash: 9dd7da2f4b30e1ce88777fc0bf6cd903dff40f1be3ad099453115ec413ad6215
Instruction Fuzzy Hash: 3D525B36A486118FDF04CEFDD5E57CE7BF2EB56320F205219D911EB394E23A894A9B40

Function 6EC19930 Relevance: 4.6, Strings: 3, Instructions: 886COMMON

Download Yara Rule

Strings

zz44, xrefs: 6EC1A40C
zz44, xrefs: 6EC19DFA
x@e3, xrefs: 6EC1A4D2

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID: x@e3$zz44$zz44
API String ID: 0-2586768289
Opcode ID: df0152a9f2a5723bf808eadf0f9ff57ae850a08addbb24e0e18ee13ef4f99dbd
Instruction ID: 8737f9e90835d797f91ef42a13a2ba9cdd41ff49a03f84a481b93633bec102a2
Opcode Fuzzy Hash: df0152a9f2a5723bf808eadf0f9ff57ae850a08addbb24e0e18ee13ef4f99dbd
Instruction Fuzzy Hash: 3A521636A486118FCF04CEBED5E57CD7BF2AB86311F149119D921EB394E22AC90DAF10

Function 6EC207AC Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6EC208A4
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6EC208AE
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6EC208BB

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 1e3da2fc64cace2ae83a81f7cf849f7d0e7da2437491033e0594834cd48c7e2f
Instruction ID: f59493ab6826d53b9a4be5e857cfd019aa9e2bf14b87547054649a83acb5eda3
Opcode Fuzzy Hash: 1e3da2fc64cace2ae83a81f7cf849f7d0e7da2437491033e0594834cd48c7e2f
Instruction Fuzzy Hash: 4A31B37491132C9BCB61DF64D988BCDBBB8BF08710F5046EAE41CA6250E7709B81CF44

Function 6EC20E92 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,6EC20E91,?,00000001,?,?), ref: 6EC20EB4
TerminateProcess.KERNEL32(00000000,?,6EC20E91,?,00000001,?,?), ref: 6EC20EBB
ExitProcess.KERNEL32 ref: 6EC20ECD

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 11a39090b85903bb2f7b42462344a04f1252e1f7fa8256206b9c4e1f0a33f97b
Instruction ID: 8d3d5d61995fc8aee7f9787b83a8e030428b44b6f1011a8837c19e3cece0e0ee
Opcode Fuzzy Hash: 11a39090b85903bb2f7b42462344a04f1252e1f7fa8256206b9c4e1f0a33f97b
Instruction Fuzzy Hash: 8AE0EC3102164CEFCF116F98CA69A897F79FB4A341F004825F9298A121FB76DDC2DB90

Function 6EC1BD70 Relevance: 4.3, Strings: 3, Instructions: 551COMMON

Download Yara Rule

Strings

H6R7, xrefs: 6EC1C073
v), xrefs: 6EC1C13A
H6R7, xrefs: 6EC1C4C6

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID: H6R7$H6R7$v)
API String ID: 0-3266407226
Opcode ID: dbb597f01388a76a9d8b1833256ee228f1d7bf5dc2527b9899606b99beacb82f
Instruction ID: 0d91fe21b3b382f62c783e49599a09e318800e35a02743ae0c1bff1b510ada45
Opcode Fuzzy Hash: dbb597f01388a76a9d8b1833256ee228f1d7bf5dc2527b9899606b99beacb82f
Instruction Fuzzy Hash: B712E676A485158FCF08CEFDC5D4BED7BF2BB46320F108529E811EF798D22998099B51

Function 6EC17A10 Relevance: 4.2, Strings: 3, Instructions: 401COMMON

Download Yara Rule

Strings

Ve0, xrefs: 6EC17E49
Ve0, xrefs: 6EC17EA2
}*v, xrefs: 6EC17D9F

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID: Ve0$Ve0$}*v
API String ID: 0-3677685588
Opcode ID: bda2f602f5948e44139a70edd8587616886d2657586df2474ecd6aa1d28f0e1b
Instruction ID: 6a97b2289cbdae7447c5e08f59d6efaa226886551659a17e1d0578bd5ac1a1ae
Opcode Fuzzy Hash: bda2f602f5948e44139a70edd8587616886d2657586df2474ecd6aa1d28f0e1b
Instruction Fuzzy Hash: 41E10032A482168FCF08CEBDC991ADD7BF2BB4B350F108505E815E7394E73A9909EB15

Function 6EC0C470 Relevance: 4.1, Strings: 2, Instructions: 1599COMMON

Download Yara Rule

Strings

sUA, xrefs: 6EC0CC14
hOqS, xrefs: 6EC0D5DB

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID: hOqS$sUA
API String ID: 0-2148556921
Opcode ID: f1c4e34c9a8cb751f7de4b6bbebc9057f54d87e6395d7732708e92945eac1d62
Instruction ID: d4635a8ee2544573083255dfad4fd6003ca5c6bad83a8ca7e12333c763144568
Opcode Fuzzy Hash: f1c4e34c9a8cb751f7de4b6bbebc9057f54d87e6395d7732708e92945eac1d62
Instruction Fuzzy Hash: D9C20176A446558FCF08CEBDC5A4BDE7BF2BB4A354F108519D811DB398E63A980ACF01

Function 6EC1AD90 Relevance: 4.0, Strings: 3, Instructions: 241COMMON

Download Yara Rule

Strings

\Z,, xrefs: 6EC1AFC1
\Z,, xrefs: 6EC1B036
%I7, xrefs: 6EC1B04E

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID: %I7$\Z,$\Z,
API String ID: 0-3677234046
Opcode ID: 4ba51d9bc7bcdd5aa31f374ced9c305bb2335bf033afe2dd009bf4ff244351ac
Instruction ID: 79562ee38708b7b1002d8b68e5e502ba110f1204cb5f790c8945245404c5c583
Opcode Fuzzy Hash: 4ba51d9bc7bcdd5aa31f374ced9c305bb2335bf033afe2dd009bf4ff244351ac
Instruction Fuzzy Hash: 96919BB5A08609CFCF04CEADD5906CDBBF2FB4A320F10411AE824E7394E239A909DF54

Function 6EC1A560 Relevance: 3.2, APIs: 2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84e910790895f91ed2eca10385c4d6ca81834ce734b9fda837dfb324c38eb650
Instruction ID: 6f84acf5cd75a858b20b2df26c9a5f1eb67ebdf4f7ebecd7288d2e03f128ae35
Opcode Fuzzy Hash: 84e910790895f91ed2eca10385c4d6ca81834ce734b9fda837dfb324c38eb650
Instruction Fuzzy Hash: 4B610972A486168FDF05CEBDC5D43EE7BF1EB82360F109215D8359B394E236890E9B45

Function 6EC00930 Relevance: 3.1, Strings: 2, Instructions: 596COMMON

Download Yara Rule

Strings

6!@, xrefs: 6EC01141
6!@, xrefs: 6EC01043

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID: 6!@$6!@
API String ID: 0-3066580886
Opcode ID: a73f6d49f51ef6d2a9aead9f77d08ef38aca7100d0c74c8f243dcc13d8ef7496
Instruction ID: 948e2b8a331abdb3549e5bd1cff8a6ef4f9190b51bf2f287af742186a26bd7ac
Opcode Fuzzy Hash: a73f6d49f51ef6d2a9aead9f77d08ef38aca7100d0c74c8f243dcc13d8ef7496
Instruction Fuzzy Hash: 0D123736A405128FDF08CEFDC6A67CE77F2AB47355F119515D422EB394E22B4E098B24

Function 6EC07140 Relevance: 3.1, Strings: 2, Instructions: 568COMMON

Download Yara Rule

Strings

Z=~, xrefs: 6EC07383
Z=~, xrefs: 6EC073CF

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID: Z=~$Z=~
API String ID: 0-343420198
Opcode ID: b5c30a9350a232ee243eadb25a09bfd74512c5bbe8320360beaf85f1fd4ae73e
Instruction ID: 71ff4023b8b67deec9925cf3c3ee211247111bd2501972d34cc1472f234186f4
Opcode Fuzzy Hash: b5c30a9350a232ee243eadb25a09bfd74512c5bbe8320360beaf85f1fd4ae73e
Instruction Fuzzy Hash: 8C120272E446158FDF0CDEBDD5A57DE7BF2AB46310F008519E811EB394E22A8809EF11

Function 6EC1B7F0 Relevance: 2.9, Strings: 2, Instructions: 414COMMON

Download Yara Rule

Strings

O4|, xrefs: 6EC1BA5A
O4|, xrefs: 6EC1BD22

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID: O4|$O4|
API String ID: 0-3537474934
Opcode ID: 8340fadbd85ef06f138881bc440d976ffe1eb30f96320f29addda0418971ff8b
Instruction ID: 158a553d7e60241ea7f16963355e85bc9a6676f78fec91509d06e26eb3f40511
Opcode Fuzzy Hash: 8340fadbd85ef06f138881bc440d976ffe1eb30f96320f29addda0418971ff8b
Instruction Fuzzy Hash: 40E1D372A48215CFCF08CEBDD5D17EEBBF1AB46320F10541AE815DB398E639990A9F40

Function 6EC1A850 Relevance: 2.9, Strings: 2, Instructions: 383COMMON

Download Yara Rule

Strings

}8I, xrefs: 6EC1AD6F
}8I, xrefs: 6EC1AC95

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID: }8I$}8I
API String ID: 0-1781519103
Opcode ID: 8fafeeec0a3bf80782ead78de89ff92e6fdfda276830188f8ff8b2af2c8285aa
Instruction ID: c512f5f6e552ed6ec0da428770c4d23b4c1a48c59a95185b3cacbe5835241353
Opcode Fuzzy Hash: 8fafeeec0a3bf80782ead78de89ff92e6fdfda276830188f8ff8b2af2c8285aa
Instruction Fuzzy Hash: 56C13932A489128FDF08CDFDC6E53DE37F2AB87355F119219D8119B355E22A890EAB50

Function 6EC05010 Relevance: 2.9, Strings: 2, Instructions: 379COMMON

Download Yara Rule

Strings

p, xrefs: 6EC05461
p, xrefs: 6EC0551C

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID: p$p
API String ID: 0-2168888969
Opcode ID: 443138c9d8388962be664dbdb92a318a01b43c5c69ab7040809265c99a262e8e
Instruction ID: 33f4a0b43e081da52adeb97c2e6d0c3487fa2bd381698755ff8e5bacc9751ebd
Opcode Fuzzy Hash: 443138c9d8388962be664dbdb92a318a01b43c5c69ab7040809265c99a262e8e
Instruction Fuzzy Hash: 9DC15832E445124FCF18CEBEC5A53DF77F3AB47364F209515D9219B394E52B8A0A8BA0

Function 6EC0A5C0 Relevance: 2.8, Strings: 2, Instructions: 345COMMON

Download Yara Rule

Strings

Z}+{, xrefs: 6EC0AA5F
Z}+{, xrefs: 6EC0A763

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID: Z}+{$Z}+{
API String ID: 0-3875537855
Opcode ID: 7e09788da38f65259bf53128d676e30a6e705f7b2b2c8b4d55aafbd6ac8b4fc9
Instruction ID: aee8b3fb81d0e8d40c2e6be3aff54448cf7198feabcec88b6bc21cbbf14726b2
Opcode Fuzzy Hash: 7e09788da38f65259bf53128d676e30a6e705f7b2b2c8b4d55aafbd6ac8b4fc9
Instruction Fuzzy Hash: 49C10576A445168FCF08CEBEC6E47DE7BF2AB86354F149205D811D7395E22B8E0A8F50

Function 6EC0DC80 Relevance: 2.8, Strings: 2, Instructions: 332COMMON

Download Yara Rule

Strings

h1Ni, xrefs: 6EC0DF6C
h1Ni, xrefs: 6EC0DFC7

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID: h1Ni$h1Ni
API String ID: 0-3337901759
Opcode ID: 1bea99e4f5bb7f40ca0f8fb6cdf45dd32b05da233a60b35eb217102ab636a8b0
Instruction ID: 95d26deb040af2bcb98b9a75fa4cbd92c7b39a56ac8ef8b963c7f9fd7624d8c8
Opcode Fuzzy Hash: 1bea99e4f5bb7f40ca0f8fb6cdf45dd32b05da233a60b35eb217102ab636a8b0
Instruction Fuzzy Hash: 97C1CE76A442059FCF04CFBDD9E4ADDBBF2BB4A300F104619E801EB394E63A99498F11

Function 6EC07C70 Relevance: 2.8, Strings: 2, Instructions: 330COMMON

Download Yara Rule

Strings

ki|\, xrefs: 6EC07EA9
ki|\, xrefs: 6EC07EFF

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID: ki|\$ki|\
API String ID: 0-3643334872
Opcode ID: 51005f265145289aab984e05ea412d7f79a93b7a7f191a725ab004bd8ae699aa
Instruction ID: 3be7aaae71e82874c89b4a0e1967698fca182a7e6f0ff6f03114d31a7e748fab
Opcode Fuzzy Hash: 51005f265145289aab984e05ea412d7f79a93b7a7f191a725ab004bd8ae699aa
Instruction Fuzzy Hash: 86B1F233A041568FCF08CEFDC6947EE7BF2BB46358F108115D821EB399D62B8A099B51

Function 6EC0F2C0 Relevance: 2.7, Strings: 2, Instructions: 201COMMON

Download Yara Rule

Strings

J+_?, xrefs: 6EC0F52B
W]n, xrefs: 6EC0F53E

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID: J+_?$W]n
API String ID: 0-1951935999
Opcode ID: 747cca428c7f4f68f4120e07082f77e0a4e7d9cbdce272afff707056b0a12fcc
Instruction ID: b6d457252566bf1dedf1307cef70f0d1818b994105106f90bb83c3f663840dcb
Opcode Fuzzy Hash: 747cca428c7f4f68f4120e07082f77e0a4e7d9cbdce272afff707056b0a12fcc
Instruction Fuzzy Hash: CE612972A4514A8FCF04CEBDC6A17DE7BF1F74A320F208115D811EB384E52B96898B59

Function 6EC05EA0 Relevance: 2.2, Strings: 1, Instructions: 935COMMON

Download Yara Rule

Strings

Mhb, xrefs: 6EC064DD

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID: Mhb
API String ID: 0-428850271
Opcode ID: 1757629c7200d06c3c702d59be0d203a96601a9a753b470a1a3350ca36bdef64
Instruction ID: 65128b039bd57a3ff123a0deb727c47f53efa8576566478216509094c44be83e
Opcode Fuzzy Hash: 1757629c7200d06c3c702d59be0d203a96601a9a753b470a1a3350ca36bdef64
Instruction Fuzzy Hash: EA623377B519118FCF08CEBDC6A53CE37F2AB46320F245115D911DBB99E22B8E4A8B14

Function 6EC16C90 Relevance: 2.1, APIs: 1, Instructions: 603COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13cf742f68898a2dbb9bf7d72995849a7abeb8f9f316592c00fc983f7469717a
Instruction ID: 45c9a2dffac67d66df74eb18ae032e062fe8cff195aa1305a7e3846add6c1aa0
Opcode Fuzzy Hash: 13cf742f68898a2dbb9bf7d72995849a7abeb8f9f316592c00fc983f7469717a
Instruction Fuzzy Hash: 41123876E486118FCF08CEBDD5957DE7BF2AB4B360F109219D811EB394D23A9809AF44

Function 6EC28481 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6EC2847C,?,?,00000008,?,?,6EC28114,00000000), ref: 6EC286AE

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 2b17a1d5a5955c81a64efdbc3589e4534206dd531ed039d67c3050d2fd18be0a
Instruction ID: c410bf9e2d3958ece4c4678dc7aa3033167590a6bd1980d4ee08ae529d1890d7
Opcode Fuzzy Hash: 2b17a1d5a5955c81a64efdbc3589e4534206dd531ed039d67c3050d2fd18be0a
Instruction Fuzzy Hash: 96B16932610609CFDB44CF68C496F997BE0FF05364F258668E8A9CF2A5D335E992CB40

Function 6EC0AA90 Relevance: 1.7, APIs: 1, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86906a5f385cdd43e90db2ca3cdd048d35130dc5a14c12e593ae9a3d30c4e79a
Instruction ID: da11e07e40b7e2a7305ff6864ff5727afaee54b45f687e7359d0e8eb972c3f3a
Opcode Fuzzy Hash: 86906a5f385cdd43e90db2ca3cdd048d35130dc5a14c12e593ae9a3d30c4e79a
Instruction Fuzzy Hash: EC716B72A406118FCF08CEFEC5F53EF7BE2AB86361F10521AC9509B394E52B45098B84

Function 6EC01620 Relevance: 1.7, Strings: 1, Instructions: 403COMMON

Download Yara Rule

Strings

W=2=, xrefs: 6EC019D8

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID: W=2=
API String ID: 0-3996485284
Opcode ID: 47a65e9d4c7513292a2e618a7dcee1bb2bfc64e4d421c96070cd143de8d0ae46
Instruction ID: 045610a864788ed4e7d2b2dc7dd576574ed59663a08d8243b18d1f90504e8f7e
Opcode Fuzzy Hash: 47a65e9d4c7513292a2e618a7dcee1bb2bfc64e4d421c96070cd143de8d0ae46
Instruction Fuzzy Hash: D6D1F176A446118FDF04CEBDD6E57DEB7F2AB46328F205519D411EB394E22B8A0DCB10

Function 6EC1E488 Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6EC1E49E

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 6e8b32719c63a84ea56e568ac309fd73fda5548ff7057544c9cdc3d614266808
Instruction ID: 7eab1a3abf1d074d8e15b49790beafed0171145901b475912134bbf5975f8114
Opcode Fuzzy Hash: 6e8b32719c63a84ea56e568ac309fd73fda5548ff7057544c9cdc3d614266808
Instruction Fuzzy Hash: 1E519AB1A0461ACFEF44CFA5C69179EBBF0FB48351F10846AD42AEB684E7749940EF50

Function 6EC22590 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b6b9642d1ed84fcc41db8c20769f56d69d12601b510ede976b28daa7e5a85a3
Instruction ID: 1a9f57be03973564e9bc79bf37f8ad6e060f6fc257175febafc9859dc83e9479
Opcode Fuzzy Hash: 8b6b9642d1ed84fcc41db8c20769f56d69d12601b510ede976b28daa7e5a85a3
Instruction Fuzzy Hash: 7241C575814219AFDB14DFB9CCA8AEABBBDEF45304F1442E9E41DD3204EA359E848F50

Function 6EBFFFD0 Relevance: 1.6, Strings: 1, Instructions: 378COMMON

Download Yara Rule

Strings

P(.&, xrefs: 6EC002DF

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID: P(.&
API String ID: 0-85805879
Opcode ID: 2d607dfe0f2683760a61146f7f7a43ef14c1f3b32dc72501710b70cd06be66d6
Instruction ID: 6c203949109170759d43ec4626f32a38260c1806fa8df9b71894217cd9baad8a
Opcode Fuzzy Hash: 2d607dfe0f2683760a61146f7f7a43ef14c1f3b32dc72501710b70cd06be66d6
Instruction Fuzzy Hash: 0CC16972A405128FDF048EBDC9E67EF3BE2B746320F219919C921D7395F22B4A098B40

Function 6EC16770 Relevance: 1.6, Strings: 1, Instructions: 373COMMON

Download Yara Rule

Strings

Xj), xrefs: 6EC16B50

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID: Xj)
API String ID: 0-4253866143
Opcode ID: a2ee76bedc6f606ceba0288558933c00568c70ad7bc1eccbfa54786b07b2f0ac
Instruction ID: 446e6cac8428af75aab5a3698853f82118b6e2a499fc842476c4d8cd76bfd4f8
Opcode Fuzzy Hash: a2ee76bedc6f606ceba0288558933c00568c70ad7bc1eccbfa54786b07b2f0ac
Instruction Fuzzy Hash: 0BD13172A58A168FCF04CEFDC5A17DE7BF2FB4A314F009118D811EB384E62A9909DB55

Function 6EC0E6D0 Relevance: 1.6, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

vXfq, xrefs: 6EC0E9EF

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID: vXfq
API String ID: 0-421188319
Opcode ID: 295c92779f2643daa2456fe429b4f83c0159fa2cf3dca3280b848b25f78a7da2
Instruction ID: f70a7f1994247aa6d3e10204f36d79860129b0ab3ecde2c31e80beeed724520d
Opcode Fuzzy Hash: 295c92779f2643daa2456fe429b4f83c0159fa2cf3dca3280b848b25f78a7da2
Instruction Fuzzy Hash: 24B12376E842158FDF04CEBDD5E17DE7BF2BB0A310F00961ADA11E7344E63A99098B25

Function 6EC15B10 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

rV$, xrefs: 6EC15D0F

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID: rV$
API String ID: 0-98136299
Opcode ID: 975fd5323a0eb4fb9292b5113c6faecf2144e73d1071e502eef561d620de1265
Instruction ID: 88e9ebf5cee2806cf1531929e3f34b0129ca2579fc824fdd12cead1d5efc840a
Opcode Fuzzy Hash: 975fd5323a0eb4fb9292b5113c6faecf2144e73d1071e502eef561d620de1265
Instruction Fuzzy Hash: 1D912776A4C2128FCF088EBDC5D57EE7BF2BB46360F105619C920DB394E63E85499B50

Function 6EC05530 Relevance: 1.4, Strings: 1, Instructions: 188COMMON

Download Yara Rule

Strings

WFZo, xrefs: 6EC05799

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID: WFZo
API String ID: 0-2664484962
Opcode ID: 2efc97a81b5b2bea29a2768098ce068def762733eb3cddb47ce0ba2d28ea5e17
Instruction ID: abb1db6dbd605bece88ee2254827e4567e4aae68f5c0dc8289b7f417abd3754d
Opcode Fuzzy Hash: 2efc97a81b5b2bea29a2768098ce068def762733eb3cddb47ce0ba2d28ea5e17
Instruction Fuzzy Hash: 5151027AA54216CFCF158EEDCAA67EE7BF2BB46300F101419D515E7344E63B8A098B90

Function 6EC23ABA Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6EC23ABA

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 270fe0acf46cd2d24e1967f698e3ef1db2621c36776cdb057cc9abc037c1e3f3
Instruction ID: a82ba264fbc137873203003c1fedef69638ed1e3a34fd698650ca5e9b1e4aad7
Opcode Fuzzy Hash: 270fe0acf46cd2d24e1967f698e3ef1db2621c36776cdb057cc9abc037c1e3f3
Instruction Fuzzy Hash: 5AA02232200A20CF8F00CF32830CB0E3BFCBA032C030880A8B802C0000EF328080BB00

Function 6EC028C0 Relevance: 1.0, Instructions: 1000COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18bcb63fbeda6f9787639ac5f59b6c2c2f79e65da5bfc5269b1e7f753b7b0c62
Instruction ID: 8e6e47e7682f754010799ffa9cb901b179d598a181df4195f36277e881f64440
Opcode Fuzzy Hash: 18bcb63fbeda6f9787639ac5f59b6c2c2f79e65da5bfc5269b1e7f753b7b0c62
Instruction Fuzzy Hash: 62622636A805118FCF088EBDC5F97DE77E6FB46321F10D61AC921EB395D62B450A8B24

Function 6EC132F0 Relevance: .9, Instructions: 936COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4898fd51105ac3aaabd69165dad0f15f9582df541ba345aa5768c30391bae0d
Instruction ID: b02dbcd7573cf399ad37fedbdadd6deb4780a2f9143bc7ef2b0d278965b6385c
Opcode Fuzzy Hash: b4898fd51105ac3aaabd69165dad0f15f9582df541ba345aa5768c30391bae0d
Instruction Fuzzy Hash: DC529933A586518FCF08CDBDC6E97DE3BF2AB47368F119116C911DB394D12A890AAB14

Function 6EC02010 Relevance: .6, Instructions: 644COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1a64e19ca5c78dfb276939c0d7daa9701b3066e1de86f6815350b3eb21eba87
Instruction ID: f972133d5eb41cf95f0ed507ecef2bf7c8b2f0ab1e770322e715c6d5a98ea613
Opcode Fuzzy Hash: e1a64e19ca5c78dfb276939c0d7daa9701b3066e1de86f6815350b3eb21eba87
Instruction Fuzzy Hash: 2E221037A442128FDF0DCAFEC6B57DE37E2AB86314F145119D911DB396D62B8A098F40

Function 6EBEF890 Relevance: .6, Instructions: 561COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ffca62dd8a4dbb7d609da6faa1cf9014d7b206cdcc5145041d8b07d68957493
Instruction ID: 3da5c1ee3e6add51bf78473f81261dd6fd0a774152703ab2f6167ded2d732d83
Opcode Fuzzy Hash: 7ffca62dd8a4dbb7d609da6faa1cf9014d7b206cdcc5145041d8b07d68957493
Instruction Fuzzy Hash: DB021032B442668FDF08CEBCE9917DD7FF2AB4B390F209115D451EBA84D32A9905CB58

Function 6EC0BCF0 Relevance: .5, Instructions: 543COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5170af4110007ad62ae509a24e1aec5e583fe90b79756607f65931805c52e3d
Instruction ID: d6342b8cabb0e2d64eb3dd50037186e1ac71aa2a8c4ccc5e90a65d4461447d74
Opcode Fuzzy Hash: c5170af4110007ad62ae509a24e1aec5e583fe90b79756607f65931805c52e3d
Instruction Fuzzy Hash: 3F02E376A402158FCF08CEBDD5A57ED77F2BB4A360F108115E925EB358E63A8909CF24

Function 6EC1B0D0 Relevance: .5, Instructions: 522COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d0ca81ea523ebb2cc6d9ae2fa5e1d964b0eb98a374213675933b2a1229af23c
Instruction ID: 1bf4d5ad393b6b1fac99b2eabad0dfa1297054200548489eaf6f6a20cd400f7e
Opcode Fuzzy Hash: 3d0ca81ea523ebb2cc6d9ae2fa5e1d964b0eb98a374213675933b2a1229af23c
Instruction Fuzzy Hash: 3FF12636A48606CFCF04CDBDC6A57DE37F2BB47364F209219D921DB798D12A490A9F50

Function 6EC17FD0 Relevance: .5, Instructions: 495COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13d457997edb0f0db4b308db435380a7749a86b89035908d00d7aa8a954dac54
Instruction ID: eb2c909b8f48aed873d48025386558fd5359bd29d1f8f83ea52fb8e704783604
Opcode Fuzzy Hash: 13d457997edb0f0db4b308db435380a7749a86b89035908d00d7aa8a954dac54
Instruction Fuzzy Hash: 63F1E077A4C2158FCF04CEBDDAD0BCD7BF2BB46350F205519E911EB394E62A89099B11

Function 6EC057E0 Relevance: .5, Instructions: 483COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e1efde61454f1334637977e7fa3e465bfca46e7398173035d1c2c3304387595
Instruction ID: a0872c3df62e58536fe327a3ada6c0eb7879400192965d55c11315a131dd8cf4
Opcode Fuzzy Hash: 5e1efde61454f1334637977e7fa3e465bfca46e7398173035d1c2c3304387595
Instruction Fuzzy Hash: 42F13977A445128FCF18CEBDC9E53EE77F2AB46320F10561AD921D7394E22F89498B50

Function 6EBFE730 Relevance: .4, Instructions: 435COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ca369492cd408507d70454f4d69fdb164d11a9522088f91284f042e57302119
Instruction ID: 1d4119a794220f54fc6569936d906a3a4fd93994c27185f9a5b3ddcb17e940b8
Opcode Fuzzy Hash: 1ca369492cd408507d70454f4d69fdb164d11a9522088f91284f042e57302119
Instruction Fuzzy Hash: E7E1D13AA04245CFDF04CEBCDAD56EDBFF2AB4A330F245629D811E7344D639990A8B11

Function 6EC06B30 Relevance: .4, Instructions: 435COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c4770fa5b905acdc4014b73175b17a6cc1fac761080383ae2f6b6533876d7c0
Instruction ID: 93e098abc72e4980b391bc13ca953f10229961147813c5934ba049ab34b15baa
Opcode Fuzzy Hash: 6c4770fa5b905acdc4014b73175b17a6cc1fac761080383ae2f6b6533876d7c0
Instruction Fuzzy Hash: B2E12672A146158FCF08CEBDD9D07DEBBF2BB4A350F049119E811EB794E23B89498B51

Function 6EC18E00 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1f6a4500e2582b40c58a67595e2a98b8c87ad1a6ade991e383943156ca0915c
Instruction ID: 43a23da6a807ee5da0beda7edf47c94003851147669c1dda68621354dcfc2a54
Opcode Fuzzy Hash: a1f6a4500e2582b40c58a67595e2a98b8c87ad1a6ade991e383943156ca0915c
Instruction Fuzzy Hash: 71E1FF36A182258FDF04CFBDD994BDEBBF2BB46314F104219E915EB394E73688099B41

Function 6EC1D430 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a0f5fbd980a8e480d51d4738098e771e1b41375e93f4b2adc5505cceed66cc0
Instruction ID: e351b21665b186ace59a35986466cfa840e17fc42f40783e5da4339a50c53346
Opcode Fuzzy Hash: 4a0f5fbd980a8e480d51d4738098e771e1b41375e93f4b2adc5505cceed66cc0
Instruction Fuzzy Hash: E1E12672E046158FCF04CEBDC5957DE7BF2BB8A321F109119E825EB394E62A9809DF44

Function 6EC193C0 Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23e681e01d2f07373254dde0b1f5a85b25e7e4b3aa46f0626c50b50f38ab59ca
Instruction ID: 1248fa89de73219ae35e7056dddd0abb5bf4486cc1b14e54ecccc9dda8d51041
Opcode Fuzzy Hash: 23e681e01d2f07373254dde0b1f5a85b25e7e4b3aa46f0626c50b50f38ab59ca
Instruction Fuzzy Hash: 94D10372A4C2558FCF04CFEEC5917CD7BF2BB4A320F145229D815EB398E23A99099B14

Function 6EC0EB30 Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 122bb8c00888c78c4d6973a994cb1e5feb2290afee3b94cb16afce181c3e5909
Instruction ID: 594e35332b55c1671d500d446d1213fc103aea8e631f477e7f5e6b17b707971a
Opcode Fuzzy Hash: 122bb8c00888c78c4d6973a994cb1e5feb2290afee3b94cb16afce181c3e5909
Instruction Fuzzy Hash: 08D1D376A946258FCF04CEBDC9A57DE7BF6BB4A310F108219E921EB394D23798058F14

Function 6EBFDF50 Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd0476054aaa57e6b5df4c142690c8b3b5ddcd153b417ef05b56809a00e36df7
Instruction ID: fcbdbdda132add263b0a3da706f521d0f70737c2e4e8d7b0e2500bcf48c278ca
Opcode Fuzzy Hash: fd0476054aaa57e6b5df4c142690c8b3b5ddcd153b417ef05b56809a00e36df7
Instruction Fuzzy Hash: A0D1C272A10655CFDF08CEBCE5D5BEE7FF1AB46320F105628E911EB390DA26580ACB51

Function 6EC01150 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 190750b0abd9442c6b49a7acad3e7d398ea860993237a1d28e13042ed422bd41
Instruction ID: 91a724fbbf2540b17b286fc15f6dc050bc92f3b04a1fb14d4f7767a107350d52
Opcode Fuzzy Hash: 190750b0abd9442c6b49a7acad3e7d398ea860993237a1d28e13042ed422bd41
Instruction Fuzzy Hash: 73C12336A545228FDF088EBDC9D17EEBBF2EB46328F144519D912DB395D12A890D8B40

Function 6EC01B90 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8576ea4fdda3626aff1841188ca94dd898563f6cc9be353528a5ce449bfb04fa
Instruction ID: f26a4df7c4312aac17cd073abc819fb6684cdac45928aab5defe16c16f3beae6
Opcode Fuzzy Hash: 8576ea4fdda3626aff1841188ca94dd898563f6cc9be353528a5ce449bfb04fa
Instruction Fuzzy Hash: E3B15672A546668FCF05CEBEC5A43DEBBF2AB47324F145609D920AB794D23B850D8B10

Function 6EBF59A0 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e6e20ea4305766ddec80c367b0d11facaeb8648f89137aa7a556a6c655e854e
Instruction ID: e5a601b3aad3167856709f8002e96b69c33a1f3f443856df00b8c56d36d62351
Opcode Fuzzy Hash: 5e6e20ea4305766ddec80c367b0d11facaeb8648f89137aa7a556a6c655e854e
Instruction Fuzzy Hash: A7B18D76E521598FCF04CEBCD994ADEBBF1EB4A310F108219E825F7384C2399D0A8B55

Function 6EC00570 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2da443e453ae2cde5a2ea3496e4fdac72bcdc01fe5aeba6af3ef873b7c1ef1c
Instruction ID: 8b0c86d39dd0e30d6a030a18fdd9f49af052bb340fca8807913d2c1c69d1b726
Opcode Fuzzy Hash: b2da443e453ae2cde5a2ea3496e4fdac72bcdc01fe5aeba6af3ef873b7c1ef1c
Instruction Fuzzy Hash: 3D811372A442168FDF048EBDC5D37EE7BB2BB82350F114A19D911E7345F22B8A498B91

Function 6EC078F0 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a24e75fce7c9ece18f85cb1832a277608fdd86e27209673e8b87ed9da4cf762e
Instruction ID: 93d159275d7d4040ddfc3a07636c237b0bf15b922c81e9476ecff0b3adb63e0a
Opcode Fuzzy Hash: a24e75fce7c9ece18f85cb1832a277608fdd86e27209673e8b87ed9da4cf762e
Instruction Fuzzy Hash: 658125366441138FDF089EBDC9E57DE3BE6BB42321F10561AD921AB3D4E22B4548EB41

Function 6EC0E380 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 303c5c0dc87db75d94f7492f5196654edaadb625be7ec9aabc7b8c241a7233f4
Instruction ID: 133660309cb8a7a22439e19f03beeec2092f44f25db61e445047a29c8c8ff37a
Opcode Fuzzy Hash: 303c5c0dc87db75d94f7492f5196654edaadb625be7ec9aabc7b8c241a7233f4
Instruction Fuzzy Hash: B081DF76E842199FCF04CEFED6A46DE7BF2BB4A314F108519D820E7354E23689498F16

Function 6EBFE430 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d70bc9249e432706fad48ce5f5b6868ef2f7cfa0417833f8ec7a6e0baef67b6
Instruction ID: 27e11325521f6861ebc42378ed1a7267ecdd93cdcc9560ffa1f7914ea972502f
Opcode Fuzzy Hash: 3d70bc9249e432706fad48ce5f5b6868ef2f7cfa0417833f8ec7a6e0baef67b6
Instruction Fuzzy Hash: D7710272E44196CFCF04CEFCC5A07EE7BF2AB06324F10901AD921A7790C52A990B8F51

Function 6EC08110 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 339a25576a178266f7ae83b375dc8894cc671c8a2e2302e1cdbb4ebed47e42e4
Instruction ID: 75be25262e03f017814e46bae7a19d761a940c7984d1edb1afe3fd9cda65383b
Opcode Fuzzy Hash: 339a25576a178266f7ae83b375dc8894cc671c8a2e2302e1cdbb4ebed47e42e4
Instruction Fuzzy Hash: B371CF73A442568FCF04CEEDC9A1BDDBBF2BB4A364F008519D904F7345E23A99448B69

Function 6EC15ED0 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c75c227441b5b099369a0395711d24f340099bbedbf49778e160f56df3d48527
Instruction ID: fff048586e7eb27909d7b360c67b892a0ba3db9e59a3d8ee3166116380c6137d
Opcode Fuzzy Hash: c75c227441b5b099369a0395711d24f340099bbedbf49778e160f56df3d48527
Instruction Fuzzy Hash: 4D513836A585218FCF04CEFECA953DF7BF6BB47350F105519E421D7394E6298509AB80

Function 6EC1FDE8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36b886d7792f6b495a9557e8ef2c64e513572b2c839328607d2d82b980379080
Instruction ID: 24701d9c29265764c23433c685491a40e6e608e1f2222df48eac020da950df19
Opcode Fuzzy Hash: 36b886d7792f6b495a9557e8ef2c64e513572b2c839328607d2d82b980379080
Instruction Fuzzy Hash: 1C21FC36140F5FCBD23A8E69994A40AF3B1FA26A347604B0C81F1D7BFCD3A19156CA04

Function 6EC220D1 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1244d2490e722d8e2d4b08a687ba54e345a4788b81df14d6debf1e67a5b6da9d
Instruction ID: 01061e7e505300a1d4e3b9ecce1f6038de91558b22ade83c992d7eae527e9767
Opcode Fuzzy Hash: 1244d2490e722d8e2d4b08a687ba54e345a4788b81df14d6debf1e67a5b6da9d
Instruction Fuzzy Hash: DAE08C32921228EFCB24CBCCCA54A8AB3ECEB44B40B1144A6B521D7110E674DE00D7D0

Function 6EC247B0 Relevance: 19.6, APIs: 13, Instructions: 113
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___free_lconv_mon.LIBCMT ref: 6EC247F4

Part of subcall function 6EC266E7: _free.LIBCMT ref: 6EC26704
Part of subcall function 6EC266E7: _free.LIBCMT ref: 6EC26716
Part of subcall function 6EC266E7: _free.LIBCMT ref: 6EC26728
Part of subcall function 6EC266E7: _free.LIBCMT ref: 6EC2673A
Part of subcall function 6EC266E7: _free.LIBCMT ref: 6EC2674C
Part of subcall function 6EC266E7: _free.LIBCMT ref: 6EC2675E
Part of subcall function 6EC266E7: _free.LIBCMT ref: 6EC26770
Part of subcall function 6EC266E7: _free.LIBCMT ref: 6EC26782
Part of subcall function 6EC266E7: _free.LIBCMT ref: 6EC26794
Part of subcall function 6EC266E7: _free.LIBCMT ref: 6EC267A6
Part of subcall function 6EC266E7: _free.LIBCMT ref: 6EC267B8
Part of subcall function 6EC266E7: _free.LIBCMT ref: 6EC267CA
Part of subcall function 6EC266E7: _free.LIBCMT ref: 6EC267DC

_free.LIBCMT ref: 6EC247E9

Part of subcall function 6EC22097: HeapFree.KERNEL32(00000000,00000000,?,6EC215A9), ref: 6EC220AD
Part of subcall function 6EC22097: GetLastError.KERNEL32(?,?,6EC215A9), ref: 6EC220BF

_free.LIBCMT ref: 6EC2480B
_free.LIBCMT ref: 6EC24820
_free.LIBCMT ref: 6EC2482B
_free.LIBCMT ref: 6EC2484D
_free.LIBCMT ref: 6EC24860
_free.LIBCMT ref: 6EC2486E
_free.LIBCMT ref: 6EC24879
_free.LIBCMT ref: 6EC248B1
_free.LIBCMT ref: 6EC248B8
_free.LIBCMT ref: 6EC248D5
_free.LIBCMT ref: 6EC248ED

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 55b2f2c3cd0d8f85f400d82d857c9043fc74ca491d86bad24650fce8a2ca84eb
Instruction ID: 45b5face00ce0335946b25efdc140e83e413610f9eb640045daa366876717274
Opcode Fuzzy Hash: 55b2f2c3cd0d8f85f400d82d857c9043fc74ca491d86bad24650fce8a2ca84eb
Instruction Fuzzy Hash: B5317E726243419FEB659AB8D850B9A7BE8BF00714F104C39E4AADB164FF31F841DB20

Function 6EC21C13 Relevance: 15.1, APIs: 10, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 6EC21C29

Part of subcall function 6EC22097: HeapFree.KERNEL32(00000000,00000000,?,6EC215A9), ref: 6EC220AD
Part of subcall function 6EC22097: GetLastError.KERNEL32(?,?,6EC215A9), ref: 6EC220BF

_free.LIBCMT ref: 6EC21C35
_free.LIBCMT ref: 6EC21C40
_free.LIBCMT ref: 6EC21C4B
_free.LIBCMT ref: 6EC21C56
_free.LIBCMT ref: 6EC21C61
_free.LIBCMT ref: 6EC21C6C
_free.LIBCMT ref: 6EC21C77
_free.LIBCMT ref: 6EC21C82
_free.LIBCMT ref: 6EC21C90

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 47320a94b9179a42a2fcc4bcca2db47531fd64bc30f774c055beed1269e9bb28
Instruction ID: 303dd14984fd05c0fd2f76c47cba61e6d2d4c9bac078f8458e179ea9be9e2722
Opcode Fuzzy Hash: 47320a94b9179a42a2fcc4bcca2db47531fd64bc30f774c055beed1269e9bb28
Instruction Fuzzy Hash: D32197B6910148AFCB45DFE4C890DDE7FB9BF08644F0089A6E5169F520EB32EA54DB80

Function 6EC236D8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

api-ms-, xrefs: 6EC2372F
ext-ms-, xrefs: 6EC23743

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 21089acff88a5a667c118e5f0b94450937cd033b4fe1758b40377bf68f114b0e
Instruction ID: 4fa41ce094797583bf77d0e47a6cf6399e37a5af669e6187d2867903091f6357
Opcode Fuzzy Hash: 21089acff88a5a667c118e5f0b94450937cd033b4fe1758b40377bf68f114b0e
Instruction Fuzzy Hash: 3321A5B1A55626AFDF519AAD8F98A4A3678AF46F60F110234EC25AB294F730ED00C5D0

Function 6EC26886 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6EC2684E: _free.LIBCMT ref: 6EC26873

_free.LIBCMT ref: 6EC268D4

Part of subcall function 6EC22097: HeapFree.KERNEL32(00000000,00000000,?,6EC215A9), ref: 6EC220AD
Part of subcall function 6EC22097: GetLastError.KERNEL32(?,?,6EC215A9), ref: 6EC220BF

_free.LIBCMT ref: 6EC268DF
_free.LIBCMT ref: 6EC268EA
_free.LIBCMT ref: 6EC2693E
_free.LIBCMT ref: 6EC26949
_free.LIBCMT ref: 6EC26954
_free.LIBCMT ref: 6EC2695F

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7df7bc2e45ad0bb9c7f8bc702183ee147632bc2a3689b57671c2733396f6c7e8
Instruction ID: e76d444819499a1349bc4eb96a6b7ab04f4ad44cb4ed6273b5697bac9f808ccd
Opcode Fuzzy Hash: 7df7bc2e45ad0bb9c7f8bc702183ee147632bc2a3689b57671c2733396f6c7e8
Instruction Fuzzy Hash: D3111F72560F44AEE530EBF0CC09FDBBB9C5F05704F404C35A2AE6A060EBA5B51497A0

Function 6EC2599F Relevance: 9.3, APIs: 6, Instructions: 317fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 6EC259E7
__fassign.LIBCMT ref: 6EC25BCC
__fassign.LIBCMT ref: 6EC25BE9
WriteFile.KERNEL32(?,6EC241C9,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6EC25C31
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6EC25C71
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6EC25D19

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: e0a0811610c180b2423295752a712cba4cb9f7eb068dfdb86f09f6a867e615d6
Instruction ID: 2e25a34710d4d778ab51e6a3cd7205855c44d95e8c27bd7779e6b85e7a8afcb7
Opcode Fuzzy Hash: e0a0811610c180b2423295752a712cba4cb9f7eb068dfdb86f09f6a867e615d6
Instruction Fuzzy Hash: B0C19E75D002599FDF00CFE8C980AEEBBB9BF09314F28416AE865F7245E6319946CF61

Function 6EC20387 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,6EC20055,6EC1E098,6EC1DA5F,?,6EC1DC97,?,00000001,?,?,00000001,?,6EC2E908,0000000C,6EC1DD90), ref: 6EC20395
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6EC203A3
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6EC203BC
SetLastError.KERNEL32(00000000,6EC1DC97,?,00000001,?,?,00000001,?,6EC2E908,0000000C,6EC1DD90,?,00000001,?), ref: 6EC2040E

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: bc7e9f5aebf84eb61a23ed1f59c139bfd5e5550349599f46be064c6c5d33b5c8
Instruction ID: 651595d751aa589a78c4203f1e2a0988b63ef6244ad6eac78aa14ff2277ce5e3
Opcode Fuzzy Hash: bc7e9f5aebf84eb61a23ed1f59c139bfd5e5550349599f46be064c6c5d33b5c8
Instruction Fuzzy Hash: 2A01473222DB269FEF4416F5ADA6A8A2F79FB4237A720433BF834951D4FF1248016580

Function 6EC22A1D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\oiF7u78bY2.exe, xrefs: 6EC22A22

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\oiF7u78bY2.exe
API String ID: 0-838080875
Opcode ID: 3e1efe688cea6789c9c264ed67c8441b21a668f0a0e85b92a5c30a201afd5911
Instruction ID: f3b023abab4b5902db381b277b6c1db0dda670394dad1e51d82f3d47f48159ef
Opcode Fuzzy Hash: 3e1efe688cea6789c9c264ed67c8441b21a668f0a0e85b92a5c30a201afd5911
Instruction Fuzzy Hash: 3021AF71624106EF9B688EE68CA0D9B77ACEF453687004934F92597954FB30EC618760

Function 6EC20503 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,6EC205C4,00000000,?,00000001,00000000,?,6EC2063B,00000001,FlsFree,6EC2A354,FlsFree,00000000), ref: 6EC20593

Strings

api-ms-, xrefs: 6EC20553

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: dcfce73357d13171465a6ce3a6a699eb33be3bb7ee8ec43fdffc7007b283387c
Instruction ID: adca94df1adee0f191193cd543d3b8968b3fad2f0439955141381773dbcd85fe
Opcode Fuzzy Hash: dcfce73357d13171465a6ce3a6a699eb33be3bb7ee8ec43fdffc7007b283387c
Instruction Fuzzy Hash: DD11A731E55A259FDB528BF98D6174A33B4AF06770F140132FD14EB288F770E90086D9

Function 6EC20F17 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6EC20EC9,?,?,6EC20E91,?,00000001,?), ref: 6EC20F2C
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6EC20F3F
FreeLibrary.KERNEL32(00000000,?,?,6EC20EC9,?,?,6EC20E91,?,00000001,?), ref: 6EC20F62

Strings

CorExitProcess, xrefs: 6EC20F37
mscoree.dll, xrefs: 6EC20F25

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b8e025b57942f718d75f61352a91d76260b30a2c816db891508c6d93203984bc
Instruction ID: e5e53562040a4b877a05b78f6676d36592921b9b48ee3ef81f565f5905edf06f
Opcode Fuzzy Hash: b8e025b57942f718d75f61352a91d76260b30a2c816db891508c6d93203984bc
Instruction Fuzzy Hash: DDF08530950A19FFDF019B90CE2EB9E7F78EB45756F000060F814A6294EB34CA04EB90

Function 6EC25297 Relevance: 7.7, APIs: 5, Instructions: 199COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 6EC2531B
__alloca_probe_16.LIBCMT ref: 6EC253E1
__freea.LIBCMT ref: 6EC2544D

Part of subcall function 6EC22049: HeapAlloc.KERNEL32(00000000,6EC241C9,6EC241C9,?,6EC22F61,00000220,?,6EC241C9,?,?,?,?,6EC262A1,00000001,?,?), ref: 6EC2207B

__freea.LIBCMT ref: 6EC25456
__freea.LIBCMT ref: 6EC25479

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: db16f12ec7ea00838732bfd806241ac76513ac4e985ccbb208cc1dfefc928ceb
Instruction ID: 09f44a945d560a3281fc82a9cf7eb7bd58b75d842803eafd2eb806e51bc4cfc2
Opcode Fuzzy Hash: db16f12ec7ea00838732bfd806241ac76513ac4e985ccbb208cc1dfefc928ceb
Instruction Fuzzy Hash: 5251D072910207AFEB118EE58C40EEB7AADEB85765F114538FC14AB24CFB74DC1186A2

Function 6EC267E5 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 6EC267FD

Part of subcall function 6EC22097: HeapFree.KERNEL32(00000000,00000000,?,6EC215A9), ref: 6EC220AD
Part of subcall function 6EC22097: GetLastError.KERNEL32(?,?,6EC215A9), ref: 6EC220BF

_free.LIBCMT ref: 6EC2680F
_free.LIBCMT ref: 6EC26821
_free.LIBCMT ref: 6EC26833
_free.LIBCMT ref: 6EC26845

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 80c838e770dc8ba2586c45cb460169e88b388faba88ead7efd360dd9a9ff8f31
Instruction ID: 242a8acbff3ad81982246821804962a5111b23dc48158fc47e85e49885c599ae
Opcode Fuzzy Hash: 80c838e770dc8ba2586c45cb460169e88b388faba88ead7efd360dd9a9ff8f31
Instruction Fuzzy Hash: 10F062B2424B599F8E54CAF8E590C963BEDEA01B117600C35F079DB544EB30F880DBA0

Function 6EC223A1 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6EC2253B

Strings

*?, xrefs: 6EC223E4

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: efaba169b8992d2e26a785112f36f40523865fa27bba120f56925424b36ce35c
Instruction ID: c86138c9b963b939b27878059e049e1adc10334e3acd0f33041dca82c4f52504
Opcode Fuzzy Hash: efaba169b8992d2e26a785112f36f40523865fa27bba120f56925424b36ce35c
Instruction Fuzzy Hash: CD616CB6D102199FDB18CFA9C8909EEFBF9EF48314B14857AD815E7304E774AE418B90

Function 6EC20FA5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 123COMMON

Download Yara Rule

Strings

8$x, xrefs: 6EC20FF6
C:\Users\user\Desktop\oiF7u78bY2.exe, xrefs: 6EC20FE8, 6EC20FEF, 6EC21025

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID:
String ID: 8$x$C:\Users\user\Desktop\oiF7u78bY2.exe
API String ID: 0-1476614307
Opcode ID: bd4e6096dcbf8d97d825706adf4815f09ebe7a4818499b6683380f857dd5c6de
Instruction ID: 153ac357d82f1e671e789808fdff55caa2332bacbadf0307a4a3b1b664adb909
Opcode Fuzzy Hash: bd4e6096dcbf8d97d825706adf4815f09ebe7a4818499b6683380f857dd5c6de
Instruction Fuzzy Hash: 2741AF71A10259AFCB11DFDE8890EDEBBBCEB86710F100476E420AB244F7729A44DB90

Function 6EC222B5 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 6EC228D7: _free.LIBCMT ref: 6EC228E5

Part of subcall function 6EC234AB: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,00000000,00000000,?,6EC25443,?,00000000,00000000), ref: 6EC23557

GetLastError.KERNEL32 ref: 6EC2231D
__dosmaperr.LIBCMT ref: 6EC22324
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 6EC22363
__dosmaperr.LIBCMT ref: 6EC2236A

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: fef3039d02f1909eab2203c434b9db6858a64d0b38b72c810ee4cca816a57d6f
Instruction ID: 1b713b138f9da649db7929c309d052452326dd466962d912f44ef1faeee6891d
Opcode Fuzzy Hash: fef3039d02f1909eab2203c434b9db6858a64d0b38b72c810ee4cca816a57d6f
Instruction Fuzzy Hash: 9021D671624605AF9B188FE68CA0C9BB7ACFF443783008934F969D7254FB30EC4087A0

Function 6EC21D57 Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,6EC25DE7,?,00000001,6EC2423A,?,6EC262A1,00000001,?,?,?,6EC241C9,?,00000000), ref: 6EC21D5C
_free.LIBCMT ref: 6EC21DB9
_free.LIBCMT ref: 6EC21DEF
SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,6EC262A1,00000001,?,?,?,6EC241C9,?,00000000,00000000,6EC2EBB8,0000002C,6EC2423A), ref: 6EC21DFA

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: be964449536334e6cda4bc6e873c17498cda00d21552953edec0b949ade0e7c0
Instruction ID: d59485f79ec9daba4987d87a25c24756ad9e239a2084f2516e964bd63b3bb731
Opcode Fuzzy Hash: be964449536334e6cda4bc6e873c17498cda00d21552953edec0b949ade0e7c0
Instruction Fuzzy Hash: 31110A72610656AFDB0256FD4D84EDA256EFBC2679B250A34F5309B1C4FF228C099220

Function 6EC21EAE Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00000001,6EC22180,6EC220BD,?,?,6EC215A9), ref: 6EC21EB3
_free.LIBCMT ref: 6EC21F10
_free.LIBCMT ref: 6EC21F46
SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,00000001,6EC22180,6EC220BD,?,?,6EC215A9), ref: 6EC21F51

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 7999018bc79f29677a3fff9b75a254227ac3d1c6279136a821ab8f1525efe457
Instruction ID: 9252b551976dd38725a9adb65024580a06f052d601ac01106e9167e45c607811
Opcode Fuzzy Hash: 7999018bc79f29677a3fff9b75a254227ac3d1c6279136a821ab8f1525efe457
Instruction Fuzzy Hash: 2B11E573614A556EDB001AFE4D88E9B216EFBC2A797240634F5349B1C4FF228C089224

Function 6EC27036 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,6EC26A90,?,00000001,?,00000001,?,6EC25D76,?,?,00000001), ref: 6EC2704D
GetLastError.KERNEL32(?,6EC26A90,?,00000001,?,00000001,?,6EC25D76,?,?,00000001,?,00000001,?,6EC262C2,6EC241C9), ref: 6EC27059

Part of subcall function 6EC2701F: CloseHandle.KERNEL32(FFFFFFFE,6EC27069,?,6EC26A90,?,00000001,?,00000001,?,6EC25D76,?,?,00000001,?,00000001), ref: 6EC2702F

___initconout.LIBCMT ref: 6EC27069

Part of subcall function 6EC26FE1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6EC27010,6EC26A7D,00000001,?,6EC25D76,?,?,00000001,?), ref: 6EC26FF4

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,6EC26A90,?,00000001,?,00000001,?,6EC25D76,?,?,00000001,?), ref: 6EC2707E

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: ea5ee71fe75c1e70196cb835f3c66d6e0f689af56ac4328060410881d8d5a261
Instruction ID: 7e3889e54a3798bb5d60108617429e3132a1d3269ba604e936cc3baac13ab872
Opcode Fuzzy Hash: ea5ee71fe75c1e70196cb835f3c66d6e0f689af56ac4328060410881d8d5a261
Instruction Fuzzy Hash: 03F0C036510528BFCF522FD5CE48EC93F76FB4A3A1B054460FB3999160EB328820EB94

Function 6EC216A1 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6EC216AA

Part of subcall function 6EC22097: HeapFree.KERNEL32(00000000,00000000,?,6EC215A9), ref: 6EC220AD
Part of subcall function 6EC22097: GetLastError.KERNEL32(?,?,6EC215A9), ref: 6EC220BF

_free.LIBCMT ref: 6EC216BD
_free.LIBCMT ref: 6EC216CE
_free.LIBCMT ref: 6EC216DF

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d47f7f7cff0b2342d723d0e66063c75a3b925ba2b41da8674908c847066511f7
Instruction ID: 64ac6528a2d7cc126eb7bc9d6ee6f1ed624aec447cb9992b60f30cb939ad6d4b
Opcode Fuzzy Hash: d47f7f7cff0b2342d723d0e66063c75a3b925ba2b41da8674908c847066511f7
Instruction Fuzzy Hash: B1E012B2820E309A8F129F689A108893E7AEB06A143114C26E8381A260EB321112FF80

Function 6EC1FEB0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 6EC1FEEF
__IsNonwritableInCurrentImage.LIBCMT ref: 6EC1FFA3

Strings

csm, xrefs: 6EC1FF8D

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: 53a757888a1673ad37e6c7d2c13a31dd39438fe8b328171382f742c1760b681a
Instruction ID: 3d16716d4b636d0916a4792a428b1a78e606d8db3d20bfb73c29908a2c2dd39e
Opcode Fuzzy Hash: 53a757888a1673ad37e6c7d2c13a31dd39438fe8b328171382f742c1760b681a
Instruction Fuzzy Hash: 0041B434904289DFCF00CFE8C894ADE7BF5BF06318F248566E8289B395E7719955DB90

Function 6EC23416 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 6EC23416
GetCommandLineW.KERNEL32 ref: 6EC23421

Strings

8$x, xrefs: 6EC2341C

Memory Dump Source

Source File: 00000000.00000002.1251072160.000000006EBE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6EBE0000, based on PE: true

Associated: 00000000.00000002.1251057033.000000006EBE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251126213.000000006EC29000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251145527.000000006EC30000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1251188504.000000006EC79000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ebe0000_oiF7u78bY2.jbxd

Similarity

API ID: CommandLine
String ID: 8$x
API String ID: 3253501508-2047833490
Opcode ID: 316ece50fbe613a406427a70ecb6906cdb840748c97bc62e6ead7467a3329be2
Instruction ID: de92ee5e31057a5227049dd83c7e1df2a709255cc356e26d606893783e53f791
Opcode Fuzzy Hash: 316ece50fbe613a406427a70ecb6906cdb840748c97bc62e6ead7467a3329be2
Instruction Fuzzy Hash: E6B0927A810E34CFCF408F30830CA043BB0B31E2023808056DA32C7300EB350000CF10

Analysis Process: aspnet_regiis.exePID: 2700, Parent PID: 7004COMMON

Execution Graph

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	16.4%
Total number of Nodes:	73
Total number of Limit Nodes:	5

Executed Functions

Function 004FB75E Relevance: 13.9, Strings: 11, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

|+~, xrefs: 004FBA19
sT+V, xrefs: 004FB9EF
0xz, xrefs: 004FBA12
V(v*, xrefs: 004FB9BE
{$R&, xrefs: 004FB9D3
#HiJ, xrefs: 004FB9F6
ep, xrefs: 004FBB47
2lMn, xrefs: 004FBA35
!h=j, xrefs: 004FBA2E
+p:r, xrefs: 004FBA20
~,s., xrefs: 004FB9C5

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: !h=j$#HiJ$+p:r$0xz$2lMn$V(v*$ep$sT+V${$R&$~,s.$|+~
API String ID: 0-1833152483
Opcode ID: 3109897caae52bdf734259d903aa86217d5c86d37dacb4bd63b91719a2208153
Instruction ID: d1f6604e38b8e195b0c5feb8535f81d43489cdcd3987287c57c2bd8177ed8cb7
Opcode Fuzzy Hash: 3109897caae52bdf734259d903aa86217d5c86d37dacb4bd63b91719a2208153
Instruction Fuzzy Hash: 24B1FCB0815344CFE3549F168A89FA67FB1FB41610F1A82E8D6892F376C7359046CF99

Function 004F8450 Relevance: 7.8, APIs: 5, Instructions: 257
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 004F84DE
GetCurrentThreadId.KERNEL32 ref: 004F84E8
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 004F8670
GetForegroundWindow.USER32 ref: 004F8685
ExitProcess.KERNEL32 ref: 004F8791

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: e079659b3cb63390cd8663b62688b238b7c88553a32625cce244135bdcd5e3c2
Instruction ID: 25b63a67fcf30814c0c06520227b1d5843788ebc9bde92ab108ab089b36a752e
Opcode Fuzzy Hash: e079659b3cb63390cd8663b62688b238b7c88553a32625cce244135bdcd5e3c2
Instruction Fuzzy Hash: E4815973B04B184BC318AE7DCC81366F6D6ABD4720F1F863DAA95DB391EDB89C054684

Function 004FCD9C Relevance: 4.0, Strings: 3, Instructions: 291
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

F^, xrefs: 004FCF72
I@, xrefs: 004FCF79
lev-tolstoi.com, xrefs: 004FD0B5

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: F^$I@$lev-tolstoi.com
API String ID: 0-1601892661
Opcode ID: d1d32ea51c41a5680f27b82e3043ab2cec7e19cc5d00941d1ca44e32d035819a
Instruction ID: 74e7cb2e77f821e2994ea00345ce13bf2637872db5516384e1da41df1418aeac
Opcode Fuzzy Hash: d1d32ea51c41a5680f27b82e3043ab2cec7e19cc5d00941d1ca44e32d035819a
Instruction Fuzzy Hash: 2A91E3B1504B418FD725CF26C4D0222BBA2FF96304B28969DC9D64F75AC739E847CB94

Function 00529E70 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0052CC7B,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 00529E9E

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0052A6D4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e0fac4b3838f7019bfe214d20c7b1fd2f0a634f58315d1803a23759841827d8
Instruction ID: 53219f43d4092f2d851ebd43034965c2993fcda0135ade861be4744476be7393
Opcode Fuzzy Hash: 1e0fac4b3838f7019bfe214d20c7b1fd2f0a634f58315d1803a23759841827d8
Instruction Fuzzy Hash: E14135757893406FD324DE50EC89B3ABBA6FBD2310F28952CE1A05B3D1DBB09C069716

Function 004FE57F Relevance: 3.1, APIs: 2, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 004FE583
CoInitializeEx.COMBASE(00000000,00000002), ref: 004FE6D0

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 9d3a19a0805dc56a26d2218793d0b449938d5d0a87a48e00d0314977cd491006
Instruction ID: 9a3dd7510e2e4dada52a984e1a45f1ba2285b2bbe399ac461c38fa53f944938a
Opcode Fuzzy Hash: 9d3a19a0805dc56a26d2218793d0b449938d5d0a87a48e00d0314977cd491006
Instruction Fuzzy Hash: 9441F8B4D10B40AFD370AF39DA0B7127EB4AB05210F504B1DF9EA866D4E631A4198BD7

Function 004FE2BB Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 004FE2CD
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 004FE2E5

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 1f94a50125063d873b6a60be00a82476b30a2047b254272bccd87b6f12593139
Instruction ID: 5f4a97c7be25bf17f434633e93d6511a30777ba765a271d2c5dbe9dda52ec5de
Opcode Fuzzy Hash: 1f94a50125063d873b6a60be00a82476b30a2047b254272bccd87b6f12593139
Instruction Fuzzy Hash: C8E067303C83517AF6784754AC2BF1436256B55F26F744324B3267D2E895E03106962D

Function 0052A09A Relevance: 3.0, APIs: 2, Instructions: 21
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0052A09A
GetForegroundWindow.USER32 ref: 0052A0B0

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 007b2759751d12038690eafe820d5d0d8f0d0b6996a49f1aba1f509db30028df
Instruction ID: 320b5ce392fe4ef8a4eb7a24582784fcaac4ac2c3a0c47aea8ee3c109909b778
Opcode Fuzzy Hash: 007b2759751d12038690eafe820d5d0d8f0d0b6996a49f1aba1f509db30028df
Instruction Fuzzy Hash: 59D0A7F59114169BD7049720FC4E41A7B36EFA73153059836EC038B312EA31A80EDF93

Function 00524907 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 00524939

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: 058994db6104d37d499265812a4a389694f3ed15f8304e9e25c423e5d977fbe7
Instruction ID: 608b2186ad2f2ae1d2fc3652962bcd80ca534a582769fd04743020200b80434d
Opcode Fuzzy Hash: 058994db6104d37d499265812a4a389694f3ed15f8304e9e25c423e5d977fbe7
Instruction Fuzzy Hash: F911DD30A056948FCB19CB78DD946DCBFF1AF8A310F0842ACD4AAE73D0D6345A41CB21

Function 00529DF0 Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,00000000,00000000,?,00000000,004FB633,00000000,00000001), ref: 00529E22

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0b9b9fa54d40553afd7642e7d17c33cce8e03bbfb1ed52fab1e8e11d224ddc03
Instruction ID: 1f48a581443bb0e76ed391d918e7a61c460b33e012d3abc4d7081dc23ae48297
Opcode Fuzzy Hash: 0b9b9fa54d40553afd7642e7d17c33cce8e03bbfb1ed52fab1e8e11d224ddc03
Instruction Fuzzy Hash: CFF0B476809A22EBC6145F24BC0695F7B68EFD6751F064834F40147351EB32E805D6A2

Function 00528720 Relevance: 1.5, APIs: 1, Instructions: 15memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,00000000,00501FA0), ref: 00528740

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: e674752ac9c1f3a3435c7d924e3446ec9abc2c6e4e56bbf8111f6741a7fc4d41
Instruction ID: c17930a3d8da7736a8fc8e92c513ef2354dffc4f11fc8bd69cae36f770d437ac
Opcode Fuzzy Hash: e674752ac9c1f3a3435c7d924e3446ec9abc2c6e4e56bbf8111f6741a7fc4d41
Instruction Fuzzy Hash: 7ED01232459536FBC6102F18BC0ABCB3B55EF59760F070891F4446E1B5D725EC91DAD4

Function 00528700 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,?,0050A117,00000000), ref: 00528710

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8508f448f3a4e9daba134501c32637cd43ff36013c65efa2776a6dc259d29824
Instruction ID: 1d8c73e8883a70071112d2ca01f91a9dc5fdfc89d0f08f330e0c8a8d51e4415c
Opcode Fuzzy Hash: 8508f448f3a4e9daba134501c32637cd43ff36013c65efa2776a6dc259d29824
Instruction Fuzzy Hash: 9AC04C31445121ABD9142B15FC0ABCA3F54AF55361F010051B405661B187616C869694

Function 004FCC21 Relevance: 1.3, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

CoUninitialize.COMBASE ref: 004FE31B

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID: Uninitialize
String ID:
API String ID: 3861434553-0
Opcode ID: 65746c12aa1482b38f2c98f002125a8879d678b7cb37c1144139fa41dcc99027
Instruction ID: 5b716ea9023815277449e6eddcf0d6a4159b2399378648748203b56183dec6ac
Opcode Fuzzy Hash: 65746c12aa1482b38f2c98f002125a8879d678b7cb37c1144139fa41dcc99027
Instruction Fuzzy Hash: ABB09237A44008DA4B101BA5B8080E9B360EE882367110173DA1AC2010D626012A56E6

Non-executed Functions

Function 00525AC0 Relevance: 32.2, APIs: 10, Strings: 8, Instructions: 698memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0052F68C,00000000,00000001,0052F67C,00000000), ref: 00525D88
SysAllocString.OLEAUT32(3<), ref: 00525E22
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00525E60
SysAllocString.OLEAUT32(3<), ref: 00525EBB
SysAllocString.OLEAUT32(D793D587), ref: 00525F80
VariantInit.OLEAUT32(lefg), ref: 00525FEB
VariantClear.OLEAUT32(?), ref: 00526149
SysFreeString.OLEAUT32 ref: 0052616C
SysFreeString.OLEAUT32(?), ref: 00526172
SysFreeString.OLEAUT32(00000000), ref: 0052617F

Strings

a-N/, xrefs: 00525EF4
z)e+, xrefs: 00525EEC
lefg, xrefs: 00525AF0
D%`', xrefs: 00525EE4
3<, xrefs: 00525DD0
J9e;, xrefs: 00525F0C
~=w?, xrefs: 00525F14
@!H#, xrefs: 00525EDC

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID: String$AllocFree$Variant$BlanketClearCreateInitInstanceProxy
String ID: 3<$@!H#$D%`'$J9e;$a-N/$lefg$z)e+$~=w?
API String ID: 2485776651-614847132
Opcode ID: 1719357c53ad7e7c79069d40c50666695ce68b3b670e917692b1b05ab03b0df3
Instruction ID: 111d49e4aa04e363dd11effda4098506e766af27897becc646477ac1a2540a94
Opcode Fuzzy Hash: 1719357c53ad7e7c79069d40c50666695ce68b3b670e917692b1b05ab03b0df3
Instruction Fuzzy Hash: 5A2212726083109FD314CF24D88576BBBE6FFC5314F18892DE995872A2D775D805CB82

Function 0051834D Relevance: 14.2, Strings: 11, Instructions: 463COMMON

Download Yara Rule

Strings

M:D<, xrefs: 00518687
Y6KH, xrefs: 0051869F
@"_$, xrefs: 00518677
V2V4, xrefs: 00518697
R.L , xrefs: 0051866F
EF, xrefs: 005186BF
%B!D, xrefs: 005186B7
O>^0, xrefs: 0051868F
E*w,, xrefs: 00518410
(N3@, xrefs: 005186AF
,J=L, xrefs: 005186A7

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: %B!D$(N3@$,J=L$@"_$$E*w,$EF$M:D<$O>^0$R.L $V2V4$Y6KH
API String ID: 0-989434418
Opcode ID: 5e8f5de95295b2317d1dd4079fd7af4f89ee0e013783c04e367d8c8f25ed9250
Instruction ID: f948576a230a796ae3358fc3be6facd74d2151f563fcb72b35ecb011d238a3d8
Opcode Fuzzy Hash: 5e8f5de95295b2317d1dd4079fd7af4f89ee0e013783c04e367d8c8f25ed9250
Instruction Fuzzy Hash: 17D1DB706083118BD724CF65C8812ABBBF2FFE6314F189A1CE8954B3A0EB79D941C756

Function 0050C0E0 Relevance: 10.6, Strings: 8, Instructions: 637COMMON

Download Yara Rule

Strings

O~, xrefs: 0050C6E8
kl, xrefs: 0050C307
q{, xrefs: 0050C6E0
pK, xrefs: 0050C6D8
MN, xrefs: 0050C54E
5`ab, xrefs: 0050C7AC
(+5=, xrefs: 0050C0E3
5`ab, xrefs: 0050C77C

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: (+5=$5`ab$5`ab$MN$O~$kl$pK$q{
API String ID: 0-703746868
Opcode ID: 53b6c008e97301c4fbc6bea9e1be39fe1d80e29e260dba440f503a5769438a96
Instruction ID: a9b20963bdf08ba8c19bb7b135972af83f7e14b177cbb7c788f624bf7df60207
Opcode Fuzzy Hash: 53b6c008e97301c4fbc6bea9e1be39fe1d80e29e260dba440f503a5769438a96
Instruction Fuzzy Hash: B002FD7654C3018FD3109FA8D89166FFBE2EFD6314F08891CE4D58B392E6788909CB96

Function 00506B06 Relevance: 10.1, Strings: 7, Instructions: 1349COMMON

Download Yara Rule

Strings

D, xrefs: 005073BB
tu, xrefs: 00506BEC
7, xrefs: 00506C49
-X[i, xrefs: 0050796E
gfff, xrefs: 00506CA0
P<?, xrefs: 00506FD0
O, xrefs: 0050704A

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: -X[i$7$D$O$P<?$gfff$tu
API String ID: 0-1455771666
Opcode ID: ee06aa6bcf8c8b3fb8b397d8ab7df666ff58051bdb118d79fa6c453b51f2cd53
Instruction ID: b3f25886627dfa073ccd77585e63d03212a996a736f5c914a9a877a0e48901af
Opcode Fuzzy Hash: ee06aa6bcf8c8b3fb8b397d8ab7df666ff58051bdb118d79fa6c453b51f2cd53
Instruction Fuzzy Hash: 00821471A0C3519BD7248F24C8917AFBBE2FFA6304F18895CE4C69B391D7789905CB92

Function 00518CF8 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

S()*, xrefs: 00518B4F
K~, xrefs: 00518AD4
GF, xrefs: 00518A13
S()*, xrefs: 00518986
K~, xrefs: 00518C94
K~, xrefs: 00518BDB
GF, xrefs: 00518BD3

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: GF$GF$K~$K~$K~$S()*$S()*
API String ID: 0-1127579884
Opcode ID: b909855cb33074bd7be7e3d1f74aa94404680570fbebb90b650c6ee31772b527
Instruction ID: 3f064c8ce7d94cc614575f3d1eded95113e19ec94278f6df080fee84c37e2927
Opcode Fuzzy Hash: b909855cb33074bd7be7e3d1f74aa94404680570fbebb90b650c6ee31772b527
Instruction Fuzzy Hash: 37A1917165C3268FD729CF58880069FB7E5FBC5314F05892DD89ADB681C738D60A8782

Function 00509890 Relevance: 8.3, APIs: 2, Strings: 2, Instructions: 1316COMMON

Download Yara Rule

APIs

Part of subcall function 00529E70: LdrInitializeThunk.NTDLL(0052CC7B,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 00529E9E

FreeLibrary.KERNEL32(?), ref: 00509EBA
FreeLibrary.KERNEL32(?), ref: 00509F5B

Strings

FG, xrefs: 00509C3F
CE, xrefs: 00509C37

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: FG$CE
API String ID: 764372645-3557296681
Opcode ID: ac56aba040b2dcc8544d4a5f4be9eb7d7274b46dceeb25818d59dadbcd4546df
Instruction ID: 01263cc278d3d1c0a1209b3996866ae40ad1e4696d43bab299ef9555ea6b9497
Opcode Fuzzy Hash: ac56aba040b2dcc8544d4a5f4be9eb7d7274b46dceeb25818d59dadbcd4546df
Instruction Fuzzy Hash: 20922275A0C3406BEB249F24DC84B6EBFE2BBE5304F18882CE48587396D675DD06DB52

Function 00515079 Relevance: 7.9, Strings: 6, Instructions: 414COMMON

Download Yara Rule

Strings

rPQ, xrefs: 00515060
pqr, xrefs: 005151BC
,Y, xrefs: 005150A9
Z[, xrefs: 005150B1
^E, xrefs: 00515099
V,, xrefs: 005150A1

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: ,Y$V,$Z[$^E$rPQ$pqr
API String ID: 0-2136572039
Opcode ID: 5fb4ce920c461353abb057d820bd9cea8f166658e2f19e022b1a93b5ab121355
Instruction ID: 04b5d68dd21ee4519c7a6ceb3ba7b1ddc1018a10924eda03ebe7420ab5abe86f
Opcode Fuzzy Hash: 5fb4ce920c461353abb057d820bd9cea8f166658e2f19e022b1a93b5ab121355
Instruction Fuzzy Hash: 08E1CCB1608341DFE7248F24D8817ABBBE0FBE5304F60492CF199572A2E774994ADF42

Function 00512232 Relevance: 5.7, Strings: 4, Instructions: 696COMMON

Download Yara Rule

Strings

2)Q, xrefs: 00512928
&Q, xrefs: 005126D8
r(Q, xrefs: 00512865
(, xrefs: 0051230C

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: 2)Q$r(Q$&Q$(
API String ID: 0-1153874740
Opcode ID: ae341c9a4eec91b7d88b2d9aeff07b6df7403e959a517b2cbdbdf9e6f780bed9
Instruction ID: e8d8fe962e34014b9320afa7e5f9c6c830f450f78152867d3767bd04b6e1a4df
Opcode Fuzzy Hash: ae341c9a4eec91b7d88b2d9aeff07b6df7403e959a517b2cbdbdf9e6f780bed9
Instruction Fuzzy Hash: 2332FD71A04216CFEB28CF68EC917AEB7B2FB59310F1944ACD406A7390D734AD95DB90

Function 004F9470 Relevance: 5.4, Strings: 4, Instructions: 427COMMON

Download Yara Rule

Strings

+, xrefs: 004F972D
!"6C, xrefs: 004F9714, 004F971B
!RSP, xrefs: 004F966B
qbU", xrefs: 004F9663

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: !"6C$!RSP$+$qbU"
API String ID: 0-828761533
Opcode ID: 086cad6feaed587146661c88049e1713fa1bd8061ddd27899043bd51e29de368
Instruction ID: 09b43245748366e6307cfff78d078750897568cf4a6beaaf0a67da01b892951a
Opcode Fuzzy Hash: 086cad6feaed587146661c88049e1713fa1bd8061ddd27899043bd51e29de368
Instruction Fuzzy Hash: C8D143B164C3448BD718DF75C8947ABBBE2EBD1304F14893DE5D187391EA788909CB4A

Function 0050C840 Relevance: 5.4, Strings: 4, Instructions: 413COMMON

Download Yara Rule

Strings

GD, xrefs: 0050C8F9
WO, xrefs: 0050C8F1
]xyz, xrefs: 0050CBFA
EL, xrefs: 0050C8E9

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: EL$GD$WO$]xyz
API String ID: 0-4149224771
Opcode ID: 02707fc8195beead59dba347af9e15412e964c9ef90256cfb10b5f2a749912ad
Instruction ID: 5b31e21e5b3b322ae271bb41f81ea2c952e3c6c7657235606bd59535f8da34bf
Opcode Fuzzy Hash: 02707fc8195beead59dba347af9e15412e964c9ef90256cfb10b5f2a749912ad
Instruction Fuzzy Hash: 5EA1FE719083118BD724DF28C85266BBBF0FF82350F189A5DE8D98B3D0E7389945C796

Function 00521A20 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00521A6E
GetSystemMetrics.USER32 ref: 00521A7D

Strings

, xrefs: 00521B51

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 05a42a01f534c9e930a48ef89c8856784607fcf5c5c3a689b24ba87c1a791cc4
Instruction ID: f96c6a329a75c2ae690e7180eba5c6e5e678e98851aed0e84dcc210e8c65b130
Opcode Fuzzy Hash: 05a42a01f534c9e930a48ef89c8856784607fcf5c5c3a689b24ba87c1a791cc4
Instruction Fuzzy Hash: F15196B0D142189FDB50EFACE985A9DBBF0BF49300F10852AE858E7350D734A949CF92

Function 0051A440 Relevance: 5.3, Strings: 4, Instructions: 256COMMON

Download Yara Rule

Strings

fd}e, xrefs: 0051A4CF
aF,J, xrefs: 0051A67F
eklj, xrefs: 0051A4E5
zkmq, xrefs: 0051A4DA

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: aF,J$eklj$fd}e$zkmq
API String ID: 0-2764528280
Opcode ID: a10f4356bac3b95e3cc0c2c4147fa30a0b2f9122f07aa6957ed5045a5a06c431
Instruction ID: 72329b882b2fb8fe03d63e0888c3126884fa1f40d79eaf3857445a29b634312a
Opcode Fuzzy Hash: a10f4356bac3b95e3cc0c2c4147fa30a0b2f9122f07aa6957ed5045a5a06c431
Instruction Fuzzy Hash: 7571ADB580D3D18AE332CF248450BABBFE1EF92314F188A5CD4D91B282D7755545DB93

Function 0051BB35 Relevance: 4.2, Strings: 3, Instructions: 482COMMON

Download Yara Rule

Strings

?, xrefs: 0051C040
k, xrefs: 0051BD30
ORVM, xrefs: 0051BC4A

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: ?$ORVM$k
API String ID: 0-55357630
Opcode ID: 6be5102d093295cff221d7d21b0cbc9f95913efff6762879d245494e073e8c22
Instruction ID: 9ff62bf1e9657c013d9558da64e61ad9639741f1150433cf39caa76de9a63fe8
Opcode Fuzzy Hash: 6be5102d093295cff221d7d21b0cbc9f95913efff6762879d245494e073e8c22
Instruction Fuzzy Hash: 14F1E5315083908EE735CB3984917EBBFE2AF97304F08895DD4D99B382DB35994ACB52

Function 00526D19 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

1n3, xrefs: 00527005
45, xrefs: 00526FBB

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: 1n3$45
API String ID: 0-3766162355
Opcode ID: 845102040c6fcbae316ff839e6f8b350f2150b843d202fe75944994bb8decf24
Instruction ID: 465bcf8a53da30643f9546e175a549d4e568515c9c3c1dce53d213dd9e4f4315
Opcode Fuzzy Hash: 845102040c6fcbae316ff839e6f8b350f2150b843d202fe75944994bb8decf24
Instruction Fuzzy Hash: D6D1113A228651CBCB089F38E86126A77F1FF5A741F4AD87CD4858B2A0F736C958D741

Function 00515B50 Relevance: 2.9, Strings: 2, Instructions: 372COMMON

Download Yara Rule

Strings

7k2?, xrefs: 00515ED3
%21&, xrefs: 00515ECB

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID: %21&$7k2?
API String ID: 2994545307-1884281822
Opcode ID: 82443488dd936b434bbdc068375aab34fe871f93c00237cd26205058c3891387
Instruction ID: dc93c9c4beaaf2b620c4ef4feb5f17908953ccf997c7cef9e58ded96f5f3dd9f
Opcode Fuzzy Hash: 82443488dd936b434bbdc068375aab34fe871f93c00237cd26205058c3891387
Instruction Fuzzy Hash: 4CB15A75A08704CBEB18CE24D8926FB7BA6FBD5304F59856DE8468B381F234DE49C391

Function 00517B00 Relevance: 2.9, Strings: 2, Instructions: 355COMMON

Download Yara Rule

Strings

l.ez, xrefs: 00517A33
dgX`, xrefs: 00517A2B

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: dgX`$l.ez
API String ID: 0-4200491131
Opcode ID: 94c809cf3b406f0ff97db9cc8c779997b24e87b9982caea5ac5098f4f749c204
Instruction ID: 4a044c28f701125ec3db03412d321e3c6c81737cab94c3cbafd24fd8b1580ff2
Opcode Fuzzy Hash: 94c809cf3b406f0ff97db9cc8c779997b24e87b9982caea5ac5098f4f749c204
Instruction Fuzzy Hash: 96A120B160C344ABE3108F28989466BFBF6FBE9314F14882CE58597351E3749D4ACB86

Function 0051C273 Relevance: 2.8, Strings: 2, Instructions: 340COMMON

Download Yara Rule

Strings

1;28, xrefs: 0051C4DB
@DrE, xrefs: 0051C4D0

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: 1;28$@DrE
API String ID: 0-323544097
Opcode ID: bb3bca7967e5aa9629c2238efb6b53e9bdcfed4117833e59ab207ed8f5385ce7
Instruction ID: fd9d542b0b10a1e81af5e8a176476579724159a6600f21f92cc47f5530891284
Opcode Fuzzy Hash: bb3bca7967e5aa9629c2238efb6b53e9bdcfed4117833e59ab207ed8f5385ce7
Instruction Fuzzy Hash: CE91D17090C3918FE729CF2980607ABBFE1AFD6305F18896DD4D99B382D6758845CB52

Function 00518D70 Relevance: 1.9, Strings: 1, Instructions: 632COMMON

Download Yara Rule

Strings

|G, xrefs: 00519377

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: |G
API String ID: 0-720105526
Opcode ID: 2d900f13106290ae3e522fbd441539adc58e0d552346eb015be8baed74e87693
Instruction ID: 8efe558f03ac3bd63bc77c62d0685b127d043ffe5ba6ff102321e6f38ec91ae0
Opcode Fuzzy Hash: 2d900f13106290ae3e522fbd441539adc58e0d552346eb015be8baed74e87693
Instruction Fuzzy Hash: 21225371A0C355DFE310DF2498546ABBBE6BF99304F04896CF99187392D738CA49CB92

Function 00511B60 Relevance: 1.7, Strings: 1, Instructions: 481COMMON

Download Yara Rule

Strings

KL, xrefs: 00511B86

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: KL
API String ID: 0-759073162
Opcode ID: 91d9db4df557410ef2b881e08806dcec104f5a821c74168e9a584139287bcf50
Instruction ID: 35f0f27d24cc7dd15760929caf04ea0c1c1c577ba07356b4680e497d0833ab8c
Opcode Fuzzy Hash: 91d9db4df557410ef2b881e08806dcec104f5a821c74168e9a584139287bcf50
Instruction Fuzzy Hash: 32C14672A047018BE714DB24C882AB7BBE6FFD1314F19856DEA8687391E338DC45C796

Function 00519BE0 Relevance: 1.6, Strings: 1, Instructions: 382COMMON

Download Yara Rule

Strings

", xrefs: 00519EC8

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 6ee46c06aaf861ca7784c4a2c3c6f0fe029521c94ecc5bd1037a54d5be9bfe8d
Instruction ID: d0a9b7e28576d40bd51ba102e767db3c9e32704c6caade53ae0052f89f04661d
Opcode Fuzzy Hash: 6ee46c06aaf861ca7784c4a2c3c6f0fe029521c94ecc5bd1037a54d5be9bfe8d
Instruction Fuzzy Hash: 65C10672A083156FE715CE24C4A4BEBBBE9BF84350F18892DE89987281D734DD85C7D2

Function 004F8090 Relevance: 1.5, Strings: 1, Instructions: 260COMMON

Download Yara Rule

Strings

rLMN, xrefs: 004F8195

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: rLMN
API String ID: 0-1296146032
Opcode ID: f36ed9a7c3171d092e63f07ac9af11ffcbdb8aefa0a18b36a219848073a85ef5
Instruction ID: 73c6ac86b2dbbe78d1d657248027fdcc14d1c5ddadc8daef8099bf6fc5362fd6
Opcode Fuzzy Hash: f36ed9a7c3171d092e63f07ac9af11ffcbdb8aefa0a18b36a219848073a85ef5
Instruction Fuzzy Hash: 00817E32E086294BC7109E25C94027BB7D29BC1710F6A875ECE959F3A5EE39DC0687C9

Function 0052B9B0 Relevance: 1.5, Strings: 1, Instructions: 221COMMON

Download Yara Rule

Strings

4, xrefs: 0052B9C2

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: 4ba066f0f8b7b60abe7ecc5850597caf20a1f7acda7905ccf78b1fb25fa46d7c
Instruction ID: 976cd688607fdb499fdbef5e87b595549da5ec66ad4dcec2572be63d160e1899
Opcode Fuzzy Hash: 4ba066f0f8b7b60abe7ecc5850597caf20a1f7acda7905ccf78b1fb25fa46d7c
Instruction Fuzzy Hash: 7F51F330A19365CFE7044F35A4A067ABBE2AF9A314F4CE5ADD0D48B396D7349C05EB40

Function 0051A9E8 Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

<<9>, xrefs: 0051AA5D

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: <<9>
API String ID: 0-2032997600
Opcode ID: 8849872d99a7f5bca4d64ee14f996c9c5e131bab5f619cf55bbf49ecaf82e7c6
Instruction ID: f5c92235ff32ed232f226de8e4b76544a4fee886e332454b2c28badc54d7a747
Opcode Fuzzy Hash: 8849872d99a7f5bca4d64ee14f996c9c5e131bab5f619cf55bbf49ecaf82e7c6
Instruction Fuzzy Hash: E64104A550D3D18BE3328F2984A07B7BFE1EFA7300F28584CD5C647242D67109898B67

Function 0052D270 Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

cba`, xrefs: 0052D2CB

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID: cba`
API String ID: 2994545307-1926275841
Opcode ID: e01827382a8a79dc7639314359afe1d34fa1becbf6d1dd4d62ee8129c478ba2b
Instruction ID: eab45c156e5a3ada8b1e50170b1b75e114e8f3123fa5edc7c7fce4ff81ec695e
Opcode Fuzzy Hash: e01827382a8a79dc7639314359afe1d34fa1becbf6d1dd4d62ee8129c478ba2b
Instruction Fuzzy Hash: 31412A75648315ABD324CA25ECC1B7EBBB5FFA9704F38492CE685573D0D2709C01D662

Function 0052D0E0 Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

cba`, xrefs: 0052D13B

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID: cba`
API String ID: 2994545307-1926275841
Opcode ID: 262cb532b7fe8197f92ac6a47f6b45a7daff29a5b1b98f4b718c90c73b318532
Instruction ID: dde7e08a360972e0f2bed93d04b773ad7df1e94adf1092365d4751da49b3db42
Opcode Fuzzy Hash: 262cb532b7fe8197f92ac6a47f6b45a7daff29a5b1b98f4b718c90c73b318532
Instruction Fuzzy Hash: 48415B75648319ABD3289E54ECC0B7A7BB5FFC9704F28452CEA45A73D0E270EC40D6A1

Function 0052BC60 Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

@, xrefs: 0052BCC8

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 6ee7aa4e9ac58c1c537bf5c0ee65d925040e460c3e62a7da02546190b13b581e
Instruction ID: bfe5b78d2bf843402745a5390ee6ffa24a4f7d09f87104767272782f26e63e70
Opcode Fuzzy Hash: 6ee7aa4e9ac58c1c537bf5c0ee65d925040e460c3e62a7da02546190b13b581e
Instruction Fuzzy Hash: 023104B55083089BD324DF18E8C06AFBBF5FF89354F14492CEA9547391E3359909CB92

Function 0052A44A Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

@, xrefs: 0052A4CD

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: b5b7ebaea90b429e871136690202cfc2f0bf95bbcdd4dec5ba92494f22308e10
Instruction ID: c827001b288dcd77a0613df0ec68573a8f977ab71bfe1d65225a25e23c539fb2
Opcode Fuzzy Hash: b5b7ebaea90b429e871136690202cfc2f0bf95bbcdd4dec5ba92494f22308e10
Instruction Fuzzy Hash: 8831AD756193528BC704DF24D85523BB7E1FFD6304F18182DE1859B390EB789909DB86

Function 004F73D0 Relevance: .7, Instructions: 664COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e5e617d9d6c3f9ddc8b81b139253b09b29521e9c94e8f197b0c157e9ec1d7b2
Instruction ID: 37960d5f1d9270c6f11b5526d9c41c2857c56a1899e6c4c58132c118fc4317be
Opcode Fuzzy Hash: 2e5e617d9d6c3f9ddc8b81b139253b09b29521e9c94e8f197b0c157e9ec1d7b2
Instruction Fuzzy Hash: 0322D431A0C3198BD7249F18D8406BBB3E1FFC4319F29892EDA8697381D73CA915CB46

Function 00526550 Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6ce27578586112afe2ceb3e58299f6a3b4cca706d1d9f892860550779f85828
Instruction ID: d32b31d6104c7355df9061217a5795877347cff7e83066ac57cda3a561849ddc
Opcode Fuzzy Hash: b6ce27578586112afe2ceb3e58299f6a3b4cca706d1d9f892860550779f85828
Instruction Fuzzy Hash: ACB12471A083609BD724DE24E88163BBBA6FFD6314F24492CE595972E1DB30EC458B92

Function 0051C9AF Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e1a3c56c56aaeb51f6f9ee2137bab7d0f70c20e7563a2f1b221de2e350ff4d3
Instruction ID: c83c9c6c66618c40cedf9c860095e179d4b34c4c5d22de7f141fe6958199bad2
Opcode Fuzzy Hash: 1e1a3c56c56aaeb51f6f9ee2137bab7d0f70c20e7563a2f1b221de2e350ff4d3
Instruction Fuzzy Hash: 6D815A7168C3818BF3258B2488917ABBFD2FFD2314F288A1CD5D95B3C6C6765845C792

Function 0050EA50 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c28b696331077d5e0a5369e47c16f322ec9fc612756547622adbf571aa4233ac
Instruction ID: 4ee90448b4f014ddc0da44e0995cfd9df65b78ac371a69f16a7737da92a3dffa
Opcode Fuzzy Hash: c28b696331077d5e0a5369e47c16f322ec9fc612756547622adbf571aa4233ac
Instruction Fuzzy Hash: BF6146356083918FD7258F28C89292E7FE1BF95310F588AADE8D54B3D2D635DC05C792

Function 00518134 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a1bd0391a2f480c38e47f44457f9dc6267d95cb7c85afc2ce51e43cc67ac97
Instruction ID: 909d3f3b5622d4534cc895ed663faf3a201e0ddb315d626c8f4b2b146777ac0e
Opcode Fuzzy Hash: a6a1bd0391a2f480c38e47f44457f9dc6267d95cb7c85afc2ce51e43cc67ac97
Instruction Fuzzy Hash: 5B510E76908310EBD7209B28C84156BB7F2FF99311F19892CE8D5A7321EB39DC50CB92

Function 004F2540 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60d9d7014d29aa4d9cc68eaaa4f548aba4ce7217524aef0ab29209a3d456cabb
Instruction ID: 48a931cf80a9d774d796043d07f6785db7d6abc37bc69aaf129928531c15509c
Opcode Fuzzy Hash: 60d9d7014d29aa4d9cc68eaaa4f548aba4ce7217524aef0ab29209a3d456cabb
Instruction Fuzzy Hash: 4A4156704083CC9BD710AF388D84377BAD4AF52304F18852AEA9A9B341E3B8D905C76A

Function 00517CB8 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22e4cda375714e0dde92fee6fc41276ce19830b6f6dd57a6e0e43eff5dcc3e44
Instruction ID: a9cbac9b6b91136db8348a7619d01db7e96cd26ca5afa47b610076a330d05404
Opcode Fuzzy Hash: 22e4cda375714e0dde92fee6fc41276ce19830b6f6dd57a6e0e43eff5dcc3e44
Instruction Fuzzy Hash: EF41117090C3099BD714DF18E851AABBBF0FF85304F04992CF9858B291E778DA45C785

Function 00505CA2 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 137d35db67d17bde46ad6f8df0f7f6e186881cf921c7df581356c7a4a439fb7e
Instruction ID: 6395e7684f6c1fa3cb99c05a1601e2dddb47c3b85f6c81f0516b7204c5618034
Opcode Fuzzy Hash: 137d35db67d17bde46ad6f8df0f7f6e186881cf921c7df581356c7a4a439fb7e
Instruction Fuzzy Hash: 5231F4726087118BC7249F28C8916AFBBE1FF89354F05962DE4D9CB391F7389900CB92

Function 004F8860 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2fd4d3e156d30c0c2b8dc8dc78c1b6c267880f9e00ddefb7542dcc745552709
Instruction ID: 81c875fb2b4ea1b5beee12479012ce7ab9b689a7c68ef8bc09ee5192ff3ea7b7
Opcode Fuzzy Hash: c2fd4d3e156d30c0c2b8dc8dc78c1b6c267880f9e00ddefb7542dcc745552709
Instruction Fuzzy Hash: 5521A537E6143047D310CD59CC443A172A6ABD9338F3E87B98864AB796C97BAC0386C4

Function 0052AA2A Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 090ffdc4ba3a37135139b733d2715cc059739906c52be7de530631d5762f4197
Instruction ID: 138803b109f50906fa7c431579e0b59133516044bfea364efe4d3e4f9722edeb
Opcode Fuzzy Hash: 090ffdc4ba3a37135139b733d2715cc059739906c52be7de530631d5762f4197
Instruction Fuzzy Hash: 4F116A7264D3419FD708CF21A99211FBEA2ABE6618F28991DD0C1AA205D634D6078B8A

Function 005231D0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 08cc169f45d0399a43bf96b601134b2e0aaf9a95c8e8fcaaa74c62d23b885809
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 1D11E937A091E44EC3168D3C9400565BFA31EE3234F198399F4F89B2D7D6268E8A8354

Function 005198E0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e668f0443b00a77aa73fb05eb0e6595b865b3f7c1a7071fde2abdda04867b9c
Instruction ID: 9ba9b9e095f5278edd79d79b79db5b139c636ab98bc2c971dbf720673104c167
Opcode Fuzzy Hash: 6e668f0443b00a77aa73fb05eb0e6595b865b3f7c1a7071fde2abdda04867b9c
Instruction Fuzzy Hash: C7015EF660030257E7209E55D4E177BA6B97B81718F18443DE9049B202EB79EC85C6A5

Function 004FCB10 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bba0dd9bfe126a0a1007eca9b7cc56abc64e1f946ac9a55177cf0de369d43e32
Instruction ID: 6a2b22d1c4dd2145304b39ab0d218c26a0709ded5e015ee81d688973566e08cb
Opcode Fuzzy Hash: bba0dd9bfe126a0a1007eca9b7cc56abc64e1f946ac9a55177cf0de369d43e32
Instruction Fuzzy Hash: 4FF0E53064C358A7E2159B679D91B3FEDBA4FD6704F20942DF193A71C0D128A501471F

Function 004FA383 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a80ce876880bb4eccdbb394f89987c590d0d770be695afeef2d66a2fa705a0d3
Instruction ID: 8f87cda9f84a2b74bc647b1439786c681c4b592ae81d95baa300f0e2172e4067
Opcode Fuzzy Hash: a80ce876880bb4eccdbb394f89987c590d0d770be695afeef2d66a2fa705a0d3
Instruction Fuzzy Hash: 33E06DB2E043504BD314CF31C8805667362ABD6224F19C31CDD6E17380DA34EC0AAA98

Function 0051891E Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b60bb88600965d8ade1141648267842eff7419967a70e207593e5f1eaac22209
Instruction ID: 7a6e781e21fefdb5f2a4b4010b5c8bf12a6f893efe51f92d9b435e55b83b2017
Opcode Fuzzy Hash: b60bb88600965d8ade1141648267842eff7419967a70e207593e5f1eaac22209
Instruction Fuzzy Hash: 00B012D1C0820446C2009E106C41435A13C1517104F003415D009FB203E52CDA08410D

Function 0051D0BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0051D1C5
FreeLibrary.KERNEL32(?), ref: 0051D2C5

Strings

,M, xrefs: 0051D21A

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID: FreeLibrary
String ID: ,M
API String ID: 3664257935-1887782012
Opcode ID: b4a7569032d5d55e2a4d7aca05b782999c95c65e01511dd8c258d374d0b59fa2
Instruction ID: 159c7a23fcf4584bec9c218f233d6b3d0f431dda76967044f04a5e36c0f4938d
Opcode Fuzzy Hash: b4a7569032d5d55e2a4d7aca05b782999c95c65e01511dd8c258d374d0b59fa2
Instruction Fuzzy Hash: 8A4136A441C3D08AE3358B35C8907E67FE1AFE7305F0889ACD5D997346CB794545CB22

Function 00521419 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00521450
GetSystemMetrics.USER32 ref: 0052145F

Strings

, xrefs: 0052150D

Memory Dump Source

Source File: 00000003.00000002.1330321253.00000000004F1000.00000020.00000400.00020000.00000000.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000003.00000002.1330301653.00000000004F0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330357009.000000000052E000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330375956.0000000000531000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1330396394.0000000000540000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4f0000_aspnet_regiis.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: a397cab6f88e55d07b5e951ec4c57302ceaec2e098b61b4f72e923bc1ddebbe5
Instruction ID: a00515d5987fb94a4b84e9f3d8716a7ca5b54b19989a38781a2d46f4b8b94c2c
Opcode Fuzzy Hash: a397cab6f88e55d07b5e951ec4c57302ceaec2e098b61b4f72e923bc1ddebbe5
Instruction Fuzzy Hash: 8D3190B09183548FDB10EF68E985659BBF4BF99204F01892EE498DB360D774A949CF82

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report oiF7u78bY2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oiF7u78bY2.exe.log

C:\Users\user\AppData\Roaming\gdi32.dll

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
oiF7u78bY2.exe

Function 6EBF49F0 Relevance: 22.1, APIs: 4, Strings: 8, Instructions: 1125
nativeCOMMON

Function 6EC1DB8E Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Function 6EC1DC3E Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Function 6EC1DA87 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Function 6EC23B8B Relevance: 3.1, APIs: 2, Instructions: 67
COMMON

Function 6EC255F1 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Function 6EC2218E Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE